
Accessing/Securing Restful service oAuth2

I'm trying to write a Restful service which has more than one endpoint, like the ones below.

Assume each endpoint call is secured by a role.

  1. GetEmployees (Role/Claim = Employee.Readonly or Employee.Edit or Employee.Admin)
  2. AddEmployee (Role/Claim = Employee.Edit or Employee.Admin)
  3. UpdateEmployee (Role/Claim = Employee.Edit or Employee.Admin)
  4. DeleteEmployee (Role/Claim = Employee.Admin)

With Implicit flow, it is pretty straightforward: just check the roles claim and we are done.
My confusion is for the client credentials flow: how to map scopes to roles here?

Let's assume that you have the following situation for the Client Credentials approach:

// Requires the IdentityModel.Client package (TokenClient, SetBearerToken).
// Ask the token endpoint for a client credentials token for the "my.api" scope.
var tokenClient = new TokenClient(
            BaseAddress + "/connect/token",
            "clientId",
            "clientSecret");

var tokenResult = tokenClient.RequestClientCredentialsAsync(scope: "my.api").Result;

var accessToken = tokenResult.AccessToken;

// Call the protected API with the token as a Bearer credential.
var httpClient = new HttpClient();
httpClient.SetBearerToken(accessToken);
var data = httpClient.GetStringAsync("https://protectedapiaddress/api/data/getdata").Result;

Where BaseAddress is your IDS address.

Of course you will have to register your client in the IDS clients list with the appropriate flow (Client Credentials), and the scope is just optional, but I guess you will need one.

Then on the API side you can use the new Policy-based authorization.

API method:

[HttpGet]
[Authorize(Policy = "AdminUser")]
[Route("getdata")]
public Data GetData()
{
  // some code here
}

And the Authorization Requirement:

// The requirement is also its own handler, so no separate DI registration is needed.
public class AdminUserRequirement : AuthorizationHandler<AdminUserRequirement>, IAuthorizationRequirement
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, AdminUserRequirement requirement)
    {
        // Your rule goes here; e.g. require the scope granted to the client (see the claims below).
        if (!context.User.HasClaim("scope", "my.api"))
        {
            context.Fail();
        }
        else
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

In the claims you will have

    {
       "scope" : "my.api",
       "clientId" : "clientId"
    }

and more. And then you can apply the rules.

EDIT: Forgot to mention - you have to register the policies in your Startup.cs

public void ConfigureServices(IServiceCollection services)
{
    services
        .AddMvcCore()
        .AddAuthorization(options =>
        {
            options.AddPolicy("AdminUser",
                policy => policy.Requirements.Add(new AdminUserRequirement()));
        });

    // More code here
}
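The following is an added example, not code from the original question or answer, that carries the answer's policy approach through to the question's four endpoints. A single requirement type accepts either a role claim (a user token from the implicit flow) or a scope claim (a client credentials token), so each endpoint needs one policy that works for both flows. The scope names (employee.read, employee.write, employee.admin), the policy names and the controller routes are assumptions for the example; only the role names come from the question.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// One requirement per endpoint: the roles a user token may carry and the
// scopes a client credentials token may carry. Either is sufficient.
public class EmployeeAccessRequirement : IAuthorizationRequirement
{
    public IReadOnlyCollection<string> AllowedRoles { get; }
    public IReadOnlyCollection<string> AllowedScopes { get; }

    public EmployeeAccessRequirement(string[] roles, string[] scopes)
    {
        AllowedRoles = roles;
        AllowedScopes = scopes;
    }
}

public class EmployeeAccessHandler : AuthorizationHandler<EmployeeAccessRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, EmployeeAccessRequirement requirement)
    {
        // Role check (implicit flow). Accept both the short "role" claim type used by
        // many token servers and the long URI type ASP.NET Core maps it to.
        var roles = context.User.Claims
            .Where(c => c.Type == "role" || c.Type == ClaimTypes.Role)
            .Select(c => c.Value);
        bool hasRole = roles.Any(requirement.AllowedRoles.Contains);

        // Scope check (client credentials). The "scope" claim may be issued once per
        // scope or as a single space-separated string; normalise both shapes.
        var scopes = context.User.FindAll("scope")
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .ToHashSet(StringComparer.Ordinal);
        bool hasScope = requirement.AllowedScopes.Any(scopes.Contains);

        if (hasRole || hasScope)
        {
            context.Succeed(requirement);
        }
        // No Fail() here: the policy still fails if nothing succeeds, and other
        // handlers keep the chance to contribute.
        return Task.CompletedTask;
    }
}

public static class EmployeePolicies
{
    // Assumed scope names: employee.read, employee.write, employee.admin.
    public static void AddEmployeePolicies(this AuthorizationOptions options)
    {
        options.AddPolicy("Employee.Read", p => p.Requirements.Add(new EmployeeAccessRequirement(
            roles: new[] { "Employee.Readonly", "Employee.Edit", "Employee.Admin" },
            scopes: new[] { "employee.read", "employee.write", "employee.admin" })));
        options.AddPolicy("Employee.Edit", p => p.Requirements.Add(new EmployeeAccessRequirement(
            roles: new[] { "Employee.Edit", "Employee.Admin" },
            scopes: new[] { "employee.write", "employee.admin" })));
        options.AddPolicy("Employee.Admin", p => p.Requirements.Add(new EmployeeAccessRequirement(
            roles: new[] { "Employee.Admin" },
            scopes: new[] { "employee.admin" })));
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvcCore().AddAuthorization(options => options.AddEmployeePolicies());
        // Unlike the self-handling requirement in the answer, a separate handler
        // must be registered so the authorization service can resolve it.
        services.AddSingleton<IAuthorizationHandler, EmployeeAccessHandler>();
    }
}

[Route("api/employees")]
public class EmployeesController : ControllerBase
{
    [HttpGet] [Authorize(Policy = "Employee.Read")]
    public IActionResult GetEmployees() => Ok();

    [HttpPost] [Authorize(Policy = "Employee.Edit")]
    public IActionResult AddEmployee() => Ok();

    [HttpPut("{id}")] [Authorize(Policy = "Employee.Edit")]
    public IActionResult UpdateEmployee(int id) => Ok();

    [HttpDelete("{id}")] [Authorize(Policy = "Employee.Admin")]
    public IActionResult DeleteEmployee(int id) => Ok();
}
```

The scope-to-role mapping lives in one place (the policy registrations), so tightening access means editing the allowed role or scope arrays rather than touching controllers. A token that carries neither a matching role nor a matching scope gets 403 from the authorization middleware, which is also where to add logging if you want to detect clients that call endpoints beyond their granted scope.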
