The Hybrid flow provides both user authentication and API protection, integrating the client-authentication approach and the resource-owner-password approach into one.
Modify the IdentityServer client configuration
Change the earlier ResourceOwnerPassword grant to Hybrid and add the resource-access configuration:
    new Client
    {
        ClientId = "mvc",
        ClientName = "MVC Client",
        AllowedGrantTypes = GrantTypes.Hybrid,   // was GrantTypes.ResourceOwnerPassword
        ClientSecrets =
        {
            new Secret("secret".Sha256())
        },
        // Where IdentityServer may send the browser after login / logout (MVC client on port 5003)
        RedirectUris = { "http://localhost:5003/signin-oidc" },
        PostLogoutRedirectUris = { "http://localhost:5003/signout-callback-oidc" },
        AllowedScopes = new List<string>
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            "api1"
        },
        // Issue refresh tokens (offline_access scope) so the client can keep calling the API
        AllowOfflineAccess = true
    }
Here AllowOfflineAccess permits long-term API access by means of refresh tokens.
IdentityServer runs on port 5002.
Configure MvcClient
    services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";        // local session is a cookie
        options.DefaultChallengeScheme = "oidc";  // unauthenticated users are sent to IdentityServer
    })
    .AddCookie("Cookies")
    .AddOpenIdConnect("oidc", options =>
    {
        options.SignInScheme = "Cookies";
        options.Authority = "http://localhost:5002";   // IdentityServer
        options.RequireHttpsMetadata = false;          // development only: plain HTTP
        options.ClientId = "mvc";
        options.ClientSecret = "secret";
        options.ResponseType = "code id_token";        // hybrid flow
        options.GetClaimsFromUserInfoEndpoint = true;
        options.SaveTokens = true;                     // keep access/refresh tokens in the cookie for later API calls
        options.Scope.Add("api1");
        options.Scope.Add("offline_access");
        options.ClaimActions.MapJsonKey("website", "website");
    });
Note that ResponseType is set to code id_token, which means the hybrid flow is used and the identity token is returned through the browser.
MvcClient runs on port 5003.
Set up the API
Set the API's port to 5001.
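The post gives the API only a port, so here is an added example (not the author's code) of the API project's startup and the /identity endpoint that the About action below calls. It assumes the IdentityServer4.AccessTokenValidation package and that IdentityServer defines api1 as an ApiResource.

```csharp
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // Validate incoming bearer tokens against IdentityServer (port 5002).
        // ApiName = "api1" checks the token's audience: a token issued without
        // the api1 scope (the unchecked consent case in the post) is rejected with 401.
        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "http://localhost:5002";
                options.RequireHttpsMetadata = false; // development only: plain HTTP
                options.ApiName = "api1";
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Authentication must run before MVC so [Authorize] sees the validated principal.
        app.UseAuthentication();
        app.UseMvc();
    }
}

// Endpoint called by the MVC client: http://localhost:5001/identity
[Route("identity")]
[Authorize]
public class IdentityController : ControllerBase
{
    [HttpGet]
    public IActionResult Get()
    {
        // Returns a JSON array of {type, value} objects, which JArray.Parse on the client expects.
        return new JsonResult(from c in User.Claims select new { c.Type, c.Value });
    }
}
```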
Test
Open http://localhost:5003; you are redirected to the login page.
After logging in you can view the requested scopes.
Pay attention to Application Access: the API must be checked here.
You can see that an access_token was obtained.
Use the token to access the API.
Here I modified the About method of HomeController:
    using System.Net.Http;
    using System.Net.Http.Headers;
    using Microsoft.AspNetCore.Authentication;
    using Newtonsoft.Json.Linq;

    public async Task<IActionResult> About()
    {
        // Read the access token that SaveTokens = true stored in the authentication cookie
        var accessToken = await HttpContext.GetTokenAsync("access_token");

        var httpClient = new HttpClient();
        httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        // Call the protected API (port 5001); the API validates the bearer token
        var context = await httpClient.GetStringAsync("http://localhost:5001/identity");
        ViewBag.json = JArray.Parse(context).ToString();
        ViewData["Message"] = "Your application description page.";
        return View();
    }
After clicking About, the information obtained from the API is displayed.
If we leave the api scope unchecked after login, an error occurs here,
and clicking About then reports that there is no authorization information.