  • 一步一步学习IdentityServer3 (3)

    在上一篇中配置一个基础的idrserver服务端

    这篇文章将对服务端做一些变化,这里我先贴一下上一章中的代码

    证书:

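      /// <summary>
      /// Loads the token-signing certificate that is embedded in this assembly as a
      /// manifest resource.
      /// </summary>
      /// <remarks>
      /// SECURITY: the PFX password is a literal in source, and the resource name
      /// ("idsrv3test.pfx") appears to be the sample test certificate distributed with
      /// the IdentityServer3 samples. If so, its private key is publicly known and any
      /// token signed with it can be produced by a third party. Use it for a local demo
      /// only; for a real deployment load a certificate you issued yourself from the
      /// machine certificate store or a secret store, and keep the password out of the
      /// repository.
      /// </remarks>
      static class Certificate
        {
            /// <summary>
            /// Reads the embedded PFX and returns it as an <see cref="X509Certificate2"/>.
            /// </summary>
            /// <returns>The certificate including its private key.</returns>
            /// <exception cref="System.InvalidOperationException">
            /// The embedded resource is missing (wrong name, or the file's build action
            /// is not "Embedded Resource").
            /// </exception>
            public static X509Certificate2 Get()
            {
                var assembly = typeof(Certificate).Assembly;
                using (var stream = assembly.GetManifestResourceStream("OAuthWeb.IdrConfig.idsrv3test.pfx"))
                {
                    // GetManifestResourceStream returns null when the resource is not found;
                    // fail with a clear message instead of a NullReferenceException later on.
                    if (stream == null)
                    {
                        throw new System.InvalidOperationException(
                            "Embedded signing certificate 'OAuthWeb.IdrConfig.idsrv3test.pfx' was not found in the assembly.");
                    }

                    return new X509Certificate2(ReadStream(stream), "idsrv3test");
                }
            }

            /// <summary>
            /// Copies the remaining content of <paramref name="input"/> into a byte array.
            /// </summary>
            private static byte[] ReadStream(Stream input)
            {
                using (var ms = new MemoryStream())
                {
                    input.CopyTo(ms);
                    return ms.ToArray();
                }
            }
        }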

    Clients:

     /// <summary>
     /// In-memory registrations of the clients known to this IdentityServer3 host.
     /// </summary>
     /// <remarks>
     /// Review notes for anyone reusing this listing outside a lab:
     /// every redirect URI and CORS origin below is plain http, and the client
     /// secrets are literals in source. Only the SHA-256 hash is handed to
     /// <c>Secret</c>, but the plaintext value is still readable here, so treat
     /// these values as published and load real secrets from configuration or a
     /// secret store.
     /// </remarks>
     public class Clients
        {
            /// <summary>Returns the four sample client registrations.</summary>
            public static IEnumerable<Client> Get()
            {
                // JS client (implicit flow).
                // AllowAccessToAllScopes = true means no per-client scope list is applied;
                // prefer an explicit AllowedScopes list so the client gets least privilege.
                // With the implicit flow tokens are returned to the redirect URI in the
                // browser, so an http redirect URI carries them without TLS.
                var jsClient = new Client
                {
                    Enabled = true,
                    ClientName = "JS Client",
                    ClientId = "js",
                    Flow = Flows.Implicit,
                    RedirectUris = new List<string> { "http://192.168.0.42:44319/Home/Contact" },
                    AllowedCorsOrigins = new List<string> { "http://localhost:20241" },
                    AllowAccessToAllScopes = true
                };

                // Client credentials flow (machine-to-machine).
                var siliconSecrets = new List<Secret>
                {
                    new Secret("F621F470-9731-4A25-80EF-67A6F7C5F4B8".Sha256())
                };
                var siliconClient = new Client
                {
                    ClientName = "Silicon-only Client",
                    ClientId = "silicon",
                    Enabled = true,
                    AccessTokenType = AccessTokenType.Reference,
                    Flow = Flows.ClientCredentials,
                    ClientSecrets = siliconSecrets,
                    // Scopes this registered client is allowed to request.
                    AllowedScopes = new List<string> { "api1" }
                };

                // Resource owner password credentials flow.
                // The client collects the user's password itself, so this flow should
                // be limited to trusted first-party clients.
                var carbonSecrets = new List<Secret>
                {
                    new Secret("21B5F798-BE55-42BC-8AA8-0025B903DC3B".Sha256())
                };
                var carbonClient = new Client
                {
                    ClientName = "Silicon on behalf of Carbon Client",
                    ClientId = "carbon",
                    Enabled = true,
                    AccessTokenType = AccessTokenType.Reference,
                    Flow = Flows.ResourceOwner,
                    ClientSecrets = carbonSecrets,
                    AllowedScopes = new List<string> { "api1" }
                };

                // Implicit flow, used for the SSO site.
                // NOTE(review): the secret below is the same value as the "carbon" client's;
                // give each client its own secret. RequireConsent = false is set for this
                // client, and no RedirectUris are listed here (the article says the listing
                // was trimmed) - confirm the real registration lists the exact redirect URI.
                var ssoSecrets = new List<Secret>
                {
                    new Secret("21B5F798-BE55-42BC-8AA8-0025B903DC3B".Sha256())
                };
                var ssoScopes = new List<string>
                {
                    Constants.StandardScopes.OpenId,
                    Constants.StandardScopes.Profile
                };
                var ssoClient = new Client
                {
                    Enabled = true,
                    ClientName = "SSO",
                    ClientId = "mvc",
                    Flow = Flows.Implicit,
                    RequireConsent = false,
                    ClientSecrets = ssoSecrets,
                    AllowedScopes = ssoScopes
                };

                return new[] { jsClient, siliconClient, carbonClient, ssoClient };
            }
        }

    Scopes:

     /// <summary>
     /// Scopes registered with this IdentityServer3 host.
     /// </summary>
     public class Scopes
        {
            /// <summary>
            /// Returns the two standard identity scopes plus the custom "api1" scope.
            /// </summary>
            public static List<Scope> Get()
            {
                var registered = new List<Scope>();

                registered.Add(IdentityServer3.Core.Models.StandardScopes.OpenId);
                registered.Add(IdentityServer3.Core.Models.StandardScopes.Profile);

                // Custom scope. A client registration names "api1" in its allowed scopes,
                // and the client states the scope it wants when it requests a token.
                registered.Add(new Scope
                {
                    Name = "api1"
                });

                return registered;
            }
        }

    users:

     /// <summary>
     /// Hard-coded in-memory user store for the sample.
     /// </summary>
     /// <remarks>
     /// SECURITY: both accounts carry the plaintext password "secret" in source.
     /// This is only acceptable for a demo; a real deployment needs a user store
     /// that keeps salted password hashes and no credentials in the repository.
     /// </remarks>
     public class Users
        {
            /// <summary>Returns the two sample users, "bob" and "alice".</summary>
            public static List<InMemoryUser> Get()
            {
                var bob = new InMemoryUser
                {
                    Username = "bob",
                    Password = "secret",
                    Subject = "1",
                    // Claims attached to this user.
                    Claims = new[]
                    {
                        new Claim(Constants.ClaimTypes.GivenName, "Bob"),
                        new Claim(Constants.ClaimTypes.FamilyName, "Smith"),
                        new Claim(Constants.ClaimTypes.Email, "bob.smith@email.com")
                    }
                };

                // alice has no extra claims.
                var alice = new InMemoryUser
                {
                    Username = "alice",
                    Password = "secret",
                    Subject = "2"
                };

                return new List<InMemoryUser> { bob, alice };
            }
        }

    结合上一章节贴了一些代码,代码中略有删减

    有了这个idrserver 怎么来做自己的SSO呢?

    例如我有一个网站A,需要由IdrServer提供认证,这就涉及到了OpenID Connect

    新建一个站点A 添加nuget包

    Microsoft.Owin.Security.Cookies;
    Microsoft.Owin.Security.OpenIdConnect;

    Microsoft.Owin.Host.SystemWeb;

     // Local cookie middleware: holds the site's own sign-in session.
     var cookieOptions = new CookieAuthenticationOptions
     {
         AuthenticationType = "Cookies",
     };
     app.UseCookieAuthentication(cookieOptions);

     // OpenID Connect middleware that sends users to the IdentityServer host.
     // NOTE(review): Authority and both redirect URIs are plain http, so the
     // metadata lookup, the login redirect and the returned tokens are not
     // protected by TLS; use https for anything beyond a closed lab network.
     var oidcOptions = new OpenIdConnectAuthenticationOptions
     {
         // Address of your IdentityServer host.
         Authority = "http://192.168.0.42:10011/lym",
         // Must match the ClientId of the client registered on the server.
         ClientId = "mvc",
         // Must match the scopes allowed for that client.
         Scope = "openid profile",
         // Where the user is sent after a successful login; must match the
         // redirect URI registered for the client.
         RedirectUri = "http://192.168.0.42:44319/",
         // Same rule as RedirectUri.
         PostLogoutRedirectUri = "http://192.168.0.42:44319/",
         // NOTE(review): client secret as a literal in source; load it from
         // configuration or a secret store instead. The "mvc" client is registered
         // for the implicit flow, which presumably never sends this value - confirm
         // and drop it if unused.
         ClientSecret = "21B5F798-BE55-42BC-8AA8-0025B903DC3B",
         // See the configuration reference; the authorization code response type
         // ("code") is the other option. "id_token token" hands the access token
         // to the browser as well as the identity token.
         ResponseType = "id_token token",
         // Sign the user in with the cookie middleware configured above.
         SignInAsAuthenticationType = "Cookies"
     };
     app.UseOpenIdConnectAuthentication(oidcOptions);

     访问站点A 就会跳转到SSO登录页面,如下图:

    我这里用的是自己定义的登录界面,可以修改成自己的样式和风格。能看到登录界面,说明这一步成功了。下一篇文章将介绍自定义登录页面的操作

  • 原文地址:https://www.cnblogs.com/liyouming/p/7070382.html