IdentityServer4专题之七:Authorization Code认证模式

(1)identityserver4授权服务器端

public static class Config

    {

       public static IEnumerable<IdentityResource> GetIdentityResources()

        {

            return new IdentityResource[]

            {

                new IdentityResources.OpenId(),

                new IdentityResources.Profile(),

                new IdentityResources.Email(),

                new IdentityResources.Phone(),

                new IdentityResources.Address(),

            };

        }

        public static IEnumerable<ApiResource> GetApis()

        {

            return new ApiResource[]

            {

                new ApiResource("api1", "My API #1")

            };

        }

        public static IEnumerable<Client> GetClients()

        {

            return new[]

            {              

                new Client

                {

                    ClientId="mvc client",

                    ClientName="ASP.NET Core MVC Client",

                    AllowedGrantTypes=GrantTypes.CodeAndClientCredentials,

                    ClientSecrets={new Secret( "mvc secret".Sha256())},

                    RedirectUris={"http://localhost:5002/signin-oidc"},

                    FrontChannelLogoutUri="http://localhost:5002/signout-oidc",

                    PostLogoutRedirectUris={"http://localhost:5002/signout-callback-oidc"},

                    AlwaysIncludeUserClaimsInIdToken=true,//将用户所有的claims包含在IdToken内

                    AllowOfflineAccess=true,//offline_access,其实指的是能否用refreshtoken重新申请令牌

                    AllowedScopes =

                    {

                        "api1",

                        IdentityServerConstants.StandardScopes.OpenId,

                        IdentityServerConstants.StandardScopes.Profile,

                        IdentityServerConstants.StandardScopes.Address,

                        IdentityServerConstants.StandardScopes.Phone,

                        IdentityServerConstants.StandardScopes.Email

                    }

                }             

            };

        }

   }

 

(2)客户端,还是需要安装IdentityModel库,

startup.csConfigurServices一节,需要做如下添加

//关闭默认映射,否则它可能修改从授权服务返回的各种claim属性

JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();    

//添加认证服务,并设置其有关选项

       services.AddAuthentication(options =>

            {

//客户端应用设置使用"Cookies"进行认证

                options.DefaultScheme =CookieAuthenticationDefaults.AuthenticationScheme ;   

//identityserver4设置使用"oidc"进行认证

             options.DefaultChallengeScheme =OpenIdConnectDefaults.AuthenticationScheme ;

            }).AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)

//对使用的OpenIdConnect进行设置,此设置与Identityserver的config.cs中相应client配置一致才可能登录授权成功

            .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options=> {

                options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;

                options.Authority = "http://localhost:5000";

                options.RequireHttpsMetadata = false;

                options.ClientId = "mvc client";

                options.ClientSecret = "mvc secret";

                options.SaveTokens = true;

                options.ResponseType = "code";

 

                options.Scope.Clear();

                options.Scope.Add("api1");

                options.Scope.Add(OidcConstants.StandardScopes.OpenId);//"openid"

                options.Scope.Add(OidcConstants.StandardScopes.Profile);//"profile"

                options.Scope.Add(OidcConstants.StandardScopes.Address);

                options.Scope.Add(OidcConstants.StandardScopes.Email);

                options.Scope.Add(OidcConstants.StandardScopes.Phone);

// 与identity server的AllowOfflineAccess=true,对应。offline_access,指的是能否用refreshtoken重新申请令牌

                options.Scope.Add(OidcConstants.StandardScopes.OfflineAccess);               

            });

Confiure一节,app.UseMvc之前添加如下内容:

app.UseAuthentication();

然后,在controller中使用时,按如下方式:    通常需如下引用

using System;

using System.Collections.Generic;

using System.Diagnostics;

using System.Linq;

using System.Net.Http;

using System.Threading.Tasks;

using IdentityModel.Client;

using Microsoft.AspNetCore.Authentication;

using Microsoft.AspNetCore.Authentication.Cookies;

using Microsoft.AspNetCore.Authentication.OpenIdConnect;

using Microsoft.AspNetCore.Authorization;

using Microsoft.AspNetCore.Mvc;

using Microsoft.IdentityModel.Protocols.OpenIdConnect;

using MvcClient.Models;

 

//获取AccessToken、IdToken、RefreshToken时:

[Authorize]

        public async Task<IActionResult> Privacy()

        {

            var accessToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.AccessToken);

            var idToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.IdToken);

            var refreshToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.RefreshToken);

            var authorizationCode = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.Code);

            ViewData["idToken"] = idToken;

            ViewData["refreshToken"] = refreshToken;

            ViewData["accessToken"] = accessToken; 

            return View();

        }

 

//访问Api资源时

public async Task<IActionResult> AccessApi()

        {

            var client = new HttpClient();

            var disco = await client.GetDiscoveryDocumentAsync("http://localhost:5000");

            ViewData["disco"] = disco.Error;

            if (disco.IsError)

            {

                ViewData["disco"] = disco.Error;

                return View();

            }

            var accessToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.AccessToken);

            client.SetBearerToken(accessToken);

            var response = await client.GetAsync("http://localhost:5001/api/values");

            if (!response.IsSuccessStatusCode)

            {

                ViewData["response_error"] = response.StatusCode;

                return View();

            }

            ViewData["response-content"] = await response.Content.ReadAsStringAsync();

            return View();

        }

 

 

       从客户端及identityserver4登出时:

        public async Task<IActionResult> Logout()

        {

            await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);

            await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);

            return View();

        }

如果登出需要跳转回到客户端应用网站,则需在将IdentityServer4的命名空间IdentityServer4.Quickstart.UI下的AccountOptions类中

public static bool AutomaticRedirectAfterSignOut = true; 

这样,从identityserver登出后,将自动跳转到客户应用页面。

 

posted @ 2019-05-15 12:43  Hellozhu  阅读(1451)  评论(0编辑  收藏  举报