ASP.NET WebAPI 集成 Swagger 启用 OAuth 2.0 配置问题
在 ASP.NET WebAPI 集成 Swagger 后,由于接口使用了 IdentityServer 做的认证,调试起来很不方便;看了下 Swashbuckle 的文档 ,是支持 OAuth2.0 的配置的,使用的简化模式(Implicit grant type),交互的流程如下:
Implicit Grant Type (简化模式)
参数:
- response_type:表示授权类型,此处的值固定为"token",必选项。
- client_id:表示客户端的ID,必选项。
- redirect_uri:表示重定向的URI,可选项。
- scope:表示权限范围,可选项。
- state:表示客户端的当前状态,可以指定任意值,认证服务器会原封不动地返回这个值。
GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1 Host: server.example.com
认证服务器回应客户端的URI,包含以下参数:
- access_token:表示访问令牌,必选项。
- token_type:表示令牌类型,该值大小写不敏感,必选项。
- expires_in:表示过期时间,单位为秒。如果省略该参数,必须其他方式设置过期时间。
- scope:表示权限范围,如果与客户端申请的范围一致,此项可省略。
- state:如果客户端的请求中包含这个参数,认证服务器的回应也必须一模一样包含这个参数。
HTTP/1.1 302 Found
Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA
&state=xyz&token_type=example&expires_in=3600
Swagger 启用 OAuth 2.0 配置
Idrv 中配置客户端(Client)
new Client { ClientName = "Test_API_Flow", ClientId = "api_test_api_flow", Flow = Flows.Implicit, ClientUri = "https://identityserver.io", RequireConsent = true, AllowRememberConsent = true, RedirectUris = new List<string> { "http://localhost:39106/swagger/ui/o2c-html", }, AllowedCorsOrigins = new List<string> { "http://localhost:39106" }, AccessTokenLifetime = 3600, AccessTokenType = AccessTokenType.Jwt, AllowAccessToAllScopes=true },
API:
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions { Authority = IdsvSetting.Authority, ValidationMode = ValidationMode.ValidationEndpoint, RequiredScopes=new List<string> {"all","user","order"}} });
/// <summary> /// 早餐控制器 /// </summary> [RoutePrefix("api/v1/breakfast")] public class BreakfastController : ApiController { private static readonly Logger logger = LogManager.GetCurrentClassLogger(); /// <summary> /// 早餐服务 /// </summary> private readonly IBreakfastService _breakfastService; /// <summary> /// 构造方法 /// </summary> /// <param name="breakfastService">早餐服务</param> public BreakfastController(IBreakfastService breakfastService) { _breakfastService = breakfastService; } #region 获得酒店关联的餐厅的酒店 /// <summary> /// 获得酒店关联的餐厅的酒店 /// </summary> /// <param name="hotelcd">酒店编号</param> /// <returns>获得酒店关联的餐厅的酒店</returns> [Authorize] [HttpGet] [Route("{hotelcd}/mapping")] public async Task<IHttpActionResult> GetXhotelBreakfastHotelMappingRequest(string hotelcd) { var response = await _breakfastService.GetXhotelBreakfastHotelMappingRequest(hotelcd); return Json(response); } #endregion } }
配置 SwaggerConfig
//https://tsso.xxx.cn/connect/authorize?response_type=token&redirect_uri=http%3A%2F%2Flocalhost%3A39106%2Fswagger%2Fui%2Fo2c-html&realm=test-realm&client_id=api_test_api_flow&scope=all%20%20&state=oauth2 c.OAuth2("oauth2") .Description("OAuth2 Implicit Grant") .Flow("implicit") .AuthorizationUrl("https://tsso.xxx.cn/connect/authorize") //.TokenUrl("https://sso.xxx.cn/connect/token") .Scopes(scopes => { scopes.Add("all", "all access to protected resources"); scopes.Add("user", "user access to protected resources"); scopes.Add("order", "order access to protected resources"); }); ...
c.OperationFilter<AssignOAuth2SecurityRequirements>(); c.EnableOAuth2Support( clientId: "api_test_api_flow", clientSecret: null, realm: "test-realm", appName: "Swagger UI" //additionalQueryStringParams: new Dictionary<string, string>() { { "foo", "bar" } } );
public class AssignOAuth2SecurityRequirements : IOperationFilter { public void Apply(Operation operation, SchemaRegistry schemaRegistry, ApiDescription apiDescription) { var actFilters = apiDescription.ActionDescriptor.GetFilterPipeline(); var allowsAnonymous = actFilters.Select(f => f.Instance).OfType<OverrideAuthorizationAttribute>().Any(); if (allowsAnonymous) return; // must be an anonymous method //var scopes = apiDescription.ActionDescriptor.GetFilterPipeline() // .Select(filterInfo => filterInfo.Instance) // .OfType<AllowAnonymousAttribute>() // .SelectMany(attr => attr.Roles.Split(',')) // .Distinct(); if (operation.security == null) operation.security = new List<IDictionary<string, IEnumerable<string>>>(); var oAuthRequirements = new Dictionary<string, IEnumerable<string>> { {"oauth2", new List<string> {"all","user","order"}} }; operation.security.Add(oAuthRequirements); } }
OK ,配置完成,点击红色的圈圈,登录成功会302到 http://localhost:39106/swagger/ui/o2c-htm 上
当然也可以退出授权:
REFER:
https://www.scottbrady91.com/Identity-Server/ASPNET-Core-Swagger-UI-Authorization-using-IdentityServer4
https://stackoverflow.com/questions/33752900/enable-oauth2-client-credentials-flow-in-swashbuckle
https://stackoverflow.com/questions/29275499/swagger-swashbuckle-oauth2-with-resource-owner-password-credentials-grant?rq=1
http://knowyourtoolset.com/2015/08/secure-web-apis-with-swagger-swashbuckle-and-oauth2-part-2/
