堆栈内存溢出
  简体   繁体   English

IdentityServer4 LocalApi 与 .NET Core 3.1 中的自定义策略

[英]IdentityServer4 LocalApi with custom policy in .NET Core 3.1

 原文  2020-02-25 12:22:05       c#/ asp.net-core/ identityserver4

问题描述

I'm trying to use the "LocalApi" feature of IdentityServer4 with some custom Policies.我正在尝试将 IdentityServer4 的“LocalApi”功能与一些自定义策略一起使用。

I have an API (hosted on the same application instance as IdentityServer4) that is divided into three parts (Server, Manager, Product) and for three clients (Server, Manager, Product).我有一个 API(托管在与 IdentityServer4 相同的应用程序实例上),它分为三个部分(服务器、管理器、产品)和三个客户端(服务器、管理器、产品)。 Client can only call the devoted part of the API and I would do this with Policies based on scopes.客户端只能调用 API 的专用部分,我会使用基于范围的策略来做到这一点。

So I have the following:所以我有以下几点:

Starup:启动:

services.AddLocalApiAuthentication(); // Add API hosted on same application than IdentityServer
services.AddAuthorization(options =>
    {
        options.AddPolicy("Manager", policy =>
        {
            //policy.RequireClaim("scope", configuration.GetValue<string>("EchinoLoginApiManagerScopeOptions:Name"));
            policy.RequireClaim("scope", "local_api_manager_scope");
            policy.RequireClaim("scope", IdentityServerConstants.LocalApi.ScopeName);
        });

        options.AddPolicy("Server", policy =>
        {
            //policy.RequireClaim("scope", configuration.GetValue<string>("EchinoLoginApiServerScopeOptions:Name"));
            policy.RequireClaim("scope", "local_api_server_scope");
            policy.RequireClaim("scope", IdentityServerConstants.LocalApi.ScopeName);
        });

        options.AddPolicy("Product", policy =>
        {
            //policy.RequireClaim("scope", configuration.GetValue<string>("EchinoLoginApiProductScopeOptions:Name"));
            policy.RequireClaim("scope", "local_api_product_scope");
            policy.RequireClaim("scope", IdentityServerConstants.LocalApi.ScopeName);
        });
    });

And my ApiResource还有我的 ApiResource

new ApiResource
     {
         Name = IdentityServerConstants.LocalApi.ScopeName,
         Scopes =
         {
             new Scope()
             {
                 Name = IdentityServerConstants.LocalApi.ScopeName,
                 DisplayName = IdentityServerConstants.LocalApi.ScopeName,
             },
             new Scope()
             {
                 Name = "local_api_product_scope",
                 DisplayName = echinoLoginApiProductScopeOptions.DisplayName,
                 UserClaims = echinoLoginApiProductScopeOptions.UserClaims
             },
             new Scope()
             {
                 Name = "local_api_manager_scope",
                 DisplayName = echinoLoginApiManagerScopeOptions.DisplayName,
                 UserClaims = echinoLoginApiManagerScopeOptions.UserClaims
             },
             new Scope()
             {
                 Name = "local_api_server_scope",
                 DisplayName = echinoLoginApiServerScopeOptions.DisplayName,
                 UserClaims = echinoLoginApiServerScopeOptions.UserClaims
             }
         }
     }

And finally my server client最后我的服务器客户端

new Client
     {
         ClientId = echinoServerOptions.Id,
         ClientName = echinoServerOptions.Name,

         ClientSecrets =
         {
             new Secret(echinoServerOptions.Secret.Sha256())
         },

         AllowedGrantTypes = GrantTypes.ClientCredentials,
         //AllowedScopes = AddLocalApiScope(echinoServerOptions.AllowedScopes)
         AllowedScopes = { "IdentityServerApi", "server_scope", "local_api_server_scope" }
     },

So in my controller I use [Authorize(Policy = "Server")] but I always have an authentication failed.所以在我的控制器中我使用 [Authorize(Policy = "Server")] 但我总是有一个身份验证失败。 If I use [Authorize(LocalApi.PolicyName)] it's working but then I don't have my custom policy.如果我使用 [Authorize(LocalApi.PolicyName)] 它可以工作,但我没有自定义策略。

The payload of the JWT token is the following: JWT 令牌的负载如下:

{
  "nbf": 1582632694,
  "exp": 1582636294,
  "iss": "https://localhost:44334",
  "aud": [
    "IdentityServerApi",
    "EchinoLoginApi"
  ],
  "client_id": "EchinoServer",
  "scope": [
    "IdentityServerApi",
    "local_api_server_scope",
    "server_scope"
  ]
}

I must be missing something but I can't found what.我一定错过了什么,但我找不到什么。

Can anybody give me a hand?有人可以帮我吗?

1 个解决方案

解决方案1
 2 已采纳  2020-02-25 12:34:21

For local apis, you should use [Authorize(LocalApi.PolicyName)] with your custom policy together.对于本地 api,您应该将 [Authorize(LocalApi.PolicyName)] 与您的自定义策略一起使用。

[Authorize("productpolicy")]
[Authorize(LocalApi.PolicyName)]
[ApiController]
[Route("api/[controller]")]
public class ProductController : ControllerBase
{...

Or you can handle it in another way:或者你可以用另一种方式处理它:

options.AddPolicy(ClientLocalScopes.AuthenticationAuthorization, policy =>
    {
        policy.AddAuthenticationSchemes(IdentityServerConstants.LocalApi.AuthenticationScheme);
        policy.RequireAuthenticatedUser();
// write your code here
    });

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Razor .net 核心 3.1 与 IdentityServer4 - Razor .net core 3.1 with IdentityServer4 授权属性不适用于 IdentityServer4 和 .NET Core 3.1 - Authorize attribute not working with IdentityServer4 and .NET Core 3.1 我想更新 IdentityServer4 (.NET Core 3.1) 中的用户声明 - I want to Update User Claims in IdentityServer4 (.NET Core 3.1) 如何使用托管在 .Net framework 4.6 应用程序中的登录页面对 .Net Core 3.1 上的 IdentityServer4 应用程序进行身份验证? - How to use login page hosted in .Net framework 4.6 application to authenticate for IdentityServer4 application on .Net Core 3.1? IdentityServer4 Asp.Net 核心身份 - IdentityServer4 Asp.Net Core Identity .net 核心 api 与 identityserver4 在一个项目中 - .net core api with identityserver4 in one project .Net Core IdentityServer4获取经过身份验证的用户 - .Net Core IdentityServer4 Get Authenticated User asp.net core 3 和 identityserver4 - asp.net core 3 and identityserver4 IdentityServer4 无法使用自定义用户存储添加 asp net core 身份 - IdentityServer4 can't add asp net core identity with custom user store IdentityServer4 .net core 2身份验证使用多个OpenIDConnect实例 - IdentityServer4 .net core 2 Authentication Use multiple instances of OpenIDConnect
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM