Implementing own auth/identity service
So I've been reading up a lot about authorisation and authentication, and now I'm confused, as I'm not sure what would be the best and appropriate tools to use.
Let me give you a little bit of background.
I'm trying to create a multi-tenant application which would consist of 3 services; these are:
The problems I'm experiencing with creating an identity service are:
I've thought about using Identity Server 4, but I don't like the idea of not being able to customize your own routes for endpoints. At least creating my own service would allow me such customization, should I require changing the logic in the future.
So far, I've created the ability to request an access token with the code below:
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

[HttpPost]
public async Task<IActionResult> Token([FromHeader(Name = "client_id")] string tenantId, [FromBody] LoginRequest request)
{
    var applicationUser = await _userManager.GetUserAsync(tenantId, request.email);
    if (applicationUser == null)
        return Unauthorized();

    var result = await _signInManager.PasswordSignInAsync(applicationUser, request.password, true, false);
    // The sign-in result was never checked in the draft; a token must only be issued on success.
    if (!result.Succeeded)
        return Unauthorized();

    var claimsIdentity = new ClaimsIdentity(new Claim[]
    {
        new Claim("userId", applicationUser.Id),
        new Claim("tenantId", tenantId),
        new Claim("email", request.email)
    });
    // Add claims of the user from the data source
    claimsIdentity.AddClaims(await _userManager.GetClaimsAsync(applicationUser));

    // Hard-coded signing key kept from the draft; a real service loads it from configuration or a secret store.
    var key = Encoding.ASCII.GetBytes("3ce1637ed40041cd94d4853d3e766c4d");
    var expires = DateTime.UtcNow.AddMinutes(1);
    var token = new JwtSecurityToken(
        claims: claimsIdentity.Claims,
        expires: expires,
        signingCredentials: new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
    );
    var jwtToken = new JwtSecurityTokenHandler().WriteToken(token);
    // Return the serialized token string (the draft passed the JwtSecurityToken object itself)
    // and an ExpiresIn that matches the one-minute lifetime set above.
    return Ok(new LoginResponse { AccessToken = new AccessToken { Token = jwtToken, ExpiresIn = 60 } });
}
Again, because I'm new to authorisation and authentication, I'm not sure whether my request token call should demand a grant_type.
I'm not sure whether the tenantId provided from the request header should be a client_secret.
And I'm not sure what sort of information should be encrypted into a refresh_token before being given to the user and stored against the user.
Honestly, any advice would be helpful right now, as I've been stuck for days. If you have any suggestions on what should be done or what tools to use, then please let me know.
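As an added illustration (not code from the question, nor from Identity Server 4), here is the same token flow written out in plain Python so the moving parts are visible: an HS256 JWT carrying the userId/tenantId/email claims with an expiry, a verifier that rejects bad signatures and expired tokens, and an opaque refresh token of which only a hash is stored. The signing key is a constructed demo value, and the refresh-token design is one common approach, not something the question specifies.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo key; a real service loads this from a secret store, never from source.
KEY = b"constructed-demo-key-do-not-use-in-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_access_token(key, user_id, tenant_id, email, lifetime_s=60, now=None):
    """Mint an HS256 JWT with the claims the question's endpoint puts in the token.
    The payload is only base64url-encoded, not encrypted: anyone holding it can read it."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"userId": user_id, "tenantId": tenant_id, "email": email,
              "iat": now, "exp": now + lifetime_s}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_access_token(key, token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims

def issue_refresh_token():
    """Assumed design: an opaque random string with no claims inside; only its SHA-256
    hash is stored against the user, so a database leak yields no usable refresh tokens."""
    raw = secrets.token_urlsafe(32)
    return raw, hashlib.sha256(raw.encode()).hexdigest()

def refresh_token_matches(raw, stored_hash):
    return hmac.compare_digest(hashlib.sha256(raw.encode()).hexdigest(), stored_hash)
```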
As you are saying, it's a multi-tenant application with different roles; I think the best choice will be Identity Server 4.
You can customize it as per your needs, and there is a lot of help available online to set it up.
Writing your own authentication is a bad idea.