Identityserver4 Identity Server 4上授权客户端的自定义终结点
我希望我的Identity Server 4服务器为一些注册的客户端提供附加服务(例如,Identityserver4 Identity Server 4上授权客户端的自定义终结点,identityserver4,Identityserver4,我希望我的Identity Server 4服务器为一些注册的客户端提供附加服务(例如,“MyAdditionalService”)。他们将通过在服务器上定义的自定义端点使用该服务 我正在考虑为我的服务定义一个API(例如,名为“myAdditionalService”),以便根据客户机的配置授予对此类服务的访问权。但是,我不确定如何限制对端点的访问(MVC-Action方法),只允许允许使用API的客户端(可能代表用户) 我发现我可以做到: services.AddAuthorization(
“MyAdditionalService”services.AddAuthorization(options =>
{
options.AddPolicy("MyAdditionalServicePolicy",
policy => policy.RequireClaim("scope",
"myAdditionalService"));
});
[Authorize(“MyAdditionalServicePolicy”)]更新:
我的web应用程序是一个具有网络身份的IdentityServer,它已经使用Asp.net核心身份验证机制。在本例中,如果my web app向某些注册客户端提供的附加服务是用户的Twitter好友列表(基于名为Twitter的控制器建模,操作名为ImportFriends),则api因此被称为“TwitterFriends” 根据下面的回复建议,我修改了我的
Configure()app.UseJwtBearerAuthentication()app.UseIdentity()app.UseIdentityServer() app.UseIdentity();
app.UseIdentityServer();
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
AuthenticationScheme = "Bearer",
Authority = Configuration["BaseUrl"],
Audience = "TwitterFriends",
RequireHttpsMetadata = false //TODO: make true, it is false for development only
});
// Add external authentication middleware below. To configure them please see http://go.microsoft.com/fwlink/?LinkID=532715
app.UseGoogleAuthentication(new GoogleOptions
{
AuthenticationScheme = "Google",
SignInScheme = "Identity.External", // this is the name of the cookie middleware registered by UseIdentity()
[Authorize(ActiveAuthenticationSchemes = "Identity.Application,Bearer")]
//[Authorize(ActiveAuthenticationSchemes = "Identity.Application")]
//[Authorize(ActiveAuthenticationSchemes = "Bearer")]
[SecurityHeaders]
public class TwitterController : Controller
{...
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware
[7]
Identity.Application was not authenticated. Failure message: Unprotect tic
ket failed
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed for user: (null).
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1]
Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.A
uthorization.AuthorizeFilter'.
info: Microsoft.AspNetCore.Mvc.ChallengeResult[1]
Executing ChallengeResult with authentication schemes (Identity.Applicatio
n, Bearer).
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware
[12]
AuthenticationScheme: Identity.Application was challenged.
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[12]
AuthenticationScheme: Bearer was challenged.
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
Executed action IdentityServerWithAspNetIdentity.Controllers.TwitterContro
ller.ImportFriends (IdentityServerWithAspNetIdentity) in 86.255ms
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 105.2844ms 401
谢谢。请参阅此示例,了解如何在与IdentityServer相同的web应用程序中托管API 实际上,您需要添加JWT令牌验证处理程序:
services.AddAuthentication()
.AddJwtBearer(jwt=>
{
jwt.Authority=“身份服务器的基本地址”;
jwt.audium=“api名称”;
});
公共类TestController:ControllerBase
{
[路线(“测试”)]
[授权(AuthenticationSchemes=“持有人”)]
public IActionResult Get()
{
var claims=User.claims.Select(c=>new{c.Type,c.Value}).ToArray();
返回Ok(新的{message=“helloapi”,claims});
}
}
如果要强制执行其他授权策略,可以将其传递到[Authorize]属性或强制调用它。要实现这一点,首先必须编写一些策略。策略将定义特定api的可访问性边界。 因此,您将为注册的客户机分配一些作用域。假设作用域名称为“ApiOnlyForRegisteredClient” 因此,我们将创建以下策略:
services.AddAuthorization(options =>
{
options.SetRegisteredClientsPolicy();
}
[Authorize(AuthenticationSchemes = "Bearer", Policy = OpenIdPolicies.Clients.RegisteredClients)]
public async Task<ActionResult<T>> Post(int userId, [FromBody] List<int> simRoleIds)
{
}
[授权(AuthenticationSchemes=“Bearer”,Policy=OpenIdPolicies.Clients.RegisteredClients)]
公共异步任务Post(int userId,[FromBody]List simRoleIds)
{
}
.AddJwtBearer("Bearer", options =>
{
options.Authority = configuration["AuthorityAddresses"];
options.RequireHttpsMetadata = Convert.ToBoolean(configuration["RequireHttpsMetadata"]);
options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
TokenDecryptionKey = new X509SecurityKey()
ValidAudiences = apiResources.Select(x => x.ResourceName).ToList(),
ValidIssuers = new List<string> { authorityAddressWithHttps.Uri.OriginalString, authorityAddressWithBasePathHttps.Uri.OriginalString, configuration["AuthorityAddresses"] }
};
})
.AddJwtBearer(“Bearer”,选项=>
{
options.Authority=配置[“AuthorityAddresses”];
options.RequireHttpsMetadata=Convert.ToBoolean(配置[“RequireHttpsMetadata]”);
options.TokenValidationParameters=新的Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
TokenDecryptionKey=new X509SecurityKey()
Validudiences=apiResources.Select(x=>x.ResourceName).ToList(),
ValidisUsers=新列表{authorityAddressWithHttps.Uri.OriginalString,authorityAddressWithBasePathHttps.Uri.OriginalString,配置[“AuthorityAddresses”]}
};
})
.AddJwtBearer("Bearer", options =>
{
options.Authority = configuration["AuthorityAddresses"];
options.RequireHttpsMetadata = Convert.ToBoolean(configuration["RequireHttpsMetadata"]);
options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
TokenDecryptionKey = new X509SecurityKey()
ValidAudiences = apiResources.Select(x => x.ResourceName).ToList(),
ValidIssuers = new List<string> { authorityAddressWithHttps.Uri.OriginalString, authorityAddressWithBasePathHttps.Uri.OriginalString, configuration["AuthorityAddresses"] }
};
})