.net core 如何在其他API localhost/SalesAPI中授权从localhost/UserManagement API生成的openiddict令牌
我已经在dotnetcoreapi中创建了openiddict令牌,该应用程序托管在localhost/UserManagementAPI上。当我尝试授权相同的API时,我就能够做到这一点。但当我尝试使用相同的令牌并授权其他API localhost/SalesAPI时,会出现未经授权的访问错误 令牌生成代码如下所示:UserManagementAPI/startup.cs.net core 如何在其他API localhost/SalesAPI中授权从localhost/UserManagement API生成的openiddict令牌,.net-core,oauth,openid-connect,openiddict,.net Core,Oauth,Openid Connect,Openiddict,我已经在dotnetcoreapi中创建了openiddict令牌,该应用程序托管在localhost/UserManagementAPI上。当我尝试授权相同的API时,我就能够做到这一点。但当我尝试使用相同的令牌并授权其他API localhost/SalesAPI时,会出现未经授权的访问错误 令牌生成代码如下所示:UserManagementAPI/startup.cs services.AddAuthentication().AddOpenIdConnectServer(options =
services.AddAuthentication().AddOpenIdConnectServer(options =>
{
options.TokenEndpointPath = "/authorize";
options.AllowInsecureHttp = true;
options.Provider.OnValidateTokenRequest = context =>
{
if (!context.Request.IsPasswordGrantType() && !context.Request.IsRefreshTokenGrantType())
{
context.Reject(
error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
description: "Only grant_type=password and refresh_token " +
"requests are accepted by this server.");
return Task.CompletedTask;
}
if (string.IsNullOrEmpty(context.ClientId))
{
context.Skip();
return Task.CompletedTask;
}
if (string.Equals(context.ClientId, "client_id", StringComparison.Ordinal) &&
string.Equals(context.ClientSecret, "client_secret", StringComparison.Ordinal))
{
context.Validate();
}
return Task.CompletedTask;
};
options.Provider.OnHandleTokenRequest = context =>
{
if (context.Request.IsPasswordGrantType())
{
if (!string.Equals(context.Request.Username, "testusername", StringComparison.Ordinal) ||
!string.Equals(context.Request.Password, "testpassword", StringComparison.Ordinal))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Invalid user credentials.");
return Task.CompletedTask;
}
var identity = new ClaimsIdentity(context.Scheme.Name,
OpenIdConnectConstants.Claims.Name,
OpenIdConnectConstants.Claims.Role);
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, Guid.NewGuid().ToString());
identity.AddClaim("userid", "1001",
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
context.Scheme.Name);
ticket.SetAccessTokenLifetime(TimeSpan.FromDays(1));
ticket.SetScopes(OpenIdConnectConstants.Scopes.Profile);
context.Validate(ticket);
}
return Task.CompletedTask;
};
});
services.AddOpenIddict();
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = "Bearer";
options.DefaultChallengeScheme = "Bearer";
}).AddOAuthValidation();
我添加了以下代码来验证localhost/SalesAPI startup.cs中的令牌
services.AddAuthentication().AddOpenIdConnectServer(options =>
{
options.TokenEndpointPath = "/authorize";
options.AllowInsecureHttp = true;
options.Provider.OnValidateTokenRequest = context =>
{
if (!context.Request.IsPasswordGrantType() && !context.Request.IsRefreshTokenGrantType())
{
context.Reject(
error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
description: "Only grant_type=password and refresh_token " +
"requests are accepted by this server.");
return Task.CompletedTask;
}
if (string.IsNullOrEmpty(context.ClientId))
{
context.Skip();
return Task.CompletedTask;
}
if (string.Equals(context.ClientId, "client_id", StringComparison.Ordinal) &&
string.Equals(context.ClientSecret, "client_secret", StringComparison.Ordinal))
{
context.Validate();
}
return Task.CompletedTask;
};
options.Provider.OnHandleTokenRequest = context =>
{
if (context.Request.IsPasswordGrantType())
{
if (!string.Equals(context.Request.Username, "testusername", StringComparison.Ordinal) ||
!string.Equals(context.Request.Password, "testpassword", StringComparison.Ordinal))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Invalid user credentials.");
return Task.CompletedTask;
}
var identity = new ClaimsIdentity(context.Scheme.Name,
OpenIdConnectConstants.Claims.Name,
OpenIdConnectConstants.Claims.Role);
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, Guid.NewGuid().ToString());
identity.AddClaim("userid", "1001",
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
context.Scheme.Name);
ticket.SetAccessTokenLifetime(TimeSpan.FromDays(1));
ticket.SetScopes(OpenIdConnectConstants.Scopes.Profile);
context.Validate(ticket);
}
return Task.CompletedTask;
};
});
services.AddOpenIddict();
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = "Bearer";
options.DefaultChallengeScheme = "Bearer";
}).AddOAuthValidation();
我不想使用授权服务器
通过以上代码,我可以从localhost/UserManagementAPI授权其他api(同一api负责生成令牌)
如果我在这里遗漏了什么,请告诉我。值得注意的是,您在这段代码中没有使用OpenIddict,但是,支持OpenIddict 1.x和2.x的低级OpenID Connect服务器中间件 如果资源服务器位于单独的应用程序中,则需要将该应用程序配置为使用与主应用程序相同的ASP.NET核心数据保护密钥。请参阅,以了解有关如何执行此操作的更多信息