Securing thick client with IdentityServer4
I am implementing a web application with security via IS4. My idea is to make the actual application running the local identity server also be an endpoint for managing it: modifying clients, users, resources and what not.
I don't want to separate the actual database work into a standalone API, and would prefer to keep this client thick. But this would make this webapp both a client and a protected resource.
How is this supposed to be implemented in terms of IS4? Do I register my app as both a client and an API? Is there a cleaner mechanism in IdentityServer4 for doing this sort of "self-check"?
You can add user management related APIs into the application which is running Identity Server. You can make use of ASP.NET Identity and EF Core to manage users/roles.
Your client app will authenticate via the identity server application, and also acquire an access token for accessing the protected user management APIs in the IDS app. The identity server app needs to add a JWT Bearer authentication scheme which accepts the API requests (with the token in the header); then you should add the Authorize attribute to challenge the bearer authentication on the protected API controllers/actions.
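As an added example (not code from the answer or from the IdentityServer4 project), this Startup wires up the setup the answer describes: the same ASP.NET Core app hosts IdentityServer4 and, through a second JWT Bearer scheme whose Authority is its own URL, protects its own management API. `https://localhost:5001`, the `management-api` scope, the `admin-ui` client and `ApplicationUser` are assumed placeholders.

```csharp
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Assumed: this app's own public URL. Tokens are validated against it, so the app checks itself.
    private const string SelfUrl = "https://localhost:5001";
    private const string ManagementScope = "management-api";
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();
        // 1. The app is the token issuer; ASP.NET Identity (ApplicationUser) is assumed registered via AddIdentity<ApplicationUser, IdentityRole>().
        services.AddIdentityServer()
            .AddDeveloperSigningCredential() // dev only; use a persisted signing key in production
            .AddInMemoryApiScopes(new[] { new ApiScope(ManagementScope) })
            .AddInMemoryApiResources(new[] { new ApiResource(ManagementScope) { Scopes = { ManagementScope } } })
            .AddInMemoryClients(new[]
            {
                new Client // the same web app, registered as a client allowed to ask for its own API scope
                {
                    ClientId = "admin-ui",
                    AllowedGrantTypes = GrantTypes.Code,
                    RequirePkce = true,
                    ClientSecrets = { new Secret("replace-me".Sha256()) },
                    RedirectUris = { SelfUrl + "/signin-oidc" },
                    AllowedScopes = { "openid", "profile", ManagementScope }
                }
            })
            .AddAspNetIdentity<ApplicationUser>();

        // 2. The app is also a resource: a second, non-default scheme validates its own tokens.
        //    The Identity cookie stays the default for the UI; "Bearer" is opted into per endpoint.
        services.AddAuthentication().AddJwtBearer("Bearer", options =>
        {
            options.Authority = SelfUrl;        // discovery document is served by this same process
            options.Audience = ManagementScope; // reject tokens that were not minted for this API
        });
        // Configure(): app.UseRouting(); app.UseIdentityServer(); app.UseAuthorization(); app.UseEndpoints(...)
    }
}

// 3. Naming the scheme makes a missing or invalid token answer 401 instead of redirecting to the login page.
[ApiController, Route("api/users"), Authorize(AuthenticationSchemes = "Bearer")]
public class UsersController : ControllerBase
{
    [HttpGet] public IActionResult List() => Ok(new[] { "alice", "bob" }); // constructed sample data
}
```

Because the Authority is the app's own URL, the bearer handler fetches the discovery document from the same process on the first protected request, so the app must be reachable at that URL once it serves API calls.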