IdentityServer4 Clients
Clients 的定义
Client是指那些从 identityserver获取 token的应用
通常需要为client定义下面通用的设置
- 唯一的client id
- secret, 如果需要
- 允许交互的令牌服务(也叫做 grant type)
- 一个接收 identity 和/或 access token 的网络地址
- client 被允许访问的 一组 scope (也叫做resource)
Note 运行时,clients 通过 实现
IClientStore
调用方法得到。这使得可以从任意的数据源获取client数据,比如 config 文件或者数据库。文档中使用 in-memory 版本的 client 存储方式。通过在ConfigureService
中添加AddInmemoryClients
扩展实现。
client for service to service communication 的定义
这个场景下没有用户操作- 一个service(aka client)试图和一个API(aka scope)进行交互。
public class Clients
{
public static IEnumerable<Client> Get()
{
return new List<Client>
{
new Client
{
ClientId = "service.client",
ClientSecrets = { new Secret("secret".Sha256()) },
AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowedScopes = { "api1", "api2.read_only" }
}
};
}
}
定义基于浏览器的JavaScript客户端(例如SPA)来对用户进行身份验证和授权Api访问
这个 client 使用叫做 implicit 的流程从 JavaScript 请求 identity 和 access token
var jsClient = new Client
{
ClientId = "js",
ClientName = "JavaScript Client",
ClientUri = "http://identityserver.io",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
RedirectUris = { "http://localhost:7017/index.html" },
PostLogoutRedirectUris = { "http://localhost:7017/index.html" },
AllowedCorsOrigins = { "http://localhost:7017" },
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"api1", "api2.read_only"
}
};
定义基于服务端web应用程序(例如MVC)来对用户进行身份验证和授权Api访问
服务端(或者 本地桌面/手机)应用程序使用 hybrid flow. 这种方式最安全,因为access tokens 仅使用后台通信,而且允许刷新token
var mvcClient = new Client
{
ClientId = "mvc",
ClientName = "MVC Client",
ClientUri = "http://identityserver.io",
AllowedGrantTypes = GrantTypes.Hybrid,
AllowOfflineAccess = true,
ClientSecrets = { new Secret("secret".Sha256()) },
RedirectUris = { "http://localhost:21402/signin-oidc" },
PostLogoutRedirectUris = { "http://localhost:21402/" },
FrontChannelLogoutUri = "http://localhost:21402/signout-oidc",
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"api1", "api2.read_only"
},
};
在 appsettings.json 中定义 clients
Asp.Net Core 配置文件
"IdentityServer": {
"IssuerUri": "urn:sso.company.com",
"Clients": [
{
"Enabled": true,
"ClientId": "local-dev",
"ClientName": "Local Development",
"ClientSecrets": [ { "Value": "<Insert Sha256 hash of the secret encoded as Base64 string>" } ],
"AllowedGrantTypes": [ "implicit" ],
"AllowedScopes": [ "openid", "profile" ],
"RedirectUris": [ "https://localhost:5001/signin-oidc" ],
"RequireConsent": false
}
]
}
AddInMemoryClients(configuration.GetSection("IdentityServer:Clients"))