標籤:key 頁面 context erb 定向 lstat cep absolute play
ASP.NET Core實現OAuth2的AuthorizationCode模式授權伺服器Program.cs --> Main方法中:需要調用UseUrls設定IdentityServer4授權服務的IP地址
1 var host = new WebHostBuilder()2 .UseKestrel()3 //IdentityServer4的使用需要配置UseUrls4 .UseUrls("http://localhost:5114")5 .UseContentRoot(Directory.GetCurrentDirectory())6 .UseIISIntegration()7 .UseStartup<Startup>()8 .Build();
Startup.cs -->ConfigureServices方法中的配置:
1 //RSA:認證長度2048以上,否則拋異常 2 //配置AccessToken的加密認證 3 var rsa = new RSACryptoServiceProvider(); 4 //從設定檔擷取加密認證 5 rsa.ImportCspBlob(Convert.FromBase64String(Configuration["SigningCredential"])); 6 //配置IdentityServer4 7 services.AddSingleton<IClientStore, MyClientStore>(); //注入IClientStore的實現,可用於運行時校正Client 8 services.AddSingleton<IScopeStore, MyScopeStore>(); //注入IScopeStore的實現,可用於運行時校正Scope 9 //注入IPersistedGrantStore的實現,用於儲存AuthorizationCode和RefreshToken等等,預設實現是儲存在記憶體中,10 //如果服務重啟那麼這些資料就會被清空了,因此可實現IPersistedGrantStore將這些資料寫入到資料庫或者NoSql(Redis)中11 services.AddSingleton<IPersistedGrantStore, MyPersistedGrantStore>();12 services.AddIdentityServer()13 .AddSigningCredential(new RsaSecurityKey(rsa));14 //.AddTemporarySigningCredential() //產生臨時的加密認證,每次重啟服務都會重建15 //.AddInMemoryScopes(Config.GetScopes()) //將Scopes設定到記憶體中16 //.AddInMemoryClients(Config.GetClients()) //將Clients設定到記憶體中
Startup.cs --> Configure方法中的配置:
1 //使用IdentityServer42 app.UseIdentityServer();3 //使用Cookie模組4 app.UseCookieAuthentication(new CookieAuthenticationOptions5 {6 AuthenticationScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme,7 AutomaticAuthenticate = false,8 AutomaticChallenge = false9 });Client配置
方式一:
.AddInMemoryClients(Config.GetClients()) //將Clients設定到記憶體中,IdentityServer4從中擷取進行驗證
方式二(推薦):
services.AddSingleton<IClientStore, MyClientStore>(); //注入IClientStore的實現,用於運行時擷取和校正Client
IClientStore的實現 1 public class MyClientStore : IClientStore 2 { 3 readonly Dictionary<string, Client> _clients; 4 readonly IScopeStore _scopes; 5 public MyClientStore(IScopeStore scopes) 6 { 7 _scopes = scopes; 8 _clients = new Dictionary<string, Client>() 9 {10 {11 "auth_clientid",12 new Client13 {14 ClientId = "auth_clientid",15 ClientName = "AuthorizationCode Clientid",16 AllowedGrantTypes = new string[] { GrantType.AuthorizationCode }, //允許AuthorizationCode模式17 ClientSecrets =18 {19 new Secret("secret".Sha256())20 },21 RedirectUris = { "http://localhost:6321/Home/AuthCode" },22 PostLogoutRedirectUris = { "http://localhost:6321/" },23 //AccessTokenLifetime = 3600, //AccessToken到期時間, in seconds (defaults to 3600 seconds / 1 hour)24 //AuthorizationCodeLifetime = 300, //設定AuthorizationCode的有效時間,in seconds (defaults to 300 seconds / 5 minutes)25 //AbsoluteRefreshTokenLifetime = 2592000, //RefreshToken的最大到期時間,in seconds. Defaults to 2592000 seconds / 30 day26 AllowedScopes = (from l in _scopes.GetEnabledScopesAsync(true).Result select l.Name).ToList(),27 }28 }29 };30 }31 32 public Task<Client> FindClientByIdAsync(string clientId)33 {34 Client client;35 _clients.TryGetValue(clientId, out client);36 return Task.FromResult(client);37 }38 }Scope配置
方式一:
.AddInMemoryScopes(Config.GetScopes()) //將Scopes設定到記憶體中,IdentityServer4從中擷取進行驗證
方式二(推薦):
services.AddSingleton<IScopeStore, MyScopeStore>(); //注入IScopeStore的實現,用於運行時擷取和校正Scope
IScopeStore的實現 1 public class MyScopeStore : IScopeStore 2 { 3 readonly static Dictionary<string, Scope> _scopes = new Dictionary<string, Scope>() 4 { 5 { 6 "api1", 7 new Scope 8 { 9 Name = "api1",10 DisplayName = "api1",11 Description = "My API",12 }13 },14 {15 //RefreshToken的Scope16 StandardScopes.OfflineAccess.Name,17 StandardScopes.OfflineAccess18 },19 };20 21 public Task<IEnumerable<Scope>> FindScopesAsync(IEnumerable<string> scopeNames)22 {23 List<Scope> scopes = new List<Scope>();24 if (scopeNames != null)25 {26 Scope sc;27 foreach (var sname in scopeNames)28 {29 if (_scopes.TryGetValue(sname, out sc))30 {31 scopes.Add(sc);32 }33 else34 {35 break;36 }37 }38 }39 //傳回值scopes不能為null40 return Task.FromResult<IEnumerable<Scope>>(scopes);41 }42 43 public Task<IEnumerable<Scope>> GetScopesAsync(bool publicOnly = true)44 {45 //publicOnly為true:擷取public的scope;為false:擷取所有的scope46 //這裡不做區分47 return Task.FromResult<IEnumerable<Scope>>(_scopes.Values);48 }49 }
資原始伺服器
資原始伺服器的配置在上一篇中已介紹(http://www.cnblogs.com/skig/p/6079457.html ),詳情也可參考原始碼。
測試
AuthorizationCode模式的流程圖(來自:https://tools.ietf.org/html/rfc6749):
流程實現步驟A第三方用戶端頁面簡單實現:
點擊AccessToken按鈕進行訪問授權伺服器,就是流程圖中步驟A:
1 //訪問授權伺服器2 return Redirect(OAuthConstants.AuthorizationServerBaseAddress + OAuthConstants.AuthorizePath + "?"3 + "response_type=code"4 + "&client_id=" + OAuthConstants.Clientid5 + "&redirect_uri=" + OAuthConstants.AuthorizeCodeCallBackPath6 + "&scope=" + OAuthConstants.Scopes 7 + "&state=" + OAuthConstants.State);步驟B
授權伺服器接收到請求後,會判斷使用者是否已經登陸,如果未登陸那麼跳轉到登陸頁面(如果已經登陸,登陸的一些相關資訊會儲存在cookie中):
1 /// <summary> 2 /// 登陸頁面 3 /// </summary> 4 [HttpGet] 5 public async Task<IActionResult> Login(string returnUrl) 6 { 7 var context = await _interaction.GetAuthorizationContextAsync(returnUrl); 8 var vm = BuildLoginViewModel(returnUrl, context); 9 return View(vm);10 }11 12 /// <summary>13 /// 登陸帳號驗證14 /// </summary>15 [HttpPost]16 [ValidateAntiForgeryToken]17 public async Task<IActionResult> Login(LoginInputModel model)18 {19 if (ModelState.IsValid)20 {21 //帳號密碼驗證22 if (model.Username == "admin" && model.Password == "123456")23 {24 AuthenticationProperties props = null;25 //判斷是否 記住登陸26 if (model.RememberLogin)27 {28 props = new AuthenticationProperties29 {30 IsPersistent = true,31 ExpiresUtc = DateTimeOffset.UtcNow.AddMonths(1)32 };33 };34 //參數一:Subject,可在資原始伺服器中擷取到,資原始伺服器通過User.Claims.Where(l => l.Type == "sub").FirstOrDefault();擷取35 //參數二:帳號36 await HttpContext.Authentication.SignInAsync("admin", "admin", props);37 //驗證ReturnUrl,ReturnUrl為重新導向到授權頁面38 if (_interaction.IsValidReturnUrl(model.ReturnUrl))39 {40 return Redirect(model.ReturnUrl);41 }42 return Redirect("~/");43 }44 ModelState.AddModelError("", "Invalid username or password.");45 }46 //建置錯誤資訊的LoginViewModel47 var vm = await BuildLoginViewModelAsync(model);48 return View(vm);49 }
登陸成功後,重新導向到授權頁面,詢問使用者是否授權,就是流程圖的步驟B了:
1 /// <summary> 2 /// 顯示使用者可授與權限 3 /// </summary> 4 /// <param name="returnUrl"></param> 5 /// <returns></returns> 6 [HttpGet] 7 public async Task<IActionResult> Index(string returnUrl) 8 { 9 var vm = await BuildViewModelAsync(returnUrl);10 if (vm != null)11 {12 return View("Index", vm);13 }14 15 return View("Error", new ErrorViewModel16 {17 Error = new ErrorMessage { Error = "Invalid Request" },18 });19 } 步驟C
授權成功,重新導向到redirect_uri(步驟A傳遞的)所指定的地址(第三方端),並且會把Authorization Code也設定到url的參數code中:
1 /// <summary> 2 /// 使用者授權驗證 3 /// </summary> 4 [HttpPost] 5 [ValidateAntiForgeryToken] 6 public async Task<IActionResult> Index(ConsentInputModel model) 7 { 8 //解析returnUrl 9 var request = await _interaction.GetAuthorizationContextAsync(model.ReturnUrl);10 if (request != null && model != null)11 {12 if (ModelState.IsValid)13 {14 ConsentResponse response = null;15 //使用者不同意授權16 if (model.Button == "no")17 {18 response = ConsentResponse.Denied;19 }20 //使用者同意授權21 else if (model.Button == "yes")22 {23 //設定已選擇授權的Scopes24 if (model.ScopesConsented != null && model.ScopesConsented.Any())25 {26 response = new ConsentResponse27 {28 RememberConsent = model.RememberConsent,29 ScopesConsented = model.ScopesConsented30 };31 }32 else33 {34 ModelState.AddModelError("", "You must pick at least one permission.");35 }36 }37 else38 {39 ModelState.AddModelError("", "Invalid Selection");40 }41 if (response != null)42 {43 //將授權的結果設定到identityserver中44 await _interaction.GrantConsentAsync(request, response);45 //授權成功重新導向46 return Redirect(model.ReturnUrl);47 }48 }49 //有錯誤,重新授權50 var vm = await BuildViewModelAsync(model.ReturnUrl, model);51 if (vm != null)52 {53 return View(vm);54 }55 }56 return View("Error", new ErrorViewModel57 {58 Error = new ErrorMessage { Error = "Invalid Request" },59 });60 } 步驟D
授權成功後重新導向到指定的第三方端(步驟A所指定的redirect_uri),然後這個重新導向的地址中去實現擷取AccessToken(就是由第三方端實現):
1 public IActionResult AuthCode(AuthCodeModel model) 2 { 3 GrantClientViewModel vmodel = new GrantClientViewModel(); 4 if (model.state == OAuthConstants.State) 5 { 6 //通過Authorization Code擷取AccessToken 7 var client = new HttpClientHepler(OAuthConstants.AuthorizationServerBaseAddress + OAuthConstants.TokenPath); 8 client.PostAsync(null, 9 "grant_type=" + "authorization_code" +10 "&code=" + model.code + //Authorization Code11 "&redirect_uri=" + OAuthConstants.AuthorizeCodeCallBackPath +12 "&client_id=" + OAuthConstants.Clientid +13 "&client_secret=" + OAuthConstants.Secret,14 hd => hd.ContentType = new System.Net.Http.Headers.MediaTypeHeaderValue("application/x-www-form-urlencoded"),15 rtnVal =>16 {17 var jsonVal = JsonConvert.DeserializeObject<dynamic>(rtnVal);18 vmodel.AccessToken = jsonVal.access_token;19 vmodel.RefreshToken = jsonVal.refresh_token;20 },21 fault => _logger.LogError("Get AccessToken Error: " + fault.ReasonPhrase),22 ex => _logger.LogError("Get AccessToken Error: " + ex)).Wait();23 }24 25 return Redirect("~/Home/Index?" 26 + nameof(vmodel.AccessToken) + "=" + vmodel.AccessToken + "&"27 + nameof(vmodel.RefreshToken) + "=" + vmodel.RefreshToken);28 } 步驟E
授權伺服器對步驟D請求傳遞的Authorization Code進行驗證,驗證成功產生AccessToken並返回:
其中,點擊RefreshToken進行重新整理AccessToken:
1 //重新整理AccessToken 2 var client = new HttpClientHepler(OAuthConstants.AuthorizationServerBaseAddress + OAuthConstants.TokenPath); 3 client.PostAsync(null, 4 "grant_type=" + "refresh_token" + 5 "&client_id=" + OAuthConstants.Clientid + 6 "&client_secret=" + OAuthConstants.Secret + 7 "&refresh_token=" + model.RefreshToken, 8 hd => hd.ContentType = new System.Net.Http.Headers.MediaTypeHeaderValue("application/x-www-form-urlencoded"), 9 rtnVal =>10 {11 var jsonVal = JsonConvert.DeserializeObject<dynamic>(rtnVal);12 vmodel.AccessToken = jsonVal.access_token;13 vmodel.RefreshToken = jsonVal.refresh_token;14 },15 fault => _logger.LogError("RefreshToken Error: " + fault.ReasonPhrase),16 ex => _logger.LogError("RefreshToken Error: " + ex)).Wait();
點擊CallResources訪問資原始伺服器:
1 //訪問資源服務2 var client = new HttpClientHepler(OAuthConstants.ResourceServerBaseAddress + OAuthConstants.ResourcesPath);3 client.GetAsync(null,4 hd => hd.Add("Authorization", "Bearer " + model.AccessToken),5 rtnVal => vmodel.Resources = rtnVal,6 fault => _logger.LogError("CallResources Error: " + fault.ReasonPhrase),7 ex => _logger.LogError("CallResources Error: " + ex)).Wait();
點擊Logout為登出登陸:
1 //訪問授權伺服器,登出登陸2 return Redirect(OAuthConstants.AuthorizationServerBaseAddress + OAuthConstants.LogoutPath + "?"3 + "logoutId=" + OAuthConstants.Clientid);
授權伺服器的登出實現代碼:
1 /// <summary> 2 /// 登出登陸頁面(因為帳號的一些相關資訊會儲存在cookie中的) 3 /// </summary> 4 [HttpGet] 5 public async Task<IActionResult> Logout(string logoutId) 6 { 7 if (User.Identity.IsAuthenticated == false) 8 { 9 //如果使用者並未授權過,那麼返回10 return await Logout(new LogoutViewModel { LogoutId = logoutId });11 }12 //顯示登出提示, 這可以防止攻擊, 如果使用者簽署了另一個惡意網頁13 var vm = new LogoutViewModel14 {15 LogoutId = logoutId16 };17 return View(vm);18 }19 20 /// <summary>21 /// 處理登出登陸22 /// </summary>23 [HttpPost]24 [ValidateAntiForgeryToken]25 public async Task<IActionResult> Logout(LogoutViewModel model)26 {27 //清除Cookie中的授權資訊28 await HttpContext.Authentication.SignOutAsync();29 //設定User使之呈現為匿名使用者30 HttpContext.User = new ClaimsPrincipal(new ClaimsIdentity());31 Client logout = null;32 if (model != null && !string.IsNullOrEmpty(model.LogoutId))33 {34 //擷取Logout的相關資訊35 logout = await _clientStore.FindClientByIdAsync(model.LogoutId); 36 }37 var vm = new LoggedOutViewModel38 {39 PostLogoutRedirectUri = logout?.PostLogoutRedirectUris?.FirstOrDefault(),40 ClientName = logout?.ClientName,41 };42 return View("LoggedOut", vm);43 }
ASP.NET Core實現OAuth2.0的AuthorizationCode模式
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
