  • IdentityServer4专题之七:Authorization Code认证模式

    (1)identityserver4授权服务器端

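    /// <summary>
    /// In-memory IdentityServer4 configuration for the Authorization Code sample:
    /// the identity resources, the single API resource and the one MVC client.
    /// </summary>
    public static class Config
    {
        /// <summary>
        /// Identity (OpenID Connect) scopes this server can issue user claims for.
        /// </summary>
        public static IEnumerable<IdentityResource> GetIdentityResources()
        {
            return new IdentityResource[]
            {
                new IdentityResources.OpenId(),
                new IdentityResources.Profile(),
                new IdentityResources.Email(),
                new IdentityResources.Phone(),
                new IdentityResources.Address(),
            };
        }

        /// <summary>
        /// API resources (access-token audiences) protected by this server.
        /// </summary>
        public static IEnumerable<ApiResource> GetApis()
        {
            return new ApiResource[]
            {
                new ApiResource("api1", "My API #1")
            };
        }

        /// <summary>
        /// Registered clients: only the ASP.NET Core MVC client used in this sample.
        /// </summary>
        public static IEnumerable<Client> GetClients()
        {
            return new[]
            {
                new Client
                {
                    ClientId = "mvc client",
                    ClientName = "ASP.NET Core MVC Client",

                    // Authorization Code for interactive user login, plus Client Credentials
                    // for server-to-server calls made under the client's own identity.
                    AllowedGrantTypes = GrantTypes.CodeAndClientCredentials,

                    // Bind the authorization code to the client instance that started the
                    // flow (code_challenge / code_verifier, RFC 7636) so an intercepted code
                    // cannot be redeemed elsewhere. The client must send code_challenge on the
                    // authorize request: the ASP.NET Core OpenID Connect handler does so by
                    // default from 3.0 on; older handlers need it added, otherwise the
                    // authorize request is rejected.
                    RequirePkce = true,

                    // Sample-only value. In a real deployment load the secret from
                    // configuration / a secret store; never commit it to source.
                    ClientSecrets = { new Secret("mvc secret".Sha256()) },

                    // Plain http is acceptable only for loopback development; redirect and
                    // logout URIs must be https anywhere else. They are matched exactly.
                    RedirectUris = { "http://localhost:5002/signin-oidc" },
                    FrontChannelLogoutUri = "http://localhost:5002/signout-oidc",
                    PostLogoutRedirectUris = { "http://localhost:5002/signout-callback-oidc" },

                    // Puts every user claim (email, phone, address, ...) into the id_token.
                    // Convenient for the sample, but the id_token then carries PII wherever
                    // it travels; the alternative is to let the client call the userinfo endpoint.
                    AlwaysIncludeUserClaimsInIdToken = true,

                    // Permits the offline_access scope, i.e. issuing refresh tokens that can
                    // obtain new access tokens without user interaction.
                    AllowOfflineAccess = true,

                    // Every scope the client may request; anything else is rejected.
                    AllowedScopes =
                    {
                        "api1",
                        IdentityServerConstants.StandardScopes.OpenId,
                        IdentityServerConstants.StandardScopes.Profile,
                        IdentityServerConstants.StandardScopes.Address,
                        IdentityServerConstants.StandardScopes.Phone,
                        IdentityServerConstants.StandardScopes.Email
                    }
                }
            };
        }
    }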

     

    (2)客户端:同样需要安装 IdentityModel 库。

    在 Startup.cs 的 ConfigureServices 方法中,需要做如下添加:

    // Turn off the handler's default inbound claim-type mapping, otherwise the claim
    // types IdentityServer issued (e.g. "sub", "name") get rewritten to the long
    // http://schemas.xmlsoap.org/... claim types on the way in.
    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
    // Register authentication and configure the two schemes the client uses.
           services.AddAuthentication(options =>
                {
                    // The client application itself authenticates users with the "Cookies" scheme.
                    options.DefaultScheme =CookieAuthenticationDefaults.AuthenticationScheme ;
                    // Unauthenticated requests are challenged via "oidc", i.e. redirected to IdentityServer4.
                 options.DefaultChallengeScheme =OpenIdConnectDefaults.AuthenticationScheme ;
                }).AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
    // OpenID Connect settings. They must match the corresponding Client entry in IdentityServer's
    // Config.cs (client id, secret, scopes, redirect URIs), otherwise login/authorization fails.
                .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options=> {
                    // After a successful OIDC login, persist the user under the cookie scheme.
                    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                    options.Authority = "http://localhost:5000";
                    // Lets the handler fetch discovery metadata and signing keys over plain http.
                    // Local development only: without https an on-path attacker can substitute the
                    // discovery document and keys. Leave at the default (true) in production.
                    options.RequireHttpsMetadata = false;
                    options.ClientId = "mvc client";
                    // Sample value in source; real deployments read it from configuration / a secret store.
                    options.ClientSecret = "mvc secret";
                    // Store the access, id and refresh tokens in the authentication cookie so that
                    // HttpContext.GetTokenAsync(...) can return them later. The cookie grows and then
                    // carries a refresh token, so it must stay https-only and HttpOnly.
                    options.SaveTokens = true;
                    // Authorization Code flow: the browser only ever sees the code; tokens are fetched
                    // from the token endpoint on the back channel together with the client secret.
                    // NOTE(review): if the server-side client has RequirePkce enabled, the handler must
                    // send code_challenge. Handlers from ASP.NET Core 3.0 on do so by default; older
                    // ones need it added explicitly.
                    options.ResponseType = "code";

                    // Drop the handler's default scopes and request exactly the ones below;
                    // each of them must appear in the server client's AllowedScopes.
                    options.Scope.Clear();
                    options.Scope.Add("api1");
                    options.Scope.Add(OidcConstants.StandardScopes.OpenId);//"openid"
                    options.Scope.Add(OidcConstants.StandardScopes.Profile);//"profile"
                    options.Scope.Add(OidcConstants.StandardScopes.Address);
                    options.Scope.Add(OidcConstants.StandardScopes.Email);
                    options.Scope.Add(OidcConstants.StandardScopes.Phone);
                    // Pairs with AllowOfflineAccess=true on the server: offline_access asks for a
                    // refresh token so new access tokens can be obtained without user interaction.
                    options.Scope.Add(OidcConstants.StandardScopes.OfflineAccess);
                });

    在 Startup.cs 的 Configure 方法中,于 app.UseMvc() 之前添加如下内容(顺序很重要:认证中间件必须先于 MVC 运行,否则 [Authorize] 不会生效):

    app.UseAuthentication();

    然后,在 Controller 中按如下方式使用。通常需要如下引用:

    using System;

    using System.Collections.Generic;

    using System.Diagnostics;

    using System.Linq;

    using System.Net.Http;

    using System.Threading.Tasks;

    using IdentityModel.Client;

    using Microsoft.AspNetCore.Authentication;

    using Microsoft.AspNetCore.Authentication.Cookies;

    using Microsoft.AspNetCore.Authentication.OpenIdConnect;

    using Microsoft.AspNetCore.Authorization;

    using Microsoft.AspNetCore.Mvc;

    using Microsoft.IdentityModel.Protocols.OpenIdConnect;

    using MvcClient.Models;

     

    //获取AccessToken、IdToken、RefreshToken时:

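    /// <summary>
    /// Shows the tokens the OpenID Connect handler stored in the authentication
    /// cookie (requires <c>SaveTokens = true</c> on the handler).
    /// </summary>
    /// <remarks>
    /// Sample/debug page only: it renders raw bearer and refresh tokens into HTML.
    /// Anyone who can read the page (browser extensions, proxies, screenshots) gets
    /// credentials that stay valid until they expire or are revoked, so do not ship this view.
    /// </remarks>
    [Authorize]
        public async Task<IActionResult> Privacy()
        {
            var accessToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.AccessToken);
            var idToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.IdToken);
            var refreshToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.RefreshToken);

            // The authorization code is single-use and is consumed at the token endpoint;
            // the earlier GetTokenAsync("code") lookup was never read, so it has been removed.
            ViewData["idToken"] = idToken;
            ViewData["refreshToken"] = refreshToken;
            ViewData["accessToken"] = accessToken;

            return View();
        }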

     

    //访问Api资源时

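    /// <summary>
    /// Calls the protected sample API with the access token from the current user's
    /// authentication cookie and puts the response body (or the error) into ViewData.
    /// </summary>
    /// <remarks>
    /// The action now requires an authenticated user. Without the attribute an anonymous
    /// request reached the API with no bearer token and only surfaced as a 401 from the API.
    /// </remarks>
    [Authorize]
    public async Task<IActionResult> AccessApi()
        {
            // NOTE(review): a new HttpClient per request exhausts sockets under load;
            // inject IHttpClientFactory or a shared instance once this leaves sample code.
            var client = new HttpClient();

            // Discovery is used only as a reachability check on IdentityServer here;
            // nothing from the document is needed to call the API.
            var disco = await client.GetDiscoveryDocumentAsync("http://localhost:5000");
            if (disco.IsError)
            {
                ViewData["disco"] = disco.Error;
                return View();
            }

            var accessToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.AccessToken);
            if (string.IsNullOrEmpty(accessToken))
            {
                // SaveTokens is off, the cookie predates it, or the token is missing:
                // report that instead of sending an unauthenticated request to the API.
                ViewData["response_error"] = "no access token in the authentication cookie";
                return View();
            }

            // The stored token is not refreshed here; once it expires the API answers 401
            // until the user signs in again (or a refresh-token exchange is implemented).
            client.SetBearerToken(accessToken);

            // Bearer tokens over plain http are readable on the wire: loopback/dev only.
            var response = await client.GetAsync("http://localhost:5001/api/values");
            if (!response.IsSuccessStatusCode)
            {
                ViewData["response_error"] = response.StatusCode;
                return View();
            }

            ViewData["response-content"] = await response.Content.ReadAsStringAsync();
            return View();
        }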

     

     

           从客户端及 IdentityServer4 登出时(注意:只清除本地 Cookie 而不登出 IdentityServer,下一次 Challenge 会静默地再次登录):

            public async Task<IActionResult> Logout()

            {

                await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);

                await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);

                return View();

            }

    如果登出后需要跳转回客户端应用网站,则需将 IdentityServer4 中 IdentityServer4.Quickstart.UI 命名空间下 AccountOptions 类的以下字段设为 true:

    public static bool AutomaticRedirectAfterSignOut = true; 

    这样,从 IdentityServer 登出后,将自动跳转到客户端应用页面(跳转目标必须已登记在该客户端的 PostLogoutRedirectUris 中,否则不会跳转)。
