Identityserver4 Identity Server 4上授权客户端的自定义终结点
我希望我的Identity Server 4服务器为一些注册的客户端提供附加服务(例如,Identityserver4 Identity Server 4上授权客户端的自定义终结点,identityserver4,Identityserver4,我希望我的Identity Server 4服务器为一些注册的客户端提供附加服务(例如,“MyAdditionalService”)。他们将通过在服务器上定义的自定义端点使用该服务 我正在考虑为我的服务定义一个API(例如,名为“myAdditionalService”),以便根据客户机的配置授予对此类服务的访问权。但是,我不确定如何限制对端点的访问(MVC-Action方法),只允许允许使用API的客户端(可能代表用户) 我发现我可以做到: services.AddAuthorization(
“MyAdditionalService”
)。他们将通过在服务器上定义的自定义端点使用该服务
我正在考虑为我的服务定义一个API(例如,名为“myAdditionalService”),以便根据客户机的配置授予对此类服务的访问权。但是,我不确定如何限制对端点的访问(MVC-Action方法),只允许允许使用API的客户端(可能代表用户)
我发现我可以做到:
services.AddAuthorization(options =>
{
options.AddPolicy("MyAdditionalServicePolicy",
policy => policy.RequireClaim("scope",
"myAdditionalService"));
});
并使用属性[Authorize(“MyAdditionalServicePolicy”)]
来修饰用于访问此类服务的操作方法。然而,我不知道服务器是否可以同时成为API,或者即使可能
我如何实现这一点?由于令牌服务保护对操作方法或端点的访问,因此令牌服务也扮演API的角色,这一点令人困惑
谢谢
更新:
我的web应用程序是一个具有网络身份的IdentityServer,它已经使用Asp.net核心身份验证机制。在本例中,如果my web app向某些注册客户端提供的附加服务是用户的Twitter好友列表(基于名为Twitter的控制器建模,操作名为ImportFriends),则api因此被称为“TwitterFriends” 根据下面的回复建议,我修改了我的
Configure()
方法,使其具有app.UseJwtBearerAuthentication()
。我已经有了app.UseIdentity()
和app.UseIdentityServer()
,如下所示:
app.UseIdentity();
app.UseIdentityServer();
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
AuthenticationScheme = "Bearer",
Authority = Configuration["BaseUrl"],
Audience = "TwitterFriends",
RequireHttpsMetadata = false //TODO: make true, it is false for development only
});
// Add external authentication middleware below. To configure them please see http://go.microsoft.com/fwlink/?LinkID=532715
app.UseGoogleAuthentication(new GoogleOptions
{
AuthenticationScheme = "Google",
SignInScheme = "Identity.External", // this is the name of the cookie middleware registered by UseIdentity()
在专用控制器上:
[Authorize(ActiveAuthenticationSchemes = "Identity.Application,Bearer")]
//[Authorize(ActiveAuthenticationSchemes = "Identity.Application")]
//[Authorize(ActiveAuthenticationSchemes = "Bearer")]
[SecurityHeaders]
public class TwitterController : Controller
{...
但我在日志中记下了这一点:
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware
[7]
Identity.Application was not authenticated. Failure message: Unprotect tic
ket failed
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed for user: (null).
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1]
Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.A
uthorization.AuthorizeFilter'.
info: Microsoft.AspNetCore.Mvc.ChallengeResult[1]
Executing ChallengeResult with authentication schemes (Identity.Applicatio
n, Bearer).
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware
[12]
AuthenticationScheme: Identity.Application was challenged.
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[12]
AuthenticationScheme: Bearer was challenged.
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
Executed action IdentityServerWithAspNetIdentity.Controllers.TwitterContro
ller.ImportFriends (IdentityServerWithAspNetIdentity) in 86.255ms
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 105.2844ms 401
我尝试了不同的属性组合,但在这个场景中,Identity.Application和Bearer似乎不太合拍:得到401
感谢您的帮助。
谢谢。请参阅此示例,了解如何在与IdentityServer相同的web应用程序中托管API 实际上,您需要添加JWT令牌验证处理程序:
services.AddAuthentication()
.AddJwtBearer(jwt=>
{
jwt.Authority=“身份服务器的基本地址”;
jwt.audium=“api名称”;
});
在API本身上,必须选择JWT身份验证方案:
公共类TestController:ControllerBase
{
[路线(“测试”)]
[授权(AuthenticationSchemes=“持有人”)]
public IActionResult Get()
{
var claims=User.claims.Select(c=>new{c.Type,c.Value}).ToArray();
返回Ok(新的{message=“helloapi”,claims});
}
}
如果要强制执行其他授权策略,可以将其传递到[Authorize]属性或强制调用它。要实现这一点,首先必须编写一些策略。策略将定义特定api的可访问性边界。 因此,您将为注册的客户机分配一些作用域。假设作用域名称为“ApiOnlyForRegisteredClient” 因此,我们将创建以下策略:
services.AddAuthorization(options =>
{
options.SetRegisteredClientsPolicy();
}
及
一旦完成,您就完成了策略创建
确保在创建访问令牌时,将相同的值“ApiOnlyForRegisteredClients”放入范围声明中
现在我们必须添加一个api并用[Authorize]属性标记它
[Authorize(AuthenticationSchemes = "Bearer", Policy = OpenIdPolicies.Clients.RegisteredClients)]
public async Task<ActionResult<T>> Post(int userId, [FromBody] List<int> simRoleIds)
{
}
[授权(AuthenticationSchemes=“Bearer”,Policy=OpenIdPolicies.Clients.RegisteredClients)]
公共异步任务Post(int userId,[FromBody]List simRoleIds)
{
}
现在我们必须添加jwt认证中间件
.AddJwtBearer("Bearer", options =>
{
options.Authority = configuration["AuthorityAddresses"];
options.RequireHttpsMetadata = Convert.ToBoolean(configuration["RequireHttpsMetadata"]);
options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
TokenDecryptionKey = new X509SecurityKey()
ValidAudiences = apiResources.Select(x => x.ResourceName).ToList(),
ValidIssuers = new List<string> { authorityAddressWithHttps.Uri.OriginalString, authorityAddressWithBasePathHttps.Uri.OriginalString, configuration["AuthorityAddresses"] }
};
})
.AddJwtBearer(“Bearer”,选项=>
{
options.Authority=配置[“AuthorityAddresses”];
options.RequireHttpsMetadata=Convert.ToBoolean(配置[“RequireHttpsMetadata]”);
options.TokenValidationParameters=新的Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
TokenDecryptionKey=new X509SecurityKey()
Validudiences=apiResources.Select(x=>x.ResourceName).ToList(),
ValidisUsers=新列表{authorityAddressWithHttps.Uri.OriginalString,authorityAddressWithBasePathHttps.Uri.OriginalString,配置[“AuthorityAddresses”]}
};
})
My web app是一个具有网络身份的IdentityServer,它已经使用Asp.net核心身份验证机制。我不确定在使用第二个身份验证通道(我刚刚了解了所有这些)时是否会发生冲突。当将AddJwtBearer(app.UseJwtBearerAuthentication for.net core 1.1)与我在IdentityServer上拥有的身份验证和网络身份验证相结合时,我得到了401。不知道怎么了。我更新了问题,提供了关于我尝试过的内容和我得到的日志的更多信息。感谢您的帮助。谢谢
.AddJwtBearer("Bearer", options =>
{
options.Authority = configuration["AuthorityAddresses"];
options.RequireHttpsMetadata = Convert.ToBoolean(configuration["RequireHttpsMetadata"]);
options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
TokenDecryptionKey = new X509SecurityKey()
ValidAudiences = apiResources.Select(x => x.ResourceName).ToList(),
ValidIssuers = new List<string> { authorityAddressWithHttps.Uri.OriginalString, authorityAddressWithBasePathHttps.Uri.OriginalString, configuration["AuthorityAddresses"] }
};
})