IdentityServer4 LocalApi with custom policy in .NET Core 3.1
I'm trying to use the "LocalApi" feature of IdentityServer4 with some custom Policies.
I have an API (hosted on the same application instance as IdentityServer4) that is divided into three parts (Server, Manager, Product) and for three clients (Server, Manager, Product). A client can only call the devoted part of the API, and I would do this with Policies based on scopes.
So I have the following:
Startup:
services.AddLocalApiAuthentication(); // Add API hosted on the same application as IdentityServer
services.AddAuthorization(options =>
{
    // Each policy requires both the generic local-API scope and the part-specific scope
    options.AddPolicy("Manager", policy =>
    {
        //policy.RequireClaim("scope", configuration.GetValue<string>("EchinoLoginApiManagerScopeOptions:Name"));
        policy.RequireClaim("scope", "local_api_manager_scope");
        policy.RequireClaim("scope", IdentityServerConstants.LocalApi.ScopeName);
    });
    options.AddPolicy("Server", policy =>
    {
        //policy.RequireClaim("scope", configuration.GetValue<string>("EchinoLoginApiServerScopeOptions:Name"));
        policy.RequireClaim("scope", "local_api_server_scope");
        policy.RequireClaim("scope", IdentityServerConstants.LocalApi.ScopeName);
    });
    options.AddPolicy("Product", policy =>
    {
        //policy.RequireClaim("scope", configuration.GetValue<string>("EchinoLoginApiProductScopeOptions:Name"));
        policy.RequireClaim("scope", "local_api_product_scope");
        policy.RequireClaim("scope", IdentityServerConstants.LocalApi.ScopeName);
    });
});
And my ApiResource:
new ApiResource
{
    Name = IdentityServerConstants.LocalApi.ScopeName,
    Scopes =
    {
        new Scope()
        {
            Name = IdentityServerConstants.LocalApi.ScopeName,
            DisplayName = IdentityServerConstants.LocalApi.ScopeName,
        },
        new Scope()
        {
            Name = "local_api_product_scope",
            DisplayName = echinoLoginApiProductScopeOptions.DisplayName,
            UserClaims = echinoLoginApiProductScopeOptions.UserClaims
        },
        new Scope()
        {
            Name = "local_api_manager_scope",
            DisplayName = echinoLoginApiManagerScopeOptions.DisplayName,
            UserClaims = echinoLoginApiManagerScopeOptions.UserClaims
        },
        new Scope()
        {
            Name = "local_api_server_scope",
            DisplayName = echinoLoginApiServerScopeOptions.DisplayName,
            UserClaims = echinoLoginApiServerScopeOptions.UserClaims
        }
    }
}
And finally my server client:
new Client
{
    ClientId = echinoServerOptions.Id,
    ClientName = echinoServerOptions.Name,
    ClientSecrets =
    {
        new Secret(echinoServerOptions.Secret.Sha256())
    },
    AllowedGrantTypes = GrantTypes.ClientCredentials,
    //AllowedScopes = AddLocalApiScope(echinoServerOptions.AllowedScopes)
    AllowedScopes = { "IdentityServerApi", "server_scope", "local_api_server_scope" }
},
So in my controller I use [Authorize(Policy = "Server")], but I always get an authentication failed error. If I use [Authorize(LocalApi.PolicyName)] it works, but then I don't have my custom policy.
The payload of the JWT token is the following:
{
    "nbf": 1582632694,
    "exp": 1582636294,
    "iss": "https://localhost:44334",
    "aud": [
        "IdentityServerApi",
        "EchinoLoginApi"
    ],
    "client_id": "EchinoServer",
    "scope": [
        "IdentityServerApi",
        "local_api_server_scope",
        "server_scope"
    ]
}
I must be missing something, but I can't find what.
Can anybody give me a hand?
For local APIs, you should use [Authorize(LocalApi.PolicyName)] together with your custom policy.
[Authorize("productpolicy")]
[Authorize(LocalApi.PolicyName)]
[ApiController]
[Route("api/[controller]")]
public class ProductController : ControllerBase
{...
Or you can handle it in another way:
options.AddPolicy(ClientLocalScopes.AuthenticationAuthorization, policy =>
{
    policy.AddAuthenticationSchemes(IdentityServerConstants.LocalApi.AuthenticationScheme);
    policy.RequireAuthenticatedUser();
    // write your code here
});
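To tie the two parts of the answer back to the question's Startup, here is an added example (not code from the question or the answer) of the second approach applied to all three custom policies: each policy is bound to the LocalApi authentication scheme and then requires both the generic local-API scope claim and the part-specific scope claim, so [Authorize(Policy = "Server")] works on its own. The AddLocalApiScopePolicies helper name and the Dictionary of policy-to-scope names are assumptions for this example; the scope names and constants are the ones from the question.

```csharp
using System.Collections.Generic;
using IdentityServer4;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class LocalApiPolicies
{
    // Hypothetical helper: one policy per API part, each evaluated against the
    // LocalApi authentication scheme instead of the application's default scheme.
    public static void AddLocalApiScopePolicies(this IServiceCollection services)
    {
        services.AddLocalApiAuthentication();

        // Policy name -> part-specific scope, taken from the question's configuration
        var partScopes = new Dictionary<string, string>
        {
            ["Server"] = "local_api_server_scope",
            ["Manager"] = "local_api_manager_scope",
            ["Product"] = "local_api_product_scope",
        };

        services.AddAuthorization(options =>
        {
            foreach (var (policyName, partScope) in partScopes)
            {
                options.AddPolicy(policyName, policy =>
                {
                    // Without this the policy runs against the default scheme and
                    // the local-API token is never authenticated.
                    policy.AddAuthenticationSchemes(IdentityServerConstants.LocalApi.AuthenticationScheme);
                    policy.RequireAuthenticatedUser();
                    // Two separate RequireClaim calls: both scope values must be present,
                    // which matches the "scope" array in the question's JWT payload.
                    policy.RequireClaim("scope", IdentityServerConstants.LocalApi.ScopeName);
                    policy.RequireClaim("scope", partScope);
                });
            }
        });
    }
}

// A controller for the "Server" part then needs only the custom policy.
[Authorize(Policy = "Server")]
[ApiController]
[Route("api/[controller]")]
public class ServerController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok(new { part = "Server" });
}
```

Call services.AddLocalApiScopePolicies() in ConfigureServices in place of the AddLocalApiAuthentication and AddAuthorization calls from the question.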