
IdentityServer4 multiple projects

Our solution has 3 projects. Let's call them A, B and IdentityServer. Each project can work as a separate service. Projects A and B are ASP.Net MVC projects; IdentityServer is .Net Core (it uses IdentityServer4).

Front-end is connected to project A. Database is connected to project B. Controllers from project A call methods from controllers of project B. And that is working fine.

We added authorization to project A, configured IdentityServer and that's working fine. When the front end calls a method from a project A controller like this:

[Authorize] public Task Methode(...) {}

it works OK. It redirects the user to IdentityServer, asks for login and authorizes him.

But we have to secure project B too. When I add the [Authorize] pragma to a method from project B, it fails when a controller from project A tries to call that method.

[Authorize]
public Task<ActionResult> MethodefromServiceA()
{
    // do something
    // calling method from service B and sending User as ClaimsPrincipal
}


[Authorize]
public Task<ActionResult> MethodefromServiceB()
{
    // it fails here - execution doesn't reach this line (it does when I remove the [Authorize] pragma)
}

We don't know exactly how to configure IdentityServer4 and project B so that when the project B controller gets claims and a token from project A, it should somehow connect with IdentityServer and authorise the token (but not the user, because he is already authorized and we have the token).

In Configuration.cs in IdentityServer we have something like this:

            new Client {
                ClientId = "A",
                ClientName = "A",
                AllowedGrantTypes = GrantTypes.Implicit,
                AllowedScopes = new List<string>
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    IdentityServerConstants.StandardScopes.Email,
                    "role",
                    "customAPI.write",
                    "customAPI.read"
                },
                RedirectUris = new List<string> { "http://localhost:64898" },
                PostLogoutRedirectUris = new List<string> { "http://localhost:64898/home/welcome" }
            },
            new Client {
                ClientId = "B",
                ClientName = "B",
                AllowedGrantTypes = GrantTypes.Implicit,
                AllowedScopes = new List<string>
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    IdentityServerConstants.StandardScopes.Email,
                    "role",
                    "customAPI.write",
                    "customAPI.read"
                },
                RedirectUris = new List<string> { "http://localhost:57028" },
                PostLogoutRedirectUris = new List<string> { "http://localhost:57028" }
            },

and in Startup in project A:

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies"
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "A",
            Authority = "https://localhost:44350/",
            RedirectUri = "http://localhost:64898",
            ResponseType = "id_token",
            Scope = "openid email",

            UseTokenLifetime = false,
            SignInAsAuthenticationType = "Cookies",
            PostLogoutRedirectUri = "http://localhost:64898/home/welcome",
        });

I tried adding something similar to project B, but it doesn't change anything.

I would be glad if I could find some example of how to do multi-project authorization with IdentityServer4. How to authorize the token in each project, etc... Does the [Authorize] pragma solve a situation like this, or does it have to be done in a different way or manually?

Thank you for help. Sorry for my English.

My idea is to add project B as a resource and project A as both a resource and a client to the Identity Server, so that project A can access project B's resources using a separate token generated by the Identity Server. Just a suggestion.

You need to pass an access token with the request you make from Project A to Project B.

using System.Net.Http;
using IdentityModel.Client;   // provides the SetBearerToken() extension

HttpClient client = new HttpClient();
client.SetBearerToken(bearerTokenString);          // adds "Authorization: Bearer <token>"
await client.GetAsync("http://projectB/MethodB");  // SendAsync needs an HttpRequestMessage; GetAsync takes the URL

Both back-ends of Project A & B should have a token validation block to validate the incoming token, as you probably did for Project A.

Now you could re-use the same bearer token to call the next service, but if you want a specific token for that service, you will have to request one from IdentityServer.

You can request a new token from a service with the client credentials flow or a certificate to identify Project A and to request an access token for Project B.
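As an added example (not code from the question or the answers above), here are the three pieces the answer describes wired together: B registered as an API resource, A's back-end registered as a client-credentials client, A requesting a token for B, and B validating it. The client id "A.service", the secret placeholder, the controller path on B and an ASP.NET Core host for B are assumptions, as is the IdentityServer4 3.x API (on 4.x an ApiScope("customAPI") must also be registered).

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;                 // RequestClientCredentialsTokenAsync, SetBearerToken
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

public static class MultiProjectAuth
{
    // --- IdentityServer Configuration.cs: B is an API resource, A's back-end gets a machine client ---
    public static IEnumerable<ApiResource> GetApis() =>
        new[] { new ApiResource("customAPI", "Project B API") };
    public static IEnumerable<Client> GetClients() => new[]
    {
        new Client
        {
            ClientId = "A.service",                           // assumed id for A's back-end
            AllowedGrantTypes = GrantTypes.ClientCredentials, // no user, no browser redirect
            ClientSecrets = { new Secret("REPLACE-WITH-REAL-SECRET".Sha256()) },
            AllowedScopes = { "customAPI" }
        }
    };
    // --- Project A: obtain a token for B from IdentityServer, then call B with it ---
    public static async Task<string> CallProjectBAsync(HttpClient http)
    {
        var token = await http.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
        {
            Address = "https://localhost:44350/connect/token", // IdentityServer URL from the post
            ClientId = "A.service",
            ClientSecret = "REPLACE-WITH-REAL-SECRET",
            Scope = "customAPI"
        });
        if (token.IsError) throw new InvalidOperationException(token.Error);
        http.SetBearerToken(token.AccessToken);                // Authorization: Bearer <jwt>
        var response = await http.GetAsync("http://localhost:57028/Service/MethodefromServiceB");
        response.EnsureSuccessStatusCode();                   // 401 here means B rejected the token
        return await response.Content.ReadAsStringAsync();
    }
    // --- Project B Startup.ConfigureServices (ASP.NET Core host assumed): validate incoming tokens ---
    public static void ConfigureProjectB(IServiceCollection services)
    {
        services.AddAuthentication("Bearer")
            .AddJwtBearer("Bearer", options =>
            {
                options.Authority = "https://localhost:44350/"; // signing keys fetched via discovery
                options.Audience = "customAPI";                 // reject tokens issued for other APIs
            });
    }
}
```

With this in place, [Authorize] on B's controllers validates the bearer token carried by A's request instead of trying to redirect the caller to a login page.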
