How to create your own Facebook-like native SSO app?


Question

First of all, sorry for the possible duplication; I'm sure this question has been asked many times in many forms, but I can't find a clear answer or direction on how to start.

What I am trying to do is SSO for our organization's apps on Android, and I want it with a native experience (without a browser).

I have OIDC built on IdentityServer4, and it's already in production with web and mobile clients.

I'm not asking for implementation details here, just some reference, a good example of how to create an app which will be responsible for authentication and session management instead of the browser. Then I could create an SDK, install it in all apps, and they will share authentication logic through this native SSO app. Like Facebook does, e.g.

Answer

What you describe as a native experience is called the Resource Owner Credentials Grant.

To implement it in IdentityServer4 you need to implement the IResourceOwnerPasswordValidator interface.

using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Models;
using IdentityServer4.Validation;

public class CustomResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
{
    public Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
    {
        // Validate the user's username and password. Insert your logic here;
        // the hard-coded pair below is only a placeholder.
        if (context.UserName == "admin" && context.Password == "admin@123")
        {
            context.Result = new GrantValidationResult("123", OidcConstants.AuthenticationMethods.Password);
        }
        else
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Invalid username or password");
        }
        return Task.CompletedTask;
    }
}

Then configure IdentityServer4 to use it.

Add the code below in Startup.cs:

var builder = services.AddIdentityServer()
    .AddInMemoryIdentityResources(Config.Ids)
    .AddInMemoryApiResources(Config.Apis)
    .AddInMemoryClients(Config.Clients)
    .AddResourceOwnerValidator<CustomResourceOwnerPasswordValidator>();

And configure the client to use the Resource Owner Credentials Grant:

new Client
{
    ClientId = "resourceownerclient",

    // Allows grant_type=password as well as grant_type=client_credentials.
    AllowedGrantTypes = GrantTypes.ResourceOwnerPasswordAndClientCredentials,
    AccessTokenType = AccessTokenType.Jwt,
    AccessTokenLifetime = 3600,
    IdentityTokenLifetime = 3600,
    UpdateAccessTokenClaimsOnRefresh = true,
    // Only honoured with RefreshTokenExpiration = Sliding; with Absolute (below)
    // the AbsoluteRefreshTokenLifetime default of 30 days applies instead.
    SlidingRefreshTokenLifetime = 30,
    AllowOfflineAccess = true,
    RefreshTokenExpiration = TokenExpiration.Absolute,
    // Each refresh token is valid for one use; a new one is issued on every refresh.
    RefreshTokenUsage = TokenUsage.OneTimeOnly,
    AlwaysSendClientClaims = true,
    Enabled = true,
    // Stored hashed; the client sends the plain value "dataEventRecordsSecret".
    ClientSecrets = new List<Secret> { new Secret("dataEventRecordsSecret".Sha256()) },
    AllowedScopes = {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        IdentityServerConstants.StandardScopes.Email,
        IdentityServerConstants.StandardScopes.OfflineAccess,
        "dataEventRecords"
    }
}

Note the line AllowedGrantTypes = GrantTypes.ResourceOwnerPasswordAndClientCredentials.

Here is the link to what is probably IdentityServer's implementation with Microsoft Identity Core.

Here is the demo repository.
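For the client side of the grant the answer configures, here is an added example (not from the answer above and not IdentityServer's own code) of what the native SDK on the device would send to the token endpoint, using the IdentityModel.Client helpers. The authority URL, the class name and the credential values are assumptions; the client id, secret and scopes are the ones from the Client configuration above.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;

// Added illustration, not code from the answer or from IdentityServer4.
public sealed class NativeSsoTokenClient
{
    // Assumed authority; replace with the real IdentityServer4 base address.
    private const string Authority = "https://idsrv.example.com";
    private const string ClientId = "resourceownerclient";
    // Plain value whose .Sha256() is stored in ClientSecrets on the server.
    private const string ClientSecret = "dataEventRecordsSecret";
    private const string Scope = "openid profile email offline_access dataEventRecords";

    private readonly HttpClient _http = new HttpClient();

    // grant_type=password: the username and password are POSTed straight to
    // /connect/token. On the server this request reaches
    // IResourceOwnerPasswordValidator.ValidateAsync.
    public async Task<TokenResponse> PasswordSignInAsync(string userName, string password)
    {
        var disco = await _http.GetDiscoveryDocumentAsync(Authority);
        if (disco.IsError) throw new InvalidOperationException(disco.Error);

        var response = await _http.RequestPasswordTokenAsync(new PasswordTokenRequest
        {
            Address = disco.TokenEndpoint,
            ClientId = ClientId,
            ClientSecret = ClientSecret,
            UserName = userName,
            Password = password,
            Scope = Scope
        });

        if (response.IsError)
        {
            // A rejected password comes back as error=invalid_grant.
            throw new InvalidOperationException($"{response.Error}: {response.ErrorDescription}");
        }
        return response;
    }

    // grant_type=refresh_token: exchange the stored refresh token for a new pair.
    // With RefreshTokenUsage = TokenUsage.OneTimeOnly the old token is consumed by
    // this call, so the caller must persist response.RefreshToken afterwards.
    public async Task<TokenResponse> RefreshAsync(string refreshToken)
    {
        var disco = await _http.GetDiscoveryDocumentAsync(Authority);
        if (disco.IsError) throw new InvalidOperationException(disco.Error);

        var response = await _http.RequestRefreshTokenAsync(new RefreshTokenRequest
        {
            Address = disco.TokenEndpoint,
            ClientId = ClientId,
            ClientSecret = ClientSecret,
            RefreshToken = refreshToken
        });

        if (response.IsError)
            throw new InvalidOperationException($"{response.Error}: {response.ErrorDescription}");
        return response;
    }

    public static async Task Main(string[] args)
    {
        var sso = new NativeSsoTokenClient();

        // The credentials would come from the app's own login screen; these are
        // the placeholder values accepted by the validator above.
        var tokens = await sso.PasswordSignInAsync("admin", "admin@123");
        Console.WriteLine($"access token expires in {tokens.ExpiresIn}s");

        // Keep tokens.RefreshToken in the app's secure storage; later, renew with it
        // and replace the stored value with the newly issued one.
        var renewed = await sso.RefreshAsync(tokens.RefreshToken);
        Console.WriteLine($"new refresh token issued: {renewed.RefreshToken != tokens.RefreshToken}");
    }
}
```

One caveat for an Android client: a ClientSecret compiled into an app on the user's device can be extracted, so the client is effectively public; IdentityServer4 lets you model that with RequireClientSecret = false on the Client instead of relying on the secret. Also note that this exchange authenticates one app at a time; sharing the resulting session across several apps through one native SSO app is a separate piece the SDK would have to add.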
