How can we enable SSO with IdentityServer 4?


Question

Should I create only one client that all my applications must use to connect to the identity server, or is there configuration I should do to make it work?

IdentityServer is a Web API, and the grant type is "resource owner password".

Recommended answer

Each application is a client. But whether you should use the same client_id is up to you. Personally I use different client_ids for each instance of an application. This helps me to identify the instance and allows me to use different secrets per instance. And I think that the client_id has to be unique when you are using refresh tokens.

SSO is something you get for free when you use OpenId Connect (oidc). It works because of a cookie on the IdentityServer website:

When a user has to log in, the user is redirected to the IdentityServer website where (after successful authentication) a cookie is set, containing information about the identity of the user.

When the user is returned to the client (after successful authentication) the client will also set a cookie. As long as this authentication cookie is available, the user will be logged in.

When the user needs to log in again, because the client can't authenticate the user (anymore), IdentityServer will try to identify the user with the information from the cookie on the IdentityServer website and (if successful) automatically sign in the user, skipping the login form.

But it seems that your setup has nothing to do with oidc. When you say that IdentityServer is a Web Api then this suggests that the user is not redirected to the IdentityServer to log in, meaning that there is no opportunity to set a cookie.

And Resource Owner Password Credentials (ROPC) is an OAuth2 grant type. This suggests that the user performs the login on the client.

In order to enable SSO, the user has to log in on the IdentityServer website. While ROPC is still possible, you'd better use one of the recommended grant types.
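As an added illustration (not code from the question, the answer, or IdentityServer4's own samples), the two ASP.NET Core configuration excerpts below put the answer's points into working form: on the IdentityServer side, one Client entry per application instance with its own client_id and secret, using the authorization code grant (one of the recommended interactive types) next to an ROPC client like the one the question describes; on the client side, the local cookie handler plus the OpenID Connect handler that redirects the browser to IdentityServer, which is the only place the SSO cookie can be set. The hostnames, client ids, secrets and the "api1" scope are placeholders, not values from the page.

```csharp
// IdentityServer4 host: client registrations (Startup.cs excerpt).
// Added example; all ids, secrets and URLs are placeholders.
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

public static class Clients
{
    // One Client per application instance, each with its own client_id and
    // secret, so an instance can be identified, rotated or revoked on its own.
    public static IEnumerable<Client> Get() => new[]
    {
        // Instance A of the web app: authorization code + PKCE. The browser is
        // redirected to IdentityServer to log in, so IdentityServer's own
        // cookie gets written and every client configured this way shares SSO.
        new Client
        {
            ClientId = "webapp-instance-a",
            ClientSecrets = { new Secret("placeholder-secret-a".Sha256()) },
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            RedirectUris = { "https://app-a.example.test/signin-oidc" },
            PostLogoutRedirectUris = { "https://app-a.example.test/signout-callback-oidc" },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "api1"
            },
            AllowOfflineAccess = true   // refresh tokens are issued per client_id
        },
        // Instance B is the same application deployed elsewhere: separate id,
        // secret and redirect URI, otherwise identical.
        new Client
        {
            ClientId = "webapp-instance-b",
            ClientSecrets = { new Secret("placeholder-secret-b".Sha256()) },
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            RedirectUris = { "https://app-b.example.test/signin-oidc" },
            PostLogoutRedirectUris = { "https://app-b.example.test/signout-callback-oidc" },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "api1"
            },
            AllowOfflineAccess = true
        },
        // ROPC client as in the question: the client collects the password and
        // posts it straight to the token endpoint. No browser round trip, so no
        // IdentityServer cookie, so no SSO. Shown only for contrast.
        new Client
        {
            ClientId = "legacy-ropc-client",
            ClientSecrets = { new Secret("placeholder-secret-ropc".Sha256()) },
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            AllowedScopes = { "api1" }
        }
    };
}

// In Startup.ConfigureServices of the IdentityServer host:
// services.AddIdentityServer()
//     .AddInMemoryClients(Clients.Get())
//     .AddInMemoryIdentityResources(/* openid, profile */ ...)
//     .AddInMemoryApiScopes(/* api1 */ ...)
//     .AddTestUsers(...);

// Client application (ASP.NET Core), Startup.ConfigureServices excerpt.
// "Cookies" is the client's own session cookie from the answer; "oidc" is the
// challenge scheme that sends the browser to IdentityServer. Once the local
// cookie expires, the next challenge lands on IdentityServer, whose cookie
// signs the user in again without showing the login form.
public static class ClientAuth
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = "Cookies";
            options.DefaultChallengeScheme = "oidc";
        })
        .AddCookie("Cookies")
        .AddOpenIdConnect("oidc", options =>
        {
            options.Authority = "https://identityserver.example.test"; // placeholder
            options.ClientId = "webapp-instance-a";                     // this instance's id
            options.ClientSecret = "placeholder-secret-a";              // this instance's secret
            options.ResponseType = "code";
            options.UsePkce = true;
            options.Scope.Add("api1");            // "openid" and "profile" are added by default
            options.Scope.Add("offline_access");  // pairs with AllowOfflineAccess above
            options.SaveTokens = true;
        });
        // Remember app.UseAuthentication() and app.UseAuthorization() in Configure.
    }
}
```

Instance B's application uses the same ClientAuth block with its own ClientId, ClientSecret and callback path. The two web clients get SSO between them because both redirect the user through IdentityServer's login page; the ROPC client never does, which is exactly why the question's setup has no cookie to work with.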
