堆栈内存溢出
  简体   繁体   English

使用Identity Server在.Net Core Web API中授权

[英]Authorization in .Net Core Web API using Identity Server

 原文  2020-10-25 13:23:18       c#/ .net-core/ azure-web-app-service/ asp.net-core-webapi/ azure-api-management

问题描述

We have a.Net Core Web API hosted on Azure App Service and we have our own Identity Server to generate an access token.我们有一个 .Net Core Web API 托管在 Azure App Service 上,我们有自己的身份服务器来生成访问令牌。 We have added our web API to Azure API Management so all the requests to web API have to go through API Management.我们已将我们的 web API 添加到 Azure API 管理,因此所有对 web API 的请求都必须通过 88103088512 到 go 管理.

For securing API Operations, we will send access token generated by Identity Server in all the requests.为了保护 API 操作,我们将在所有请求中发送由 Identity Server 生成的访问令牌。 So We wanted to validate the access token, we have added Authentication in API Management at API operation inbound processing as shown below, because we don't want unauthorized request to be stopped at API management without hitting back end API.所以我们想要验证访问令牌,我们在 API Management at API operation inbound processing 中添加了 Authentication 如下所示,因为我们不希望未经授权的请求在 API management 停止而不回击后端 API。

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
   <openid-config url="https://<our-identity-server-URL>/.well-known/openid-configuration" />
</validate-jwt>

It is working fine, all the request without access token are throwing 401 Unauthorized Response and all requests with a valid access token are hitting Web API.它工作正常,所有没有访问令牌的请求都抛出 401 未经授权的响应,所有具有有效访问令牌的请求都命中 Web API。

Now we want to Authorize our requests by checking whether the required Scope is present in the Access token or not.现在我们想通过检查访问令牌中是否存在所需的 Scope 来授权我们的请求。 BUT Since we already Authenticating in API Management we don't want to Authenticate again in the Web API code.但是由于我们已经在 API 管理中进行了身份验证,我们不想在 Web API 代码中再次进行身份验证。 So we wrote only Authorization code in StartUp.cs file as shown below,所以我们只在 StartUp.cs 文件中编写了授权代码,如下所示,

public void ConfigureServices(IServiceCollection services)
{
       services.AddAuthentication("Bearer").AddJwtBearer("Bearer", config =>
       {
           config.Authority = "<our Identity Server URL>";
           config.TokenValidationParameters = new TokenValidationParameters()
           {
               ValidateAudience = false
           };
       });
       services.AddAuthorization(options =>
       {
           options.AddPolicy("ApiScope", policy =>
           {
              policy.RequireClaim("scope","Allow_BackEnd_Service");
           });
        });
       services.AddControllers();            
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    app.UseHttpsRedirection();
    app.UseRouting();
     //app.UseAuthentication(); (It is working only if I add this line)
    app.UseAuthorization();
    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });
}

But this code is always returning 401 Unauthorized Result.但是这段代码总是返回 401 Unauthorized Result。 If I add "app.UseAuthentication();"如果我添加“app.UseAuthentication();” in the Configure Method in Startup.cs class, it is working.在 Startup.cs class 的配置方法中,它正在运行。 But we don't want to do add Authentication again in Web API.但是我们不想在Web API中再次添加Authentication。

Is it possible to do only Authorization in .net Core Web API?是否可以仅在 .net Core Web API 中进行授权? If not, If I have to add "app.UseAuthentication();", what will be latency?如果不是,如果我必须添加“app.UseAuthentication();”,会有什么延迟? will it be a performance problem?会不会是性能问题?

1 个解决方案

解决方案1
 0 已采纳  2020-10-27 08:28:41

In this case, you can directly use the required-claims in the APIM policy to validate the scope in the token.在这种情况下,您可以直接使用 APIM 策略中的required-claims来验证令牌中的scope

Sample:样本:

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
   <openid-config url="https://<our-identity-server-URL>/.well-known/openid-configuration" />
   <required-claims>
    <claim name="scp" match="any" separator=" ">
    <value>Users.Read</value>
    </claim>
    </required-claims>
</validate-jwt>

Then if the scope in my decoded token is like below, the policy will check if the Users.Read is in the scope, if it is existing, the token is valid.然后如果我的解码令牌中的 scope 如下所示,该策略将检查Users.Read是否在 scope 中,如果存在,则令牌有效。

在此处输入图像描述

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 通过使用JWT令牌在Web API上声明角色授权-Asp.net核心标识 - Authorization by a Claim of a Role on Web API using JWT Token- Asp.net Core Identity IdentityServer4 基于角色的 Web API 授权与 ASP.NET Core 标识 - IdentityServer4 Role Based Authorization for Web API with ASP.NET Core Identity .NET 核心 Web API 身份验证和 .NET 身份 - .NET Core Web API Authentication and .NET Identity .Net Core 自定义身份验证使用 API 密钥和 Identity Server 4 - .Net Core Custom Authentication using API Keys with Identity Server 4 Web API 中的 ASP.NET 核心标识 - ASP.NET Core Identity in a Web API 如何在Net Core Web API中扩展身份 - How to extend Identity in Net Core Web API Blazor 和 Web API 解决方案中的 .NET 核心标识 - .NET Core Identity in Blazor and Web API Solution Asp.Net Core-来自其他服务器的自定义授权和身份? - Asp.Net Core - Custom Authorization and Identity from another server? 带有ASP.NET CORE 1.0的Identity Server 3身份验证/授权 - Identity Server 3 Authentication/Authorization, with ASP.NET CORE 1.0 ASP.NET 核心授权权限访问文件夹与Identity Server - ASP.NET Core authorization permission access folder with Identity Server
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM