自检端点(官方翻译过来叫:自省端点,不太好理解,我这就叫自检端点)
IdentityServer4 有两咱token,JWT token和reference token两种令牌,自检端点是针对reference token处理的。
下面是生成reference token令牌的步骤:
1、配置服务端
new Client { ClientId = "roclient.reference", ClientSecrets = {new Secret("secret".Sha256())}, AllowedGrantTypes = GrantTypes.ResourceOwnerPassword, AllowedScopes = { "resource1.scope1", "resource2.scope1","scope4.scope" }, AccessTokenType = AccessTokenType.Reference },
说明:大红色的代码是关键: AccessTokenType = AccessTokenType.Reference 生成的token类型为reference token。
2、配置访问范围&资源
public static readonly IEnumerable<ApiScope> ApiScopes = new[] { new ApiScope("scope4.scope"), //标记点1 };
public static readonly IEnumerable<ApiResource> ApiResources = new[] { new ApiResource("scope4.1","test scope4") //资源名称【scope4.1】会有用到,标记点3 { ApiSecrets={ new Secret("secret".Sha256())}, //资源私钥【secret】,标记点4,这是必需的 Scopes={ "scope4.scope" } //标记点2,对标记点1 }, };
3、获取token
方法1:URL地址直接获取
先取得url地址,如:http://localhost:5000/connect/token
POST /connect/token 参数用:form-data方式 client_id=roclient.reference& client_secret=secret& grant_type=password& username=bob& password=bob
使用用户密码方式获取token
这种方式获取的token会短很多,因为它只包含令牌的标识信息(不携带任何数据),令牌数据保存在服务器上
方法2:编程方式获取
static IDiscoveryCache _cache = new DiscoveryCache(“认证服务器地址”); //注入端点发现,服务器地址如:http://localhost:8112
var disco = await _cache.GetAsync(); if (disco.IsError) throw new Exception(disco.Error); var client = new HttpClient(); var response = await client.RequestPasswordTokenAsync(new PasswordTokenRequest { Address = disco.TokenEndpoint, ClientId = "roclient.reference", ClientSecret = "secret", UserName = "bob", Password = "bob", Scope = "scope4.scope" //访问范围,可选 }); if (response.IsError) throw new Exception(response.Error); return response.AccessToken;
4、使用token进行自检
方法1:URL方式
POST /connect/introspect Authorization: Basic xxxyyy token=<token> //这里的token就是accessToken
关键点: Basic xxxyyy 是什么,是资源名称和资源私钥生成为Base64编码的字符串
办法1:
Convert.ToBase64String(Encoding.UTF8.GetBytes(string.Format("{0}:{1}", 资源名称, 资源私钥)));
Convert.ToBase64String(Encoding.UTF8.GetBytes(string.Format("{0}:{1}", "scope4.1", "secret")));
办法2:postman调试
方法2:编程方式
var disco = await _cache.GetAsync(); if (disco.IsError) throw new Exception(disco.Error); var client = new HttpClient(); var result = await client.IntrospectTokenAsync(new TokenIntrospectionRequest { Address = disco.IntrospectionEndpoint, ClientId = "scope4.1", //资源名称 ClientSecret = "secret", //资源私钥 Token = accessToken }); if (result.IsError) { Console.WriteLine(result.Error); } else { if (result.IsActive) //返回看IsActive->true表示有效,false表示无效 { result.Claims.ToList().ForEach(c => Console.WriteLine("{0}: {1}", c.Type, c.Value)); } else { Console.WriteLine("token is not active"); } }
到这里自检操作完成,引用令牌还有手动注销,在另一个贴子讨论
参考资料:
https://identityserver4.readthedocs.io/en/latest/endpoints/token.html
https://identityserver4.readthedocs.io/en/latest/endpoints/introspection.html
https://identitymodel.readthedocs.io/en/latest/client/token.html
https://identitymodel.readthedocs.io/en/latest/client/introspection.html