IdentityServer4 Clients

原文地址

Clients 的定义

Client是指那些从 identityserver获取 token的应用

通常需要为client定义下面通用的设置

• 唯一的client id
• secret, 如果需要
• 允许交互的令牌服务(也叫做 grant type)
• 一个接收 identity 和/或 access token 的网络地址
• client 被允许访问的 一组 scope (也叫做resource)

Note 运行时，clients 通过 实现IClientStore 调用方法得到。这使得可以从任意的数据源获取client数据，比如 config 文件或者数据库。文档中使用 in-memory 版本的 client 存储方式。通过在ConfigureService中添加 AddInmemoryClients 扩展实现。

client for service to service communication 的定义

这个场景下没有用户操作- 一个service(aka client)试图和一个API(aka scope)进行交互。

public class Clients
{
    public static IEnumerable<Client> Get()
    {
        return new List<Client>
        {
            new Client
            {
                ClientId = "service.client",
                ClientSecrets = { new Secret("secret".Sha256()) },

                AllowedGrantTypes = GrantTypes.ClientCredentials,
                AllowedScopes = { "api1", "api2.read_only" }
            }
        };
    }
}

定义基于浏览器的JavaScript客户端(例如SPA)来对用户进行身份验证和授权Api访问

这个 client 使用叫做 implicit 的流程从 JavaScript 请求 identity 和 access token

var jsClient = new Client
{
    ClientId = "js",
    ClientName = "JavaScript Client",
    ClientUri = "http://identityserver.io",

    AllowedGrantTypes = GrantTypes.Implicit,
    AllowAccessTokensViaBrowser = true,

    RedirectUris =           { "http://localhost:7017/index.html" },
    PostLogoutRedirectUris = { "http://localhost:7017/index.html" },
    AllowedCorsOrigins =     { "http://localhost:7017" },

    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        IdentityServerConstants.StandardScopes.Email,

        "api1", "api2.read_only"
    }
};

定义基于服务端web应用程序(例如MVC)来对用户进行身份验证和授权Api访问

服务端(或者 本地桌面/手机)应用程序使用 hybrid flow. 这种方式最安全，因为access tokens 仅使用后台通信，而且允许刷新token

var mvcClient = new Client
{
    ClientId = "mvc",
    ClientName = "MVC Client",
    ClientUri = "http://identityserver.io",

    AllowedGrantTypes = GrantTypes.Hybrid,
    AllowOfflineAccess = true,
    ClientSecrets = { new Secret("secret".Sha256()) },

    RedirectUris =           { "http://localhost:21402/signin-oidc" },
    PostLogoutRedirectUris = { "http://localhost:21402/" },
    FrontChannelLogoutUri =  "http://localhost:21402/signout-oidc",

    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        IdentityServerConstants.StandardScopes.Email,

        "api1", "api2.read_only"
    },
};

在 appsettings.json 中定义 clients

Asp.Net Core 配置文件

"IdentityServer": {
  "IssuerUri": "urn:sso.company.com",
  "Clients": [
    {
      "Enabled": true,
      "ClientId": "local-dev",
      "ClientName": "Local Development",
      "ClientSecrets": [ { "Value": "<Insert Sha256 hash of the secret encoded as Base64 string>" } ],
      "AllowedGrantTypes": [ "implicit" ],
      "AllowedScopes": [ "openid", "profile" ],
      "RedirectUris": [ "https://localhost:5001/signin-oidc" ],
      "RequireConsent": false
    }
  ]
}

AddInMemoryClients(configuration.GetSection("IdentityServer:Clients"))