C# 如何在identityserver中基于客户端保护api资源上的端点
我有自己的授权服务器,构建在topidentityserver4上,我希望在这里保护主机上的所有API。该系统只是google开发者或facebook开发者的简单模仿,应用程序所有者注册并获取客户端id和客户端机密,以便在API上获得访问许可 因此,我在identityserver4示例上遵循了客户端凭据流。一切正常。我为应用程序所有者构建了一个公共UI,用于创建应用程序并选择从应用程序访问哪些API。我使用C# 如何在identityserver中基于客户端保护api资源上的端点,c#,identityserver4,asp.net-core-3.0,C#,Identityserver4,Asp.net Core 3.0,我有自己的授权服务器,构建在topidentityserver4上,我希望在这里保护主机上的所有API。该系统只是google开发者或facebook开发者的简单模仿,应用程序所有者注册并获取客户端id和客户端机密,以便在API上获得访问许可 因此,我在identityserver4示例上遵循了客户端凭据流。一切正常。我为应用程序所有者构建了一个公共UI,用于创建应用程序并选择从应用程序访问哪些API。我使用IConfigurationDbContext在identityserver的内部表上执
IConfigurationDbContextnew ApiResource("commonserviceapi", "Common Service API")
{
Scopes = {
new Scope("calender_api", "Calender Api"),
new Scope("employee_api", "Employee Api"),
new Scope("organization_api", "Organization Api"),
}
}
services.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddInMemoryCaching()
.AddOperationalStore(storeOpitons =>
{
storeOpitons.ConfigureDbContext = builder =>
builder.UseSqlServer(Configuration.GetConnectionString("Default"),
sql => sql.MigrationsAssembly(migrationsAssembly));
})
.AddConfigurationStore(storeOptions =>
{
storeOptions.ConfigureDbContext = builder =>
builder.UseSqlServer(Configuration.GetConnectionString("Default"),
sql => sql.MigrationsAssembly(migrationsAssembly));
});
services.AddAuthentication("Bearer").AddJwtBearer(opt => {
opt.Authority = "http://localhost:5000";
opt.Audience = "employee_api";
opt.RequireHttpsMetadata = false;
});
services.AddAuthentication("Bearer").AddJwtBearer(opt =>
{
opt.Authority = "http://localhost:5000";
opt.Audience = "commonserviceapi";
opt.RequireHttpsMetadata = false;
});
services.AddAuthorization(options =>
{
options.AddPolicy("ApiEmployee", builder =>
{
builder.RequireScope("employee_api");
});
options.AddPolicy("ApiOrganization", builder =>
{
builder.RequireScope("organization_api");
});
});
public IActionResult SaveApp(ClientViewModel model, List<SelectedApi> selectedApis)
{
//ommited for brevity
Client client = new Client
{
Description = model.Description,
ClientName = model.Name,
RedirectUris = new[] { model.CallBackUri }
};
client.AllowedScopes = selectedApis.Where(a => a.apiValue == "true").Select(a => a.apiName).ToList();
//e.g : client.AllowedScopes = {"employee_api"};
_isRepository.SaveClient(client, userApp);
}
[Authorize]
[Route("api/[controller]")]
[ApiController]
public class EmployeeController : BaseController
{
private readonly IEmployeeRepository _employeeRepoistory;
public EmployeeController(IServiceProvider provider, IEmployeeRepository employeeRepository) : base(provider)
{
_employeeRepoistory = employeeRepository;
}
[HttpGet]
public IActionResult GetEmployees([FromQuery] EmployeeResourceParameter parameter)
{
return Ok(_mapper.Map<IEnumerable<EmployeeModel>>(_employeeRepoistory.GetAll(parameter)));
}
[HttpGet("{id:int}")]
public IActionResult GetEmployeeById(int id)
{
var emp = _employeeRepoistory.GetById(id);
return Ok(_mapper.Map<EmployeeModel>(emp));
}
}
[授权]
[路由(“api/[控制器]”)]
[ApiController]
公共类EmployeeController:BaseController
{
私人只读雇员档案(employeerepository);;
公共EmployeeController(IServiceProvider提供程序、IEEmployeeRepository employeeRepository):基本(提供程序)
{
_employeeRepository=employeeRepository;
}
[HttpGet]
public IActionResult GetEmployees([FromQuery]EmployeeResourceParameter参数)
{
返回Ok(_mapper.Map(_employeerepostory.GetAll(参数));
}
[HttpGet(“{id:int}”)]
公共IActionResult GetEmployeeById(内部id)
{
var emp=_employeerepostory.GetById(id);
返回Ok(_mapper.Map(emp));
}
}
我终于完成了。。首先,我意识到掌握
apirource->Scopes客户机->允许的Scopesnew ApiResource("commonserviceapi", "Common Service API")
{
Scopes = {
new Scope("calender_api", "Calender Api"),
new Scope("employee_api", "Employee Api"),
new Scope("organization_api", "Organization Api"),
}
}
services.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddInMemoryCaching()
.AddOperationalStore(storeOpitons =>
{
storeOpitons.ConfigureDbContext = builder =>
builder.UseSqlServer(Configuration.GetConnectionString("Default"),
sql => sql.MigrationsAssembly(migrationsAssembly));
})
.AddConfigurationStore(storeOptions =>
{
storeOptions.ConfigureDbContext = builder =>
builder.UseSqlServer(Configuration.GetConnectionString("Default"),
sql => sql.MigrationsAssembly(migrationsAssembly));
});
services.AddAuthentication("Bearer").AddJwtBearer(opt => {
opt.Authority = "http://localhost:5000";
opt.Audience = "employee_api";
opt.RequireHttpsMetadata = false;
});
services.AddAuthentication("Bearer").AddJwtBearer(opt =>
{
opt.Authority = "http://localhost:5000";
opt.Audience = "commonserviceapi";
opt.RequireHttpsMetadata = false;
});
services.AddAuthorization(options =>
{
options.AddPolicy("ApiEmployee", builder =>
{
builder.RequireScope("employee_api");
});
options.AddPolicy("ApiOrganization", builder =>
{
builder.RequireScope("organization_api");
});
});
[Authorize(Policy = "ApiEmployee")]
[Route("api/[controller]")]
[ApiController]
public class EmployeeController : BaseController
{
...
RequireScopeIdentityServer4.AccessTokenValidation最后,这对我来说是一个令人困惑的问题;从服务器请求访问令牌时,作用域参数应为空,因为identityserver从客户端的allowdScopes值获取该参数。几乎所有样本都填写了此字段,因此您认为应该填写。最后一句话不正确。根据规范,scope参数可能为空,但也允许它请求特定的作用域。它不必是空的。不知道你为什么认为应该这样。文档中令人困惑的是,它们使用了一个同名的资源/范围。确保使用的是作用域名称,而不是资源名称。作用域名称用于确定访问群体(资源名称),而每个请求的作用域被添加为声明
scope=employee\u api