[英]Manually generate IdentityServer4 reference token and save to PersistedGrants table
我已经学习了一周的IdentityServer4 ,并成功地使用ResourceOwnedPassword流程实现了一个简单的身份验证流程。
现在,我正在按照本教程使用 IdentityServer4实施Google 身份验证
这就是我正在做的:
启动文件
public void ConfigureServices(IServiceCollection services)
{
//...
const string connectionString = @"Data Source=.\SQLEXPRESS;database=IdentityServer4.Quickstart.EntityFramework-2.0.0;trusted_connection=yes;";
var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;
services.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddProfileService<IdentityServerProfileService>()
.AddResourceOwnerValidator<IdentityResourceOwnerPasswordValidator>()
// this adds the config data from DB (clients, resources)
.AddConfigurationStore(options =>
{
options.ConfigureDbContext = builder =>
{
builder.UseSqlServer(connectionString,
sql => sql.MigrationsAssembly(migrationsAssembly));
};
})
// this adds the operational data from DB (codes, tokens, consents)
.AddOperationalStore(options =>
{
options.ConfigureDbContext = builder =>
builder.UseSqlServer(connectionString,
sql => sql.MigrationsAssembly(migrationsAssembly));
// this enables automatic token cleanup. this is optional.
options.EnableTokenCleanup = true;
options.TokenCleanupInterval = 30;
});
// Add jwt validation.
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddIdentityServerAuthentication(options =>
{
// base-address of your identityserver
options.Authority = "https://localhost:44386";
options.ClaimsIssuer = "https://localhost:44386";
// name of the API resource
options.ApiName = "api1";
options.ApiSecret = "secret";
options.RequireHttpsMetadata = false;
options.SupportedTokens = SupportedTokens.Reference;
});
//...
}
** Google 控制器(用于处理从 Google 返回的令牌 **
public class GLoginController : Controller
{
#region Properties
private readonly IPersistedGrantStore _persistedGrantStore;
private readonly IUserFactory _userFactory;
private readonly IBaseTimeService _baseTimeService;
private readonly ITokenCreationService _tokenCreationService;
private readonly IReferenceTokenStore _referenceTokenStore;
private readonly IBaseEncryptionService _baseEncryptionService;
#endregion
#region Constructor
public GLoginController(IPersistedGrantStore persistedGrantStore,
IBaseTimeService basetimeService,
ITokenCreationService tokenCreationService,
IReferenceTokenStore referenceTokenStore,
IBaseEncryptionService baseEncryptionService,
IUserFactory userFactory)
{
_persistedGrantStore = persistedGrantStore;
_baseTimeService = basetimeService;
_userFactory = userFactory;
_tokenCreationService = tokenCreationService;
_referenceTokenStore = referenceTokenStore;
_baseEncryptionService = baseEncryptionService;
}
#endregion
#region Methods
[HttpGet("login")]
[AllowAnonymous]
public IActionResult Login()
{
var authenticationProperties = new AuthenticationProperties
{
RedirectUri = "/api/google/handle-external-login"
};
return Challenge(authenticationProperties, "Google");
}
[HttpGet("handle-external-login")]
//[Authorize("ExternalCookie")]
[AllowAnonymous]
public async Task<IActionResult> HandleExternalLogin()
{
//Here we can retrieve the claims
var authenticationResult = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
var principal = authenticationResult.Principal;
var emailAddress = principal.FindFirst(ClaimTypes.Email)?.Value;
if (string.IsNullOrEmpty(emailAddress))
return NotFound(new ApiMessageViewModel("Email is not found"));
// Find user by using username.
var loadUserConditions = new LoadUserModel();
loadUserConditions.Usernames = new HashSet<string> { emailAddress };
loadUserConditions.Pagination = new PaginationValueObject(1, 1);
// Find users asynchronously.
var loadUsersResult = await _userFactory.FindUsersAsync(loadUserConditions);
var user = loadUsersResult.FirstOrDefault();
// User is not defined.
if (user == null)
{
user = new User(Guid.NewGuid(), emailAddress);
user.Email = emailAddress;
user.HashedPassword = _baseEncryptionService.Md5Hash("abcde12345-");
user.JoinedTime = _baseTimeService.DateTimeUtcToUnix(DateTime.UtcNow);
user.Kind = UserKinds.Google;
user.Status = UserStatuses.Active;
//await _userFactory.AddUserAsync(user);
}
else
{
// User is not google account.
if (user.Kind != UserKinds.Google)
return Forbid("User is not allowed to access system.");
}
var token = new Token(IdentityServerConstants.TokenTypes.IdentityToken);
var userCredential = new UserCredential(user);
token.Claims = userCredential.GetClaims();
token.AccessTokenType = AccessTokenType.Reference;
token.ClientId = "ro.client";
token.CreationTime = DateTime.UtcNow;
token.Audiences = new[] {"api1"};
token.Lifetime = 3600;
return Ok();
}
#endregion
}
一切都很好,我可以得到从Google OAuth2返回的声明,使用 Google 电子邮件地址在数据库中查找用户并在他们没有任何帐户的情况下进行注册。
我的问题是:如何使用在HandleExternalLogin方法中收到的 Google OAuth2 声明来生成Reference Token ,将其保存到PersistedGrants表并返回给客户端。
这意味着当用户访问https://localhost:44386/api/google/login ,在被重定向到谷歌同意屏幕后,他们可以收到由IdentityServer4生成的access_token 、 refresh_token 。
谢谢,
AccessTokenType.Reference对TokenTypes.AccessToken有效, TokenTypes.AccessToken不是TokenTypes.IdentityToken如您的代码段所示。一般来说,遵循原始快速入门然后扩展通用代码以满足您的需要会更简单。 我现在在上面的代码片段中看到的只是您的特定内容,而不是默认部分,负责创建 IdSrv 会话并重定向回客户端。
如果您仍然喜欢手动创建令牌:
ITokenService注入您的控制器。TokenTypes.AccessToken而不是
TokenTypes.IdentityToken
var tokenHandle = await TokenService.CreateAccessTokenAsync(token); tokenHandle是PersistedGrantStore一个键
IdentityServer4:一起生成Refresh Token和ReferenceToken
[英]IdentityServer4: Generate Refresh Token and ReferenceToken Together
为什么 IdentityServer persistedgrants 中没有更新刷新令牌到期?
[英]Why is the refresh-token expiration not renewed in IdentityServer persistedgrants?
IdentityServer4 参考访问令牌有时会作为 JWT 令牌传输
[英]IdentityServer4 Reference Access Token Sometimes being transmitted as JWT Token instead
是否有任何IdentityServer4服务(而不是端点)用于令牌处理?
[英]Are there any IdentityServer4 services (not endpoints) for token handling?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.