Use Bearer Token Authentication for API and OpenId authentication for MVC on the same application project

I am trying to use both OpenId and Bearer token authentication on my application through Identity Server.

The problem currently is that once I have authenticated the user, I still need to get a bearer token to be able to call any action methods for my Asp.Net MVC application.

Here is my startup file for the application.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using System.Web.Helpers;
using System.Web.Http;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
using Thinktecture.IdentityModel.Client;
using Thinktecture.IdentityModel.Owin.ResourceAuthorization;
using Thinktecture.IdentityServer.AccessTokenValidation;
using Thinktecture.IdentityServer.Core;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        AntiForgeryConfig.UniqueClaimTypeIdentifier = Constants.ClaimTypes.Subject;
        JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies"
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://localhost:44301/identity",
            ClientId = "baseballStats",
            Scope = "openid profile roles baseballStatsApi",
            RedirectUri = "https://localhost:44300/",
            ResponseType = "id_token token",
            SignInAsAuthenticationType = "Cookies",
            UseTokenLifetime = false,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = async n =>
                {
                    // call the userinfo endpoint with the access token from the response
                    var userInfoClient = new UserInfoClient(
                        new Uri(n.Options.Authority + "/connect/userinfo"),
                        n.ProtocolMessage.AccessToken);

                    var userInfo = await userInfoClient.GetAsync();

                    // create new identity and set name and role claim type
                    var nid = new ClaimsIdentity(
                        n.AuthenticationTicket.Identity.AuthenticationType,
                        Constants.ClaimTypes.GivenName,
                        Constants.ClaimTypes.Role);

                    userInfo.Claims.ToList().ForEach(c => nid.AddClaim(new Claim(c.Item1, c.Item2)));

                    // keep the id_token for logout
                    nid.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));

                    // add access token for sample API
                    nid.AddClaim(new Claim("access_token", n.ProtocolMessage.AccessToken));

                    // keep track of access token expiration
                    nid.AddClaim(new Claim("expires_at", DateTimeOffset.Now.AddSeconds(int.Parse(n.ProtocolMessage.ExpiresIn)).ToString()));

                    // add some other app specific claim
                    nid.AddClaim(new Claim("app_specific", "some data"));

                    // replace the ticket's identity with the enriched one
                    n.AuthenticationTicket = new AuthenticationTicket(
                        nid,
                        n.AuthenticationTicket.Properties);
                }
            }
        });

        app.UseResourceAuthorization(new AuthorizationManager());

        // registered on the root pipeline, so it runs for every request, MVC pages included
        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = "https://localhost:44301/identity",
            RequiredScopes = new[] { "baseballStatsApi" }
        });

        // the pasted snippet stopped at the HttpConfiguration; the usual route mapping
        // and UseWebApi call complete it
        var config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();
        app.UseWebApi(config);
    }
}
```

I would like to restrict bearer token authentication to my API URLs only, and use OpenID auth for everything else. Is there a way to do that?

Ok, I found some information in the following post:

https://github.com/IdentityServer/IdentityServer3/issues/487

The GitHub repo that implements the concepts discussed in the link can be found here:

https://github.com/B3nCr/IdentityServer-Sample/blob/master/B3nCr.Communication/Startup.cs

Basically you need to map the API URL to a different configuration using app.Map(). In my case, I changed my startup file to look like this.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using System.Web.Helpers;
using System.Web.Http;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
using Thinktecture.IdentityModel.Client;
using Thinktecture.IdentityModel.Owin.ResourceAuthorization;
using Thinktecture.IdentityServer.AccessTokenValidation;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        AntiForgeryConfig.UniqueClaimTypeIdentifier = Thinktecture.IdentityServer.Core.Constants.ClaimTypes.Subject;
        JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies"
        });

        var openIdConfig = new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://localhost:44301/identity",
            ClientId = "baseballStats",
            Scope = "openid profile roles baseballStatsApi",
            RedirectUri = "https://localhost:44300/",
            ResponseType = "id_token token",
            SignInAsAuthenticationType = "Cookies",
            UseTokenLifetime = false,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = async n =>
                {
                    // call the userinfo endpoint with the access token from the response
                    var userInfoClient = new UserInfoClient(
                        new Uri(n.Options.Authority + "/connect/userinfo"),
                        n.ProtocolMessage.AccessToken);

                    var userInfo = await userInfoClient.GetAsync();

                    // create new identity and set name and role claim type
                    var nid = new ClaimsIdentity(
                        n.AuthenticationTicket.Identity.AuthenticationType,
                        Thinktecture.IdentityServer.Core.Constants.ClaimTypes.GivenName,
                        Thinktecture.IdentityServer.Core.Constants.ClaimTypes.Role);

                    userInfo.Claims.ToList().ForEach(c => nid.AddClaim(new Claim(c.Item1, c.Item2)));

                    // keep the id_token for logout
                    nid.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));

                    // add access token for sample API
                    nid.AddClaim(new Claim("access_token", n.ProtocolMessage.AccessToken));

                    // keep track of access token expiration
                    nid.AddClaim(new Claim("expires_at", DateTimeOffset.Now.AddSeconds(int.Parse(n.ProtocolMessage.ExpiresIn)).ToString()));

                    // add some other app specific claim
                    nid.AddClaim(new Claim("app_specific", "some data"));

                    // replace the ticket's identity with the enriched one
                    n.AuthenticationTicket = new AuthenticationTicket(
                        nid,
                        n.AuthenticationTicket.Properties);

                    // set the bearer header on the current request (the pasted version had a
                    // stray trailing space in the header name and split the value in two)
                    n.Request.Headers.Set("Authorization", "Bearer " + n.ProtocolMessage.AccessToken);
                }
            }
        };
        app.UseOpenIdConnectAuthentication(openIdConfig);

        app.UseResourceAuthorization(new AuthorizationManager());

        // only requests under /api enter this branch, so bearer token validation
        // never runs for the MVC pages, which keep using the cookie
        app.Map("/api", inner =>
        {
            var bearerTokenOptions = new IdentityServerBearerTokenAuthenticationOptions
            {
                Authority = "https://localhost:44301/identity",
                RequiredScopes = new[] { "baseballStatsApi" }
            };
            inner.UseIdentityServerBearerTokenAuthentication(bearerTokenOptions);

            // the pasted snippet stopped at the HttpConfiguration; the usual route mapping
            // and UseWebApi call on the branch complete it
            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();
            inner.UseWebApi(config);
        });
    }
}
```

That solved my problem. I can now access the MVC pages with cookie based authentication, and call the API with bearer token authentication.
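As an added illustration (not code from the question, the answer or the linked sample), here is how an MVC controller in the same project would consume the access_token and expires_at claims stored by the SecurityTokenValidated handler to call the cookie-free /api branch. StatsController and the api/teams route are assumed names.

```csharp
using System;
using System.Globalization;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Mvc;

// Hypothetical controller; "api/teams" is an assumed Web API route under the mapped /api branch.
public class StatsController : Controller
{
    private static readonly HttpClient ApiClient = new HttpClient
    {
        BaseAddress = new Uri("https://localhost:44300/")
    };

    [Authorize] // satisfied by the "Cookies" identity, never by a bearer token
    public async Task<ActionResult> Index()
    {
        var identity = (ClaimsIdentity)User.Identity;
        var token = identity.FindFirst("access_token");
        var expiresAt = identity.FindFirst("expires_at");

        // Both claims were written by SecurityTokenValidated. A missing or expired token
        // means re-authenticating via OpenID Connect (a 401 here makes the active OIDC
        // middleware issue a new challenge) instead of forwarding a stale token.
        if (token == null || expiresAt == null ||
            DateTimeOffset.Parse(expiresAt.Value, CultureInfo.CurrentCulture) <= DateTimeOffset.Now)
        {
            return new HttpUnauthorizedResult();
        }

        var request = new HttpRequestMessage(HttpMethod.Get, "api/teams");
        // Only this header counts on the /api branch; the MVC cookie is not consulted there.
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Value);

        using (var response = await ApiClient.SendAsync(request))
        {
            if (response.StatusCode == HttpStatusCode.Unauthorized)
            {
                // rejected by the API (e.g. token revoked): force a fresh sign-in
                return new HttpUnauthorizedResult();
            }
            response.EnsureSuccessStatusCode();
            ViewBag.Teams = await response.Content.ReadAsStringAsync();
            return View();
        }
    }
}
```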
