2021,祝大家新年快乐!!!
2021年了,新的一年应该有新的计划,我的计划是准备去学习微服务,所以我将我自己的博客项目拆分成了一个微服务项目,用来给自己学习,项目地址:http://www.ttblog.site/。之前做的一个认证服务比较简单,只是单纯的生成jwtToken,所以想改造下。看了很多资料,发现了.net下的一个基于 OpenID Connect 和 OAuth 2.0 认证框架:IdentityServer4,所以就查了一下资料就用在了我的项目上。因为我也是刚刚学习IdentityServer4,所以如果有说错的地方希望大家指出。
我的想法是不想让我的api裸奔,所以要加个认证,不是谁都可以调用我的apide1,这里我选择了IdenttiyServer4的客户端凭据许可模式(client_credentials),这里推荐一个文章:https://www.cnblogs.com/ddrsql/p/7789064.html。因为我觉得这种模式正好符合自己的要求,对于其它的模式我也只是了解过,但是并没有实践过。
第一步:搭建一个IdentityServer服务器
添加IdentityServer4的nuget包。然后我添加了一个idenityserver.json的文件用来配置一些认证资源
{ "WebApi": { "ApiResource": "",
"ApiScope": "", "Client": { "ClientId": "", "ClientName": "", "ClientSecrets": "", "AllowedGrantTypes": "", "AllowedScopes": "", "AccseeTokenTime": "" //单位秒 } } }
然后添加ApiConfig类:
using Core.Configuration; using IdentityServer4; using IdentityServer4.Models; using Microsoft.Extensions.Configuration; using System; using System.Collections.Generic; using System.Linq; using System.Text; using static IdentityServer4.IdentityServerConstants; namespace Core.Auth.IdentityServer4 { public class ApiConfig { public static IConfiguration Configuration = ConfigureProvider.configuration; private static string[] ApiNames = { "WebApi" }; /// <summary> /// Define which APIs will use this IdentityServer /// </summary> /// <returns></returns> public static IEnumerable<ApiResource> GetApiResources() { List<ApiResource> apiResources = new List<ApiResource>(); foreach (var item in ApiNames) { var configuration = Configuration.GetSection(item); string name = configuration.GetSection("ApiResource").Value; string[] scopes = configuration.GetSection("ApiScope").Value.Split(","); ApiResource apiResource = new ApiResource(name, name) { Scopes = scopes }; apiResources.Add(apiResource); } return apiResources; } public static IEnumerable<ApiScope> GetApiScopes() { List<ApiScope> apiScopes = new List<ApiScope>(); foreach (var item in ApiNames) { var configuration = Configuration.GetSection(item); string[] names = configuration.GetSection("ApiScope").Value.Split(","); foreach(var name in names) { ApiScope apiScope = new ApiScope(name, name); apiScopes.Add(apiScope); } } return apiScopes; } /// <summary> /// Define which Apps will use thie IdentityServer /// </summary> /// <returns></returns> public static IEnumerable<Client> GetClients() { List<Client> clients = new List<Client>(); foreach(var item in ApiNames) { var configuration = Configuration.GetSection(item); string clientId = configuration["Client:ClientId"]; string clientName = configuration["Client:ClientName"]; Secret[] secrets = configuration["Client:ClientSecrets"].Split(',').Select(s=>new Secret(s.Sha256())).ToArray() ; string[] grantTypes = configuration["Client:AllowedGrantTypes"].Split(","); List<string> allowedScopes = configuration["Client:AllowedScopes"].Split(',').ToList(); //allowedScopes.Add(IdentityServerConstants.StandardScopes.OpenId); //allowedScopes.Add(IdentityServerConstants.StandardScopes.Profile); allowedScopes.Add(StandardScopes.OfflineAccess); int accseeTokenTime =Convert.ToInt32(configuration["Client:AccseeTokenTime"]); Client client = new Client(); client.ClientId = clientId; client.ClientName = clientName; client.ClientSecrets = secrets; client.AllowedGrantTypes = grantTypes; client.AllowedScopes = allowedScopes; client.AccessTokenLifetime = accseeTokenTime; client.AllowOfflineAccess = true; clients.Add(client); } return clients; } /// <summary> /// Define which IdentityResources will use this IdentityServer /// </summary> /// <returns></returns> public static IEnumerable<IdentityResource> GetIdentityResources() { return new List<IdentityResource> { new IdentityResources.OpenId(), new IdentityResources.Profile(), }; } } }
这里有个问题,我网上百度的很多人写的就是 ApiResource apiResource = new ApiResource(name, name);就好了,但是我这里不行,如果不像下面这样写的话就一直401,然后看控制台提示“
IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler[7]
WebApiAuthKey was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'System.String'. Did not match: validationParameters.ValidAudience: 'System.String' or validationParameters.ValidAudiences: 'System.String'.
”不知道是不是因为我集成了Ocelot的原因,也有人说是IdentityServer4的4.0版本之后都要这样写
ApiResource apiResource = new ApiResource(name, name) { Scopes = scopes };
然后开始添加服务认
using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.PlatformAbstractions; namespace Core.Auth.IdentityServer4 { public static class ConfigureIdentityServer4 { public static IServiceCollection AddIdentityServer4(this IServiceCollection services) { string basePath = PlatformServices.Default.Application.ApplicationBasePath; IIdentityServerBuilder identityServerBuilder = services.AddIdentityServer(); identityServerBuilder.AddDeveloperSigningCredential(); identityServerBuilder.AddInMemoryIdentityResources(ApiConfig.GetIdentityResources()) .AddInMemoryApiResources(ApiConfig.GetApiResources()) .AddInMemoryClients(ApiConfig.GetClients()) .AddInMemoryApiScopes(ApiConfig.GetApiScopes()); return services; } } }
以上步骤弄完之后,你用postman访问http://localhost:5003/.well-known/openid-configuration,出现一下内容代表搭建成功:,
第二步:网关添加认证:
最开始我想的是每一个服务都取添加注册认证服务,这样当然可以实现,但是这样网关悠悠什么用的。我对微服务的理解是,应该所有的请求通过网关,网关应该是是对外的,任何人都不应该知道具体的服务地址,包括认证授权,网关就应该起到一个对api的保护作用。所以我放弃了这种想法,转而去针对网关实现对认证服务的注册,很幸运,ocelot也支持identityserver,只需要简单的配置,如下部分截图:
然后添加配置节点:
"IdentityService": { "Uri": "http://localhost:5003",//自己的认证服务地址,网关的地址为5000 "UseHttps": false, "ApiName": { "WebApi": "WebApi" } }
并且在Startup里面添加如下代码:
#region IdentityServerAuthenticationOptions => need to refactor Action<IdentityServerAuthenticationOptions> webOption = option => { option.Authority = Configuration["IdentityService:Uri"]; option.ApiName = Configuration["IdentityService:ApiName:WebApi"]; option.RequireHttpsMetadata = Convert.ToBoolean(Configuration["IdentityService:UseHttps"]); }; services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme) .AddIdentityServerAuthentication("WebApiAuthKey", webOption);
到此,可以说已经是初步完成了服务的认证,我这里并没有授权操作,所以就不谈授权。
第三步 :请求获取token
我们通过postman直接访问http://localhost:5003/connect/token,然后输入必要的参数,具体的操作可以网上百度,当然可以获取token。当是我这里是要结合我自己的项目,其中肯定不想让自己设定的一些关键信息如ClientId和Secret让别人知道,放到js里面,别人直接f12查看源码就知道了,所以我的想法是通过nginx设置header的方式,这样就可以了。如下:
location /auth/credentials/token { proxy_set_header client_secret ""; proxy_set_header client_id ""; proxy_pass http://127.0.0.1:5000; } //我这里是通过Ocelot转发到认证服务的,不要盲目复制
然后认证服务新加一个api
using Core.Auth; using Core.Common.EnumExtensions; using Core.Common.Http; using IdentityModel.Client; using Microsoft.AspNetCore.Mvc; using Microsoft.Extensions.Options; using Microsoft.Extensions.Primitives; using Newtonsoft.Json; using System; using System.Collections.Generic; using System.IdentityModel.Tokens.Jwt; using System.Linq; using System.Net.Http; using System.Security.Claims; using System.Threading.Tasks; namespace BlogAuthApi { [Route("api/auth")] [ApiController] public class AuthController: ControllerBase { private IHttpClientFactory _httpClientFactory; public AuthController(IHttpClientFactory httpClientFactory) { _httpClientFactory = httpClientFactory; } //[Route("token")] //[HttpGet] //public ApiResult GetToken() //{ // DateTime now = DateTime.Now; // var claims = new Claim[] // { // // 声明主题 // new Claim(JwtRegisteredClaimNames.Sub, "Blog"), // //JWT ID 唯一标识符 // new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()), // // 发布时间戳 issued timestamp // new Claim(JwtRegisteredClaimNames.Iat, now.ToUniversalTime().ToString(), ClaimValueTypes.Integer64) // }; // JwtToken jwtToken = Jwt.GetToken(claims); // return ApiResult.Success(jwtToken); //} [Route("credentials/token")] [HttpGet] public async Task<ApiResult> GetToken() { Request.Headers.TryGetValue("client_id", out StringValues clientId); Request.Headers.TryGetValue("client_secret", out StringValues clientSecret); HttpClient httpClient= _httpClientFactory.CreateClient(); Dictionary<string, string> headers = new Dictionary<string, string>(); headers.Add("client_id", clientId); headers.Add("client_secret", clientSecret); headers.Add("grant_type", "client_credentials"); FormUrlEncodedContent content = new FormUrlEncodedContent(headers); var response=await httpClient.PostAsync("http://localhost:5003/connect/token",content); if (!response.IsSuccessStatusCode) return ApiResult.Error(HttpStatusCode.BAD_REQUEST, response.StatusCode.GetEnumText()); var responseString=await response.Content.ReadAsStringAsync(); dynamic result = JsonConvert.DeserializeObject<dynamic>(responseString); int expires = result.expires_in; int minutes = new TimeSpan(0, 0, expires).Minutes; string token = result.access_token; JwtToken jwtToken = new JwtToken(token, minutes, DateTime.Now); return ApiResult.Success(jwtToken); } } }
这一样,我算是完成了自己的认证保护api的功能。
接下来我们测试一下,访问接口,我这里nginx代理我本地的80端口
获取到token,然后请求自己的接口,成功请求了:
接下来输入一个错误的token,我在token上加上23456,或者不加token,发现直接401了
,
然后过一段时间在访问,因为token已经过期了,所以也会401,我们看控制台输出
这里有个问题,因为我设置的两分钟过期,但是两分钟过后并不会真的立刻过期,具体的原因参考:https://www.cnblogs.com/stulzq/p/8998274.html.
我还没有具体的用在我的站点上面,因为我还没有弄IdentityServer4的证书,只是我本地用postman测试了下,我也是初步学习IdentityServer4,如果有不合理或错误的地方希望大家指出,欢迎大家访问我的站点:天天博客