zoukankan      html  css  js  c++  java
  • asp.net core 使用identityServer4的密码模式来进行身份认证(2) 认证授权原理

    前言:本文将会结合asp.net core 认证源码来分析起认证的原理与流程。asp.net core版本2.2

    对于大部分使用asp.net core开发的人来说。

    下面这几行代码应该很熟悉了。

    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                    .AddJwtBearer(options =>
                    {
                        options.RequireHttpsMetadata = false;
                        options.Audience = "sp_api";
                        options.Authority = "http://localhost:5001";
                        options.SaveToken = true;
                        
                    })         
     app.UseAuthentication();

    废话不多说。直接看 app.UseAuthentication()的源码

     public class AuthenticationMiddleware
        {
            private readonly RequestDelegate _next;
    
            public AuthenticationMiddleware(RequestDelegate next, IAuthenticationSchemeProvider schemes)
            {
                if (next == null)
                {
                    throw new ArgumentNullException(nameof(next));
                }
                if (schemes == null)
                {
                    throw new ArgumentNullException(nameof(schemes));
                }
    
                _next = next;
                Schemes = schemes;
            }
    
            public IAuthenticationSchemeProvider Schemes { get; set; }
    
            public async Task Invoke(HttpContext context)
            {
                context.Features.Set<IAuthenticationFeature>(new AuthenticationFeature
                {
                    OriginalPath = context.Request.Path,
                    OriginalPathBase = context.Request.PathBase
                });
    
                // Give any IAuthenticationRequestHandler schemes a chance to handle the request
                var handlers = context.RequestServices.GetRequiredService<IAuthenticationHandlerProvider>();
                foreach (var scheme in await Schemes.GetRequestHandlerSchemesAsync())
                {
                    var handler = await handlers.GetHandlerAsync(context, scheme.Name) as IAuthenticationRequestHandler;
                    if (handler != null && await handler.HandleRequestAsync())
                    {
                        return;
                    }
                }
    
                var defaultAuthenticate = await Schemes.GetDefaultAuthenticateSchemeAsync();
                if (defaultAuthenticate != null)
                {
                    var result = await context.AuthenticateAsync(defaultAuthenticate.Name);
                    if (result?.Principal != null)
                    {
                        context.User = result.Principal;
                    }
                }
    
                await _next(context);
            }

    现在来看看var defaultAuthenticate = await Schemes.GetDefaultAuthenticateSchemeAsync(); 干了什么。

    在这之前。我们更应该要知道上面代码中  public IAuthenticationSchemeProvider Schemes { get; set; } ,假如脑海中对这个IAuthenticationSchemeProvider类型的来源,有个清晰认识,对后面的理解会有很大的帮助

    现在来揭秘IAuthenticationSchemeProvider 是从哪里来添加到ioc的。

      public static AuthenticationBuilder AddAuthentication(this IServiceCollection services)
            {
                if (services == null)
                {
                    throw new ArgumentNullException(nameof(services));
                }
    
                services.AddAuthenticationCore();
                services.AddDataProtection();
                services.AddWebEncoders();
                services.TryAddSingleton<ISystemClock, SystemClock>();
                return new AuthenticationBuilder(services);
            }

    红色代码内部逻辑中就把IAuthenticationSchemeProvider添加到了IOC中。先来看看services.AddAuthenticationCore()的源码,这个源码的所在的解决方案的仓库地址是https://github.com/aspnet/HttpAbstractions,这个仓库目前已不再维护,其代码都转移到了asp.net core 仓库 。

    下面为services.AddAuthenticationCore()的源码

     public static class AuthenticationCoreServiceCollectionExtensions
        {
            /// <summary>
            /// Add core authentication services needed for <see cref="IAuthenticationService"/>.
            /// </summary>
            /// <param name="services">The <see cref="IServiceCollection"/>.</param>
            /// <returns>The service collection.</returns>
            public static IServiceCollection AddAuthenticationCore(this IServiceCollection services)
            {
                if (services == null)
                {
                    throw new ArgumentNullException(nameof(services));
                }
    
                services.TryAddScoped<IAuthenticationService, AuthenticationService>();
                services.TryAddSingleton<IClaimsTransformation, NoopClaimsTransformation>(); // Can be replaced with scoped ones that use DbContext
                services.TryAddScoped<IAuthenticationHandlerProvider, AuthenticationHandlerProvider>();
                services.TryAddSingleton<IAuthenticationSchemeProvider, AuthenticationSchemeProvider>();
                return services;
            }
    
            /// <summary>
            /// Add core authentication services needed for <see cref="IAuthenticationService"/>.
            /// </summary>
            /// <param name="services">The <see cref="IServiceCollection"/>.</param>
            /// <param name="configureOptions">Used to configure the <see cref="AuthenticationOptions"/>.</param>
            /// <returns>The service collection.</returns>
            public static IServiceCollection AddAuthenticationCore(this IServiceCollection services, Action<AuthenticationOptions> configureOptions) {
                if (services == null)
                {
                    throw new ArgumentNullException(nameof(services));
                }
    
                if (configureOptions == null)
                {
                    throw new ArgumentNullException(nameof(configureOptions));
                }
    
                services.AddAuthenticationCore();
                services.Configure(configureOptions);
                return services;
            }
        }

    完全就可以看待添加了一个全局单例的IAuthenticationSchemeProvider对象。现在让我们回到MiddleWare中探究Schemes.GetDefaultAuthenticateSchemeAsync(); 干了什么。光看方法的名字都能猜出就是获取的默认的认证策略。

    进入到IAuthenticationSchemeProvider 实现的源码中,按我的经验,来看先不急看GetDefaultAuthenticateSchemeAsync()里面的内部逻辑。必须的看下IAuthenticationSchemeProvider实现类的构造函数。它的实现类是AuthenticationSchemeProvider。

    先看看AuthenticationSchemeProvider的构造方法

     public class AuthenticationSchemeProvider : IAuthenticationSchemeProvider
        {
            /// <summary>
            /// Creates an instance of <see cref="AuthenticationSchemeProvider"/>
            /// using the specified <paramref name="options"/>,
            /// </summary>
            /// <param name="options">The <see cref="AuthenticationOptions"/> options.</param>
            public AuthenticationSchemeProvider(IOptions<AuthenticationOptions> options)
                : this(options, new Dictionary<string, AuthenticationScheme>(StringComparer.Ordinal))
            {
            }
    
            /// <summary>
            /// Creates an instance of <see cref="AuthenticationSchemeProvider"/>
            /// using the specified <paramref name="options"/> and <paramref name="schemes"/>.
            /// </summary>
            /// <param name="options">The <see cref="AuthenticationOptions"/> options.</param>
            /// <param name="schemes">The dictionary used to store authentication schemes.</param>
            protected AuthenticationSchemeProvider(IOptions<AuthenticationOptions> options, IDictionary<string, AuthenticationScheme> schemes)
            {
                _options = options.Value;
    
                _schemes = schemes ?? throw new ArgumentNullException(nameof(schemes));
                _requestHandlers = new List<AuthenticationScheme>();
    
                foreach (var builder in _options.Schemes)
                {
                    var scheme = builder.Build();
                    AddScheme(scheme);
                }
            }
    
            private readonly AuthenticationOptions _options;
            private readonly object _lock = new object();
    
            private readonly IDictionary<string, AuthenticationScheme> _schemes;
            private readonly List<AuthenticationScheme> _requestHandlers;

    不难看出,上面的构造方法需要一个IOptions<AuthenticationOptions> 类型。没有这个类型,而这个类型是从哪里的了?

    答:不知到各位是否记得addJwtBearer这个方法,再找个方法里面就注入了AuthenticationOptions找个类型。

    看源码把

     public static class JwtBearerExtensions
        {
            public static AuthenticationBuilder AddJwtBearer(this AuthenticationBuilder builder)
                => builder.AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, _ => { });
    
            public static AuthenticationBuilder AddJwtBearer(this AuthenticationBuilder builder, Action<JwtBearerOptions> configureOptions)
                => builder.AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, configureOptions);
    
            public static AuthenticationBuilder AddJwtBearer(this AuthenticationBuilder builder, string authenticationScheme, Action<JwtBearerOptions> configureOptions)
                => builder.AddJwtBearer(authenticationScheme, displayName: null, configureOptions: configureOptions);
    
            public static AuthenticationBuilder AddJwtBearer(this AuthenticationBuilder builder, string authenticationScheme, string displayName, Action<JwtBearerOptions> configureOptions)
            {
                builder.Services.TryAddEnumerable(ServiceDescriptor.Singleton<IPostConfigureOptions<JwtBearerOptions>, JwtBearerPostConfigureOptions>());
                return builder.AddScheme<JwtBearerOptions, JwtBearerHandler>(authenticationScheme, displayName, configureOptions);
            }
        }

    不难通过上述代码看出它是及一个基于AuthenticationBuilder的扩展方法,而注入AuthenticationOptions的关键就在于 builder.AddScheme<JwtBearerOptions, JwtBearerHandler>(authenticationScheme, displayName, configureOptions);  这行代码,按下F12看下源码

     public virtual AuthenticationBuilder AddScheme<TOptions, THandler>(string authenticationScheme, string displayName, Action<TOptions> configureOptions)
                where TOptions : AuthenticationSchemeOptions, new()
                where THandler : AuthenticationHandler<TOptions>
                => AddSchemeHelper<TOptions, THandler>(authenticationScheme, displayName, configureOptions);    
    private AuthenticationBuilder AddSchemeHelper<TOptions, THandler>(string authenticationScheme, string displayName, Action<TOptions> configureOptions)
                where TOptions : class, new()
                where THandler : class, IAuthenticationHandler
            {
                Services.Configure<AuthenticationOptions>(o =>
                {
                    o.AddScheme(authenticationScheme, scheme => {
                        scheme.HandlerType = typeof(THandler);
                        scheme.DisplayName = displayName;
                    });
                });
                if (configureOptions != null)
                {
                    Services.Configure(authenticationScheme, configureOptions);
                }
                Services.AddTransient<THandler>();
                return this;
            }

    照旧还是分为2个方法来进行调用,其重点就是AddSchemeHelper找个方法。其里面配置AuthenticationOptions类型。现在我们已经知道了IAuthenticationSchemeProvider何使注入的。还由AuthenticationSchemeProvider构造方法中IOptions<AuthenticationOptions> options是何使配置的,这样我们就对于认证有了一个初步的认识。现在可以知道对于认证中间件,必须要有一个IAuthenticationSchemeProvider 类型。而这个IAuthenticationSchemeProvider的实现类的构造函数必须要由IOptions<AuthenticationOptions> options,没有这两个类型,认证中间件应该是不会工作的。

    回到认证中间件中。继续看var defaultAuthenticate = await Schemes.GetDefaultAuthenticateSchemeAsync();这句代码,源码如下

      public virtual Task<AuthenticationScheme> GetDefaultAuthenticateSchemeAsync()
                => _options.DefaultAuthenticateScheme != null
                ? GetSchemeAsync(_options.DefaultAuthenticateScheme)
                : GetDefaultSchemeAsync();
    
    
     public virtual Task<AuthenticationScheme> GetSchemeAsync(string name)
                => Task.FromResult(_schemes.ContainsKey(name) ? _schemes[name] : null);
      private Task<AuthenticationScheme> GetDefaultSchemeAsync()
                => _options.DefaultScheme != null
                ? GetSchemeAsync(_options.DefaultScheme)
    : Task.FromResult
    <AuthenticationScheme>(null);

     让我们先验证下方法1的三元表达式,应该执行那边呢?通过前面的代码我们知道AuthenticationOptions是在AuthenticationBuilder类型的AddSchemeHelper方法里面进行配置的。经过我的调试,发现方法1会走右边。其实最终还是从一个字典中取到了默认的AuthenticationScheme对象。到这里中间件的里面var defaultAuthenticate = await Schemes.GetDefaultAuthenticateSchemeAsync();代码就完了。最终就那到了AuthenticationScheme的对象。

    下面来看看 中间件中var result = await context.AuthenticateAsync(defaultAuthenticate.Name);这句代码干了什么。按下F12发现是一个扩展方法,还是到HttpAbstractions解决方案里面找下源码

    源码如下

     public static Task<AuthenticateResult> AuthenticateAsync(this HttpContext context, string scheme) =>
                context.RequestServices.GetRequiredService<IAuthenticationService>().AuthenticateAsync(context, scheme);

    通过上面的方法,发现是通过IAuthenticationService的AuthenticateAsync() 来进行认证的。那么现在IAuthenticationService这个类是干什么 呢?

    下面为IAuthenticationService的定义

     public interface IAuthenticationService
        {
                   Task<AuthenticateResult> AuthenticateAsync(HttpContext context, string scheme);
    
                   Task ChallengeAsync(HttpContext context, string scheme, AuthenticationProperties properties);
    
                   Task ForbidAsync(HttpContext context, string scheme, AuthenticationProperties properties);
    
                   Task SignInAsync(HttpContext context, string scheme, ClaimsPrincipal principal, AuthenticationProperties properties);
    
                    Task SignOutAsync(HttpContext context, string scheme, AuthenticationProperties properties);
        }

     IAuthenticationService的AuthenticateAsync()方法的实现源码

    public class AuthenticationService : IAuthenticationService
        {
            /// <summary>
            /// Constructor.
            /// </summary>
            /// <param name="schemes">The <see cref="IAuthenticationSchemeProvider"/>.</param>
            /// <param name="handlers">The <see cref="IAuthenticationRequestHandler"/>.</param>
            /// <param name="transform">The <see cref="IClaimsTransformation"/>.</param>
            public AuthenticationService(IAuthenticationSchemeProvider schemes, IAuthenticationHandlerProvider handlers, IClaimsTransformation transform)
            {
                Schemes = schemes;
                Handlers = handlers;
                Transform = transform;
            }
     public virtual async Task<AuthenticateResult> AuthenticateAsync(HttpContext context, string scheme)
            {
                if (scheme == null)
                {
                    var defaultScheme = await Schemes.GetDefaultAuthenticateSchemeAsync();
                    scheme = defaultScheme?.Name;
                    if (scheme == null)
                    {
                        throw new InvalidOperationException($"No authenticationScheme was specified, and there was no DefaultAuthenticateScheme found.");
                    }
                }
    
    
                var handler = await Handlers.GetHandlerAsync(context, scheme);
                if (handler == null)
                {
                    throw await CreateMissingHandlerException(scheme);
                }
    
    
                var result = await handler.AuthenticateAsync();
                if (result != null && result.Succeeded)
                {
                    var transformed = await Transform.TransformAsync(result.Principal);
                    return AuthenticateResult.Success(new AuthenticationTicket(transformed, result.Properties, result.Ticket.AuthenticationScheme));
                }
                return result;
            }
     

     通过构造方法可以看到这个类的构造方法需要IAuthenticationSchemeProvider类型和IAuthenticationHandlerProvider 类型,前面已经了解了IAuthenticationSchemeProvider是干什么的,取到配置的授权策略的名称,那现在IAuthenticationHandlerProvider 是干什么的,看名字感觉应该是取到具体授权策略的handler.废话补多少,看IAuthenticationHandlerProvider 接口定义把

     public interface IAuthenticationHandlerProvider
        {
            /// <summary>
            /// Returns the handler instance that will be used.
            /// </summary>
            /// <param name="context">The context.</param>
            /// <param name="authenticationScheme">The name of the authentication scheme being handled.</param>
            /// <returns>The handler instance.</returns>
            Task<IAuthenticationHandler> GetHandlerAsync(HttpContext context, string authenticationScheme);
        }

    通过上面的源码,跟我猜想的不错,果然就是取得具体的授权策略

    现在我就可以知道AuthenticationService是对IAuthenticationSchemeProvider和IAuthenticationHandlerProvider封装。最终调用IAuthentionHandel的AuthenticateAsync()方法进行认证。最终返回一个AuthenticateResult对象。

    总结,对于asp.net core的认证来水,他需要下面这几个对象

    AuthenticationBuilder      扶着对认证策略的配置与初始话

    IAuthenticationHandlerProvider AuthenticationHandlerProvider 负责获取配置了的认证策略的名称

    IAuthenticationSchemeProvider AuthenticationSchemeProvider 负责获取具体认证策略的handle

    IAuthenticationService AuthenticationService 实对上面两个Provider 的封装,来提供一个具体处理认证的入口

    IAuthenticationHandler 和的实现类,是以哦那个来处理具体的认证的,对不同认证策略的出来,全是依靠的它的AuthenticateAsync()方法。

    AuthenticateResult  最终的认证结果。

    哎写的太垃圾了。

  • 相关阅读:
    Thinking in Java——笔记(14)
    Thinking in Java——笔记(12)
    frp对http协议应用
    我收藏的连接
    linux下 .netcore 微服务注册到SpringClound
    linux 上使用libxls读和使用xlslib写excel的方法简介
    window下 ANSI Unicode utf8之间相互转换
    提取CString中的汉字及个数
    MFC通过sql访问excel的方法
    linux上安装mysql及简单的使用
  • 原文地址:https://www.cnblogs.com/wscar/p/10513851.html
Copyright © 2011-2022 走看看