identity 使用 reference tokens
1 在identity server上设置 client token 类型为 reference
2 配置 受保护的api 项目授权代码
修改 Startup.cs 代码如下:
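using System;
using IdentityModel.AspNetCore.OAuth2Introspection;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.OpenApi.Models;

namespace Resources_Https
{
    /// <summary>
    /// ASP.NET Core startup for the protected API. Accepts both JWT access tokens
    /// (validated locally) and reference tokens (validated via the identity server's
    /// introspection endpoint).
    /// </summary>
    public class Startup
    {
        // Scheme names of the two token handlers registered in ConfigureServices.
        private const string JwtScheme = "Bearer";
        private const string IntrospectionScheme = "Introspection";

        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        /// <summary>
        /// Called by the runtime to register services: authentication (JWT + introspection),
        /// scope-based authorization policies, controllers and Swagger.
        /// </summary>
        /// <param name="services">The application's service collection.</param>
        public void ConfigureServices(IServiceCollection services)
        {
            // NuGet: Microsoft.AspNetCore.Authentication.JwtBearer
            // A single AddAuthentication call with "Bearer" as the default scheme; both handlers
            // are chained off it. Calling AddAuthentication a second time would overwrite the
            // default scheme and route every request past the JWT handler.
            services.AddAuthentication(JwtScheme)
                // JWT access tokens: validated locally against the identity server's discovery document.
                .AddJwtBearer(JwtScheme, options =>
                {
                    options.Authority = Config.IdentityServerUri;
                    // Discovery/metadata must be fetched over https.
                    options.RequireHttpsMetadata = true;
                    options.Audience = Config.ApiName;
                    // NOTE(review): if the identity server issues typed access tokens, also set
                    // options.TokenValidationParameters.ValidTypes = new[] { "at+jwt" } so an id_token
                    // cannot be presented as an access token — confirm against the server configuration.
                    // Reference tokens (no '.' in the token) are forwarded to the introspection handler;
                    // JWTs (dot-separated segments) stay here. An unconditional selector would make
                    // the JWT validation above dead code.
                    options.ForwardDefaultSelector = SelectSchemeForToken;
                })
                // Reference tokens: validated by the identity server's introspection endpoint.
                .AddOAuth2Introspection(IntrospectionScheme, options =>
                {
                    options.Authority = Config.IdentityServerUri;
                    // These map to the API resource name and secret configured on the identity server.
                    options.ClientId = Config.ApiName;
                    options.ClientSecret = Config.ApiSecret;
                });

            // Policy-based authorization: each policy requires the matching scope claim.
            services.AddAuthorization(options =>
            {
                // A client's AllowedScopes must include client_credentials_apis.WeatherForecastController.scope.
                options.AddPolicy("WeatherForecastController", policy =>
                    policy.RequireScope("client_credentials_apis.WeatherForecastController.scope"));
                options.AddPolicy("IdentityUserController", policy =>
                    policy.RequireScope("client_credentials_apis.IdentityUserController.scope"));
            });

            services.AddControllers();
            services.AddSwaggerGen(c =>
            {
                c.SwaggerDoc("v1", new OpenApiInfo { Title = "Resources_Https", Version = "v1" });
            });
        }

        /// <summary>
        /// Chooses the authentication scheme for the request's bearer token.
        /// </summary>
        /// <param name="context">The current HTTP context.</param>
        /// <returns>
        /// "Introspection" when the Authorization header carries a bearer token with no '.'
        /// (a reference token); otherwise <c>null</c>, which leaves the request with the JWT
        /// handler — including the no-token case, so the JWT handler still issues the challenge.
        /// </returns>
        private static string SelectSchemeForToken(HttpContext context)
        {
            const string bearerPrefix = "Bearer ";
            string authorization = context.Request.Headers["Authorization"];
            if (string.IsNullOrEmpty(authorization)
                || !authorization.StartsWith(bearerPrefix, StringComparison.OrdinalIgnoreCase))
            {
                return null;
            }

            string token = authorization.Substring(bearerPrefix.Length).Trim();
            // A JWT has dot-separated segments; a reference token is an opaque string without any.
            return token.Contains('.') ? null : IntrospectionScheme;
        }

        /// <summary>
        /// Called by the runtime to build the HTTP request pipeline.
        /// </summary>
        /// <param name="app">The application builder.</param>
        /// <param name="env">The hosting environment (Swagger and the developer page are Development-only).</param>
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
                // Swagger UI is only exposed in Development.
                app.UseSwagger();
                app.UseSwaggerUI(c => c.SwaggerEndpoint("/swagger/v1/swagger.json", "Resources_Https v1"));
            }

            app.UseHttpsRedirection();
            app.UseRouting();
            // Authentication must run before authorization so policies see the validated principal.
            app.UseAuthentication();
            app.UseAuthorization();
            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllers();
            });
        }
    }
}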
Config如下
/// <summary>
/// Static settings for the protected API: the identity server address and the
/// credentials this API uses to introspect reference tokens.
/// </summary>
public class Config
{
    /// <summary>
    /// Base address of the identity server.
    /// </summary>
    public const string IdentityServerUri = "https://localhost:44310";

    /// <summary>
    /// Client id for reference-token introspection; matches the ApiResource name
    /// configured on the identity server.
    /// </summary>
    public const string ApiName = "client_credentials_apis";

    /// <summary>
    /// Client secret for reference-token introspection; matches the ApiResource secret
    /// configured on the identity server.
    /// NOTE(review): a literal secret compiled into the assembly is readable by anyone
    /// holding the binary — outside the tutorial, load it from configuration or a secret store.
    /// </summary>
    public const string ApiSecret = "123456";
}
3 在 identity server 上配置 apisecret
配置 apiresource "client_credentials_apis" 的 api 密钥为 "123456"
4 客户端获取token,并用token请求资源