How to issue an access token based on Windows Authentication with Identity Server 4


Problem description


My goal is to protect a Web API, such that it can only be accessed by a client using an access token issued by IS based on Windows authentication. I worked through this basic sample: http://docs.identityserver.io/en/release/quickstarts/1_client_credentials.html


Now, I need to extend the basic sample such that the access token returned to the client is issued based on Windows authentication. More specifically, I need the user (who is executing the client application) to be authenticated against Active Directory when requesting an access token. How should this be done?


I have already been running the quick start (https://github.com/IdentityServer/IdentityServer4.Templates) successfully, where the login is based on a Windows external provider, but I cannot figure out how to adopt this functionality to my strategy.


I tried using an Extension Grant (http://docs.identityserver.io/en/release/topics/extension_grants.html) and have the ValidateAsync() method be the one to do the authentication against AD, but could not make it work (primarily since HttpContext is not available). Is this even the correct approach?

Update


In this system, the client is a console application (without human interaction), thus the context is the account running the application. I have been running the QuickstartUI and see how the AccountController logic handles the "Windows" button, but cannot grasp how to combine this with requesting access tokens. My client code goes like this:

using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;      // DiscoveryClient, TokenClient, SetBearerToken (IdentityModel 2.x/3.x API)
using Newtonsoft.Json.Linq;

class Program
{
    // async Main requires C# 7.1 or later
    static async Task Main(string[] args)
    {
        // discover the token endpoint from IdentityServer
        var disco = await DiscoveryClient.GetAsync("http://localhost:50010");

        var tokenClient = new TokenClient(disco.TokenEndpoint);
        var tokenResponse = await tokenClient.RequestCustomGrantAsync("CustomWindows"); // Not sure about this

        // call the protected API with the access token as a bearer token
        var client = new HttpClient();
        client.SetBearerToken(tokenResponse.AccessToken);

        var response = await client.GetAsync("http://localhost:50011/api/identity");
        var content = await response.Content.ReadAsStringAsync();
        Console.WriteLine(JArray.Parse(content));

        Console.ReadLine();
    }
}


I am not sure how to use the TokenClient to get an access token in this case. I would prefer not to store and use passwords, but have IS issue access tokens based on authenticating the client context against AD. If implicit or hybrid flows must be used in this case, how must that be done?

Recommended answer


I had the same requirement and implemented it using an extension grant.
This is the code of the extension grant:

using System.Security.Principal;              // WindowsPrincipal
using System.Threading.Tasks;
using IdentityServer4.Models;                 // GrantValidationResult
using IdentityServer4.Validation;             // IExtensionGrantValidator, ExtensionGrantValidationContext
using Microsoft.AspNetCore.Authentication;    // AuthenticateAsync / ChallengeAsync extension methods
using Microsoft.AspNetCore.Http;              // HttpContext, IHttpContextAccessor

// WinAuthConstants is not shown in the answer; it is expected to hold the grant type
// ("windows_auth", see the client code below) and the Windows authentication scheme name.
public class WinAuthGrantValidator : IExtensionGrantValidator
{
    private readonly HttpContext httpContext;

    public string GrantType => WinAuthConstants.GrantType;

    // IHttpContextAccessor gives the validator access to the current request,
    // which is what a plain extension grant does not have
    public WinAuthGrantValidator(IHttpContextAccessor httpContextAccessor)
    {
        httpContext = httpContextAccessor.HttpContext;
    }

    public async Task ValidateAsync(ExtensionGrantValidationContext context)
    {
        // see if windows auth has already been requested and succeeded
        var result = await httpContext.AuthenticateAsync(WinAuthConstants.WindowsAuthenticationSchemeName);
        if (result?.Principal is WindowsPrincipal wp)
        {
            // the Windows account name becomes the token subject; its claims are carried along
            context.Result = new GrantValidationResult(wp.Identity.Name, GrantType, wp.Claims);
        }
        else
        {
            // trigger windows auth (Negotiate/NTLM challenge); the client retries with credentials
            await httpContext.ChallengeAsync(WinAuthConstants.WindowsAuthenticationSchemeName);
            context.Result = new GrantValidationResult { IsError = false, Error = null, Subject = null };
        }
    }
}

This is the client code:

// let HttpClient answer the Negotiate/NTLM challenge with the credentials of the account running the process
var httpHandler = new HttpClientHandler
{
    UseDefaultCredentials = true,
};

// request token (disco is the result of DiscoveryClient.GetAsync as in the question)
var tokenClient = new TokenClient(disco.TokenEndpoint, "client", "secret", httpHandler, AuthenticationStyle.PostValues);
var tokenResponse = await tokenClient.RequestCustomGrantAsync("windows_auth", "api1");
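The answer shows the validator and the client but not the IdentityServer wiring that makes them work together. The following is an added example (not code from the answer or from IdentityServer) of that wiring; it assumes the WinAuthConstants values "windows_auth" and "Windows", the client id/secret and the "api1" scope from the answer, and self-hosting on HTTP.sys so that Windows authentication is available.

```csharp
using IdentityServer4.Models;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Server.HttpSys;
using Microsoft.Extensions.DependencyInjection;

// Assumed: the answer references WinAuthConstants but does not show it.
public static class WinAuthConstants
{
    public const string GrantType = "windows_auth";                  // value sent by the answer's client
    public const string WindowsAuthenticationSchemeName = "Windows"; // HttpSysDefaults/IISDefaults scheme
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddHttpContextAccessor(); // the validator resolves HttpContext through this
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()
            .AddInMemoryApiResources(new[] { new ApiResource("api1", "Protected API") })
            .AddInMemoryClients(new[]
            {
                new Client
                {
                    ClientId = "client",
                    ClientSecrets = { new Secret("secret".Sha256()) },
                    // only the Windows extension grant: no password or client-credentials grant for this client
                    AllowedGrantTypes = { WinAuthConstants.GrantType },
                    AllowedScopes = { "api1" }
                }
            })
            .AddExtensionGrantValidator<WinAuthGrantValidator>(); // the answer's validator
    }
    public void Configure(IApplicationBuilder app) => app.UseIdentityServer();
}

public static class Program
{
    public static void Main(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .UseStartup<Startup>()
            .UseHttpSys(options =>
            {
                // Kerberos/NTLM is negotiated by the host; anonymous stays allowed so discovery is reachable
                // and the validator, not the server, decides when to challenge
                options.Authentication.Schemes = AuthenticationSchemes.Negotiate | AuthenticationSchemes.NTLM;
                options.Authentication.AllowAnonymous = true;
            })
            .Build().Run();
}
```

With this configuration a token request with grant_type=windows_auth from a client that has no Windows identity receives the challenge rather than a token, and a client not listed with this grant type is rejected before the validator runs.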
