Core篇——初探IdentityServer4(OpenID Connect客户端验证)
目录
1、Oauth2协议授权码模式介绍
2、IdentityServer4的OpenID Connect客户端验证简单实现
Oauth2协议授权码模式介绍
- 授权码模式是Oauth2协议中最严格的认证模式,它的组成以及运行流程是这样
1、用户访问客户端,客户端将用户导向认证服务器
2、用户在认证服务器输入用户名密码选择授权,认证服务器认证成功后,跳转至一个指定好的"跳转Url",同时携带一个认证码。
3、用户携带认证码请求指定好的"跳转Url"再次请求认证服务器(这一步后台完成,对用户不可见),此时,由认证服务器返回一个Token
4、客户端携带token请求用户资源
- OpenId Connect运行流程为
1、用户访问客户端,客户端将用户导向认证服务器
2、用户在认证服务器输入用户名密码认证授权
3、认证服务器返回token和资源信息
IdentityServer4的OpenID Connect客户端验证简单实现
Server部分
- 添加一个Mvc项目,配置Config.cs文件
-
Config
1 public class Config 2 { 3 //定义要保护的资源(webapi) 4 public static IEnumerable<ApiResource> GetApiResources() 5 { 6 return new List<ApiResource> 7 { 8 new ApiResource("api1", "My API") 9 }; 10 } 11 //定义可以访问该API的客户端 12 public static IEnumerable<Client> GetClients() 13 { 14 return new List<Client> 15 { 16 new Client 17 { 18 ClientId = "mvc", 19 // no interactive user, use the clientid/secret for authentication 20 AllowedGrantTypes = GrantTypes.Implicit, //简化模式 21 // secret for authentication 22 ClientSecrets = 23 { 24 new Secret("secret".Sha256()) 25 }, 26 RequireConsent =true, //用户选择同意认证授权 27 RedirectUris={ "http://localhost:5001/signin-oidc" }, //指定允许的URI返回令牌或授权码(我们的客户端地址) 28 PostLogoutRedirectUris={ "http://localhost:5001/signout-callback-oidc" },//注销后重定向地址 参考https://identityserver4.readthedocs.io/en/release/reference/client.html 29 LogoUri="https://ss1.bdstatic.com/70cFuXSh_Q1YnxGkpoWK1HF6hhy/it/u=3298365745,618961144&fm=27&gp=0.jpg", 30 // scopes that client has access to 31 AllowedScopes = { //客户端允许访问个人信息资源的范围 32 IdentityServerConstants.StandardScopes.Profile, 33 IdentityServerConstants.StandardScopes.OpenId, 34 IdentityServerConstants.StandardScopes.Email, 35 IdentityServerConstants.StandardScopes.Address, 36 IdentityServerConstants.StandardScopes.Phone 37 } 38 } 39 }; 40 } 41 public static List<TestUser> GeTestUsers() 42 { 43 return new List<TestUser> 44 { 45 new TestUser 46 { 47 SubjectId = "1", 48 Username = "alice", 49 Password = "password" 50 }, 51 new TestUser 52 { 53 SubjectId = "2", 54 Username = "bob", 55 Password = "password" 56 } 57 }; 58 } 59 //openid connect 60 public static IEnumerable<IdentityResource> GetIdentityResources() 61 { 62 return new List<IdentityResource> 63 { 64 new IdentityResources.OpenId(), 65 new IdentityResources.Profile(), 66 new IdentityResources.Email() 67 }; 68 } 69 }
- 添加几个ViewModel 用来接收解析跳转URL后的参数
-
ViewModel
1 public class InputConsentViewModel 2 { 3 public string Button { get; set; } 4 public IEnumerable<string> ScopesConsented { get; set; } 5 6 public bool RemeberConsent { get; set; } 7 public string ReturnUrl { get; set; } 8 } 9 //解析跳转url后得到的应用权限等信息 10 public class ConsentViewModel:InputConsentViewModel 11 { 12 public string ClientId { get; set; } 13 public string ClientName { get; set; } 14 public string ClientUrl { get; set; } 15 public string ClientLogoUrl { get; set; } 16 public IEnumerable<ScopeViewModel> IdentityScopes { get; set; } 17 public IEnumerable<ScopeViewModel> ResourceScopes { get; set; } 18 } 19 //接收Scope 20 public class ScopeViewModel 21 { 22 public string Name { get; set; } 23 public string DisplayName { get; set; } 24 public string Description { get; set; } 25 public bool Emphasize { get; set; } 26 public bool Required { get; set; } 27 public bool Checked { get; set; } 28 } 29 public class ProcessConsentResult 30 { 31 public string RedirectUrl { get; set; } 32 public bool IsRedirectUrl => RedirectUrl != null; 33 public string ValidationError { get; set; } 34 public ConsentViewModel ViewModel { get; set; } 35 }