IdentityServer: Check if scopes present in a policy for authentication in OpenId Connect
Question
I have a controller with policy based authentication:
[ApiController]
[Route("[controller]")]
[Authorize(Policy ="SomePolicy")]
public class BankController : ControllerBase
{
...
}
The Policy authtication code which says the "scope" should be either "read" or "fullaccess". See below code:
services.AddAuthorization(options =>
{
options.AddPolicy("SomePolicy", policy =>
{
policy.RequireClaim("scope", "read", "fullaccess");
});
});
"read" and "fullaccess" are ApiScopes defined on appsetting.json and from there they are fed to IdentityServer 4.
"IdentityServerSettings": {
"ApiScopes": [
{
"Name": "read"
},
{
"Name": "fullaccess"
}
],
...
}
The code is working well on postman testing.
The Problem is how to implement on OpenId Connect. All my attempts seems to fail.
I tried:
.AddOpenIdConnect("oidc", options =>
{
options.Authority = "https://localhost:5001";
options.ClientId = "postman";
options.ResponseType = "code";
options.Scope.Add("read");
options.Scope.Add("fullaccess");
options.SaveTokens = true;
});
But it is not working? Please help?
1 answers
solution1
1 2021-07-20 09:14:16
I think I can share my integration steps here to help you troubleshot.
Click here to see a related blog .
First, I created a asp.net core 3.1 mvc project, and installed these packages:
<ItemGroup>
<PackageReference Include="IdentityServer4" Version="4.1.2" />
<PackageReference Include="IdentityServer4.AccessTokenValidation" Version="3.0.1" />
<PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="3.1.17" />
</ItemGroup>
And then add a file named Config.cs, pls note here in my project the default port is 5001 for https, see launchSetting.json:
using IdentityModel;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Test;
using System.Collections.Generic;
using System.Security.Claims;
namespace WebApplication1
{
public class Config
{
public static IEnumerable<IdentityResource> GetIdentityResources()
{
return new List<IdentityResource>
{
new IdentityResources.OpenId(),
new IdentityResources.Profile(),
new IdentityResource
{
Name = "role",
UserClaims = new List<string> {"role"}
}
};
}
public static IEnumerable<ApiScope> GetApiScopes()
{
return new List<ApiScope>
{
new ApiScope("api1.read", "Read Access to API #1"),
new ApiScope("api1.write", "Write Access to API #1")
};
}
public static IEnumerable<ApiResource> GetApiResources()
{
return new List<ApiResource> {
new ApiResource
{
Name = "api1",
DisplayName = "API #1",
Description = "Allow the application to access API #1 on your behalf",
Scopes = new List<string> {"api1.read", "api1.write"},
ApiSecrets = new List<Secret> {new Secret("ScopeSecret".Sha256())},
UserClaims = new List<string> {"role"}
}
};
}
public static IEnumerable<Client> GetClients()
{
return new List<Client>
{
// other clients omitted...
new Client
{
ClientId = "oidcClient",
ClientName = "Example Client Application",
ClientSecrets = new List<Secret> {new Secret("SuperSecretPassword".Sha256())}, // change me!
AllowedGrantTypes = GrantTypes.Code,
RedirectUris = new List<string> {"https://localhost:5001/signin-oidc"},
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"role",
"api1.read"
},
RequirePkce = true,
AllowPlainTextPkce = false
},
new Client
{
ClientId = "oauthClient",
ClientName = "Example client application using client credentials",
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets = new List<Secret> {new Secret("SuperSecretPassword".Sha256())}, // change me!
AllowedScopes = new List<string> {"api1.read"}
}
};
}
public static List<TestUser> GetUsers()
{
return new List<TestUser>
{
new TestUser {
SubjectId = "5BE86359-073C-434B-AD2D-A3932222DABE",
Username = "tiny",
Password = "111",
Claims = new List<Claim> {
new Claim(JwtClaimTypes.Email, "tiny@gmail.com"),
new Claim(JwtClaimTypes.Role, "admin")
}
}
};
}
}
}
Next, we can use powershell to run a command to install default identity server 4 ui in our project for the login part. Because it will also provide a HomeController.cs, we can rename or delete the original HomeController when creating the project. Go to the root directory of the project, open powershell and run:
iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/IdentityServer/IdentityServer4.Quickstart.UI/main/getmain.ps1'))
Then we need to modify the startup.cs, here's my file:
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.HttpsPolicy;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading.Tasks;
namespace WebApplication1
{
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddInMemoryIdentityResources(Config.GetIdentityResources())
.AddInMemoryApiResources(Config.GetApiResources())
.AddInMemoryApiScopes(Config.GetApiScopes())
.AddInMemoryClients(Config.GetClients())
.AddTestUsers(Config.GetUsers());
services.AddControllersWithViews();
//If we only need to enable the token validation for api, use the code commented below
//services.AddAuthentication("Bearer")
//.AddIdentityServerAuthentication("Bearer", options =>
//{
// options.ApiName = "api1";
// options.Authority = "https://localhost:5001";
//});
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
services.AddAuthentication(options =>
{
options.DefaultScheme = "cookie";
options.DefaultChallengeScheme = "oidc";
})
.AddCookie("cookie")
.AddOpenIdConnect("oidc", options =>
{
options.Authority = "https://localhost:5001";
options.ClientId = "oidcClient";
options.ClientSecret = "SuperSecretPassword";
options.ResponseType = "code";
options.UsePkce = true;
options.ResponseMode = "query";
options.CallbackPath = "/signin-oidc"; // default redirect URI
// options.Scope.Add("oidc"); // default scope
// options.Scope.Add("profile"); // default scope
options.Scope.Add("api1.read");
options.SaveTokens = true;
});
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseIdentityServer();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
});
}
}
}
Finally, let's comment the attribute [AllowAnonymous] in HomeController and add an action for privacy page:
[Authorize]
public IActionResult Privacy() => View();
we can also add a new controller to made it work like an api and add [Authorize] on that controller,eg
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
namespace WebApplication1.Controllers
{
[Authorize]
public class HelloController : Controller
{
public string Index()
{
return "hello world";
}
}
}
Then start the program, we can see home page directly, but if we visit https://localhost:5001/hello/index , https://localhost:5001/home/privacy ,it will redirect to a sign in page, after sign in(user name and password is defined in config.cs) we can see privary page or response message.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.