[英]IdentityServer4 Using Client Credential Workflow with an API (Or trying to emulate OIDC calls)
我想使用 IdentityServer4 来保护使用 Windows 凭据的 API。 我在 web 应用程序中创建了一个工作示例,但尝试模仿 OIDC 调用证明很麻烦。 在文件中,似乎表明使用 API 的唯一方法是使用 ClientID 和密钥进行身份验证。 我想看看这是不是真的。 下面我将添加我目前正在尝试模拟 OIDC 工作流程的网络调用。 希望有更好的方法来解决这个问题或一组更简单的调用。 无论哪种方式,我都很感激帮助。
我调用登录端点“[GET] https://localhost:44353/Account/Login”,这将返回一个 200 OK 登录页面 HTML,更重要的是我的“.AspNetCore.Antiforgery”cookie
我使用 NTLM 身份验证调用我的挑战端点“[GET] https://localhost:44353/External/Challenge?provider=Windows”并提供我的 windows 凭据。 这将返回 401 Unauthorized 和 cookie “idsrv.external”,我认为 401 只是由于重定向,我实际上只需要 cookie。
我调用回调端点“[GET] https://localhost:44353/External/Callback”并删除我的“idsrv.external”cookie 并将 cookies 称为“idsrv.session”和“idsrv”。
我现在尝试使用我目前收到的 cookies 调用我的 API 端点“[GET] https://localhost:16385/managementservice/schema”。 这将返回给我 OIDC 权限请求页面。
我从最后一个请求的 html 中获取返回 URL 和令牌,并使用以下表格调用“[POST] https://localhost:44353/Consent” 这将返回 200 OK html 并带有一个调用“https://localhost:16385/signin-oidc”的按钮。
我可以根据需要提供更多数据或特定文件。 这只是一个起点。
编辑:我收到了提供适用文件的请求。 我的客户端应用程序是 ASP.NET 核心 API,我正在使用 postman。
身份服务器启动.cs
using IdentityModel;
using IdentityServer4;
using IdentityServer4.Quickstart.UI;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
namespace IdentityServerTemplate
{
public class Startup
{
public IWebHostEnvironment Environment { get; }
public IConfiguration Configuration { get; }
public Startup(IWebHostEnvironment environment, IConfiguration configuration)
{
Environment = environment;
Configuration = configuration;
}
public void ConfigureServices(IServiceCollection services)
{
services.AddControllersWithViews();
services.AddHttpClient();
// configures IIS out-of-proc settings (see https://github.com/aspnet/AspNetCore/issues/14882)
services.Configure<IISOptions>(iis =>
{
iis.AuthenticationDisplayName = "Windows";
iis.AutomaticAuthentication = true;
});
// configures IIS in-proc settings
services.Configure<IISServerOptions>(iis =>
{
iis.AuthenticationDisplayName = "Windows";
iis.AutomaticAuthentication = true;
});
var builder = services.AddIdentityServer(options =>
{
options.Events.RaiseErrorEvents = true;
options.Events.RaiseInformationEvents = true;
options.Events.RaiseFailureEvents = true;
options.Events.RaiseSuccessEvents = true;
});
//.AddTestUsers(TestUsers.Users);
// in-memory, code config
builder.AddInMemoryIdentityResources(Config.Ids);
builder.AddInMemoryApiResources(Config.Apis);
builder.AddInMemoryClients(Config.Clients);
services.AddScoped<IProfileService, ADProfileService>();
// or in-memory, json config
//builder.AddInMemoryIdentityResources(Configuration.GetSection("IdentityResources"));
//builder.AddInMemoryApiResources(Configuration.GetSection("ApiResources"));
//builder.AddInMemoryClients(Configuration.GetSection("clients"));
// not recommended for production - you need to store your key material somewhere secure
builder.AddDeveloperSigningCredential();
services.AddAuthentication();
//.AddGoogle(options =>
//{
// options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
// // register your IdentityServer with Google at https://console.developers.google.com
// // enable the Google+ API
// // set the redirect URI to http://localhost:5000/signin-google
// options.ClientId = "copy client ID from Google here";
// options.ClientSecret = "copy client secret from Google here";
//});
}
public void Configure(IApplicationBuilder app)
{
if (Environment.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseStaticFiles();
app.UseRouting();
app.UseIdentityServer();
app.UseAuthorization();
app.UseAuthentication();
app.UseEndpoints(endpoints =>
{
endpoints.MapDefaultControllerRoute();
});
}
}
}
身份服务器配置.cs
using IdentityModel;
using IdentityServer4.Models;
using System.Collections.Generic;
namespace IdentityServerTemplate
{
public static class Config
{
public static IEnumerable<IdentityResource> Ids =>
new IdentityResource[]
{
new IdentityResources.OpenId(),
new IdentityResources.Profile(),
new IdentityResources.Email(),
new IdentityResources.Address(),
};
public static IEnumerable<ApiResource> Apis =>
new ApiResource[]
{
// new ApiResource("api1", "My API #1")
new ApiResource("api1", "My API", new[] { JwtClaimTypes.Subject, JwtClaimTypes.Email, JwtClaimTypes.Address, "upn_custom"})
};
public static IEnumerable<Client> Clients =>
new Client[]
{
// client credentials flow client
new Client
{
ClientId = "identity.server",
ClientName = "Identity Server Client",
AllowedGrantTypes = GrantTypes.ClientCredentials,
AlwaysIncludeUserClaimsInIdToken = true,
ClientSecrets = { new Secret("secret".Sha256()) },
AllowedScopes = { "openid", "profile", "email", "address", "api1", "upn_custom" }
},
// MVC client using code flow + pkce
new Client
{
//ClientId = "mvc",
ClientId = "mvc.code",
ClientName = "MVC Client",
// Note
AlwaysIncludeUserClaimsInIdToken = true,
AllowedGrantTypes = GrantTypes.CodeAndClientCredentials,
//RequirePkce = true,
RequirePkce = false,
//ClientSecrets = { new Secret("49C1A7E1-0C79-4A89-A3D6-A37998FB86B0".Sha256()) },
ClientSecrets = { new Secret("secret".Sha256()) },
//RedirectUris = { "https://localhost:5003/signin-oidc" },
RedirectUris = { "https://localhost:5003/signin-oidc" },
FrontChannelLogoutUri = "https://localhost:5003/signout-oidc",
PostLogoutRedirectUris = { "https://localhost:5003/signout-callback-oidc" },
AllowOfflineAccess = true,
AllowedScopes = { "openid", "profile", "email", "address", "api1", "upn_custom" }
},
// MCW Appserver
new Client
{
//ClientId = "mvc",
ClientId = "mcw.appserver",
ClientName = "MCW AppServer",
// Note
AlwaysIncludeUserClaimsInIdToken = true,
AllowedGrantTypes = GrantTypes.CodeAndClientCredentials,
RequirePkce = false,
//RequirePkce = false,
//ClientSecrets = { new Secret("49C1A7E1-0C79-4A89-A3D6-A37998FB86B0".Sha256()) },
ClientSecrets = { new Secret("secret".Sha256()) },
//RedirectUris = { "http://localhost:16835/signin-oidc" },
RedirectUris = { "https://localhost:16385/signin-oidc" },
FrontChannelLogoutUri = "https://localhost:16835/signout-oidc",
PostLogoutRedirectUris = { "https://localhost:16835/signout-callback-oidc" },
AllowOfflineAccess = true,
AllowedScopes = { "openid", "profile", "email", "address", "api1", "upn_custom" }
},
// MVC client using code flow + pkce
new Client
{
//ClientId = "mvc",
ClientId = "ptp.appserv",
ClientName = "PTP AppServ",
// Note
AlwaysIncludeUserClaimsInIdToken = true,
AllowedGrantTypes = GrantTypes.CodeAndClientCredentials,
//RequirePkce = true,
RequirePkce = false,
//ClientSecrets = { new Secret("49C1A7E1-0C79-4A89-A3D6-A37998FB86B0".Sha256()) },
ClientSecrets = { new Secret("secret".Sha256()) },
//RedirectUris = { "https://localhost:30001/signin-oidc" },
RedirectUris = { "https://localhost:30001/signin-oidc" },
FrontChannelLogoutUri = "https://localhost:30001/signout-oidc",
PostLogoutRedirectUris = { "https://localhost:30001/signout-callback-oidc" },
AllowOfflineAccess = true,
AllowedScopes = { "openid", "profile", "email", "address", "api1", "upn_custom" }
},
// SPA client using code flow + pkce
new Client
{
ClientId = "spa",
ClientName = "SPA Client",
ClientUri = "http://identityserver.io",
AllowedGrantTypes = GrantTypes.Code,
RequirePkce = true,
RequireClientSecret = false,
RedirectUris =
{
"http://localhost:5002/index.html",
"http://localhost:5002/callback.html",
"http://localhost:5002/silent.html",
"http://localhost:5002/popup.html",
},
PostLogoutRedirectUris = { "http://localhost:5002/index.html" },
AllowedCorsOrigins = { "http://localhost:5002" },
AllowedScopes = { "openid", "profile", "api1" }
}
};
}
}
ASP.NET API 服务启动.cs
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;
using Tps.ManagedClaimsWell.ApplicationServer.AppServInternals;
using Tps.ManagedClaimsWell.ApplicationServer.DataAccess;
using Tps.ManagedClaimsWell.ApplicationServer.Utility;
namespace ManagedClaimsWell.ApplicationServer.Core
{
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
services.AddControllers()
.AddNewtonsoftJson();
services.AddHttpClient();
var appServSettings = new AppServSettings(Configuration);
ClaimsWellCache.Inst.Load(ClaimsWellSchemaData.Load, IdentityData.UpdateNameLastAccessed);
services.AddSingleton<IDiscoveryCache>(r =>
{
var factory = r.GetRequiredService<IHttpClientFactory>();
return new DiscoveryCache(Constants.Authority, () => factory.CreateClient());
});
//services.AddAuthentication(options =>
//{
// options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
// options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
// options.DefaultChallengeScheme = IISDefaults.AuthenticationScheme;
//})
//.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
//{
// options.
// options.ExpireTimeSpan = TimeSpan.FromDays(1);
//});
services.AddAuthorization(options =>
{
options.AddPolicy("scope", policy =>
{
policy.AddAuthenticationSchemes(CookieAuthenticationDefaults.AuthenticationScheme)
.RequireAuthenticatedUser()
.RequireClaim("scope", "api1");
});
});
services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = "oidc";
})
.AddCookie(options =>
{
options.Cookie.Name = "idsrv";
})
.AddOpenIdConnect("oidc", options =>
{
options.Authority = Constants.Authority;
options.RequireHttpsMetadata = false;
options.ClientId = "mcw.appserver";
options.ClientSecret = "secret";
// code flow + PKCE (PKCE is turned on by default)
options.ResponseType = "code";
options.UsePkce = true;
options.Scope.Clear();
options.Scope.Add("openid");
options.Scope.Add("profile");
options.Scope.Add("email");
options.Scope.Add("api1");
////options.Scope.Add("transaction:123");
////options.Scope.Add("transaction");
options.Scope.Add("offline_access");
// not mapped by default
options.ClaimActions.MapJsonKey(JwtClaimTypes.WebSite, "website");
// keeps id_token smaller
options.GetClaimsFromUserInfoEndpoint = true;
options.SaveTokens = true;
var handler = new JwtSecurityTokenHandler();
handler.InboundClaimTypeMap.Clear();
options.SecurityTokenValidator = handler;
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = JwtClaimTypes.Name,
RoleClaimType = JwtClaimTypes.Role,
};
});
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers()
.RequireAuthorization();
});
}
}
}
不知道是否是问题,但是,一个问题是您在 IdentityServer 中
app.UseIdentityServer();
app.UseAuthorization();
app.UseAuthentication();
请参阅这篇文章,了解如何配置管道。
特别是,请注意它说:
UseIdentityServer 包括对 UseAuthentication 的调用,因此不必同时拥有这两者。
正如我在评论中所说,尝试从 postman 向 /signin-oidc 发送请求可能会由于身份验证工作方式中的各种内置功能而失败。 一个问题是您没有 OpenIdConnect 处理程序期望的正确 state 参数。 它是一个随机值,每次用户尝试进行身份验证时都会更改。
您的“ASP.NET API Service Startup.cs”是“客户端”,而不是 API。 您拥有的内容是供最终用户登录的。 在这里使用 postman 没有任何意义。 API 可能应该使用 UseJwtBearer 处理程序,并且您可以使用 PostMan 和有效的访问令牌向该处理程序发送请求。
通过oidc-client登录IdentityServer4时出现InvalidOperationException
[英]InvalidOperationException when signing in to IdentityServer4 via oidc-client
使用oidc-client和IdentityServer4在不同的域中登录
[英]SignIn with oidc-client and identityServer4 in different domain
IdentityServer4 作为 Identity/api 端点和 MVC 客户端的 IdentityServer 快速入门
[英]IdentityServer4 Quickstart for IdentityServer as Identity/api endpoints and MVC client
使用 IdentityServer4 和 DataProtection API 进行令牌签名
[英]Using IdentityServer4 with DataProtection API for token signing
使用 IdentityServer4 时如何在客户端检查 access_denied?
[英]How to check access_denied on client when using IdentityServer4?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.