Central Authorization & Authentication Endpoint Using AspNet.Security.OpenIdConnect.Server (OIDC)


Problem description

I am using Visual Studio 2015 Enterprise Update 1 and ASP.NET 5 rc1-final to build an endpoint that both issues and consumes JWT tokens as described in detail here: http://stackoverflow.com/questions/33401936/validating-tokens-issued-by-aspnet-security-openidconnect-server-asp-net-vnext. In this approach we have a single project that 'does it all' - the project uses OIDC to issue tokens, JWT bearer authentication to validate them and then guards access to various controllers using the Authorize attribute - all in the same project.

Now we would like to refactor this solution by creating an OIDC authorization & authentication endpoint that only issues and validates tokens. Then we want 'n' additional endpoints that rely on that OIDC endpoint as a central authority for authenticating tokens. This will allow us to stand up additional endpoints on our growing service backbone without having to code the authorization & authentication into every endpoint.

While I understand how to configure OIDC to issue tokens from one endpoint, it's not entirely clear how I would point my other endpoint to the OIDC endpoint for token authentication. Presently JWT authentication and OIDC are simultaneously configured in the middleware 'Configure' method so I'm guessing perhaps on all the subordinate sites I would have a small piece of code in calling app.UseJwtBearerAuthentication simply pointing the JWT middleware to the OIDC endpoint? If this is the case there's still a bit of magic taking place with the app.UseJwtBearerAuthentication that uses OIDC to allow IdentityModel to use HTTP, so I'm not clear if I would need this on the subordinate servers also.

Any advice on how to establish a single OIDC authorization & authentication endpoint and then have 'n' subordinate endpoints point to that endpoint for authentication of JWT tokens would be very much appreciated.

Solution

Separating the resource server role (i.e. the API) from the authorization server role is definitely possible with ASOS.

When opting for JWT tokens (instead of the default encrypted tokens), you need to ensure the audience is correctly added to the authentication ticket by calling ticket.SetResources, so the JWT access token gets the appropriate aud claim, containing the identifier associated with your resource server (i.e. API):

public override Task GrantResourceOwnerCredentials(GrantResourceOwnerCredentialsContext context) {
    var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
    identity.AddClaim(ClaimTypes.NameIdentifier, "[unique identifier]");

    var ticket = new AuthenticationTicket(
        new ClaimsPrincipal(identity),
        new AuthenticationProperties(),
        context.Options.AuthenticationScheme);

    // Call SetResources with the list of resource servers
    // the access token should be issued for.
    ticket.SetResources("resource_server_1");

    // Call SetScopes with the list of scopes you want to grant.
    ticket.SetScopes("profile", "offline_access");

    context.Validate(ticket);

    return Task.FromResult(0);
}

In your API app, you just have to set the options.Audience property with the identifier used in the authorization server, and it should work:

app.UseJwtBearerAuthentication(new JwtBearerOptions {
    AutomaticAuthenticate = true,
    AutomaticChallenge = true,
    Audience = "resource_server_1",
    Authority = "http://localhost:61854"
});

I would have a small piece of code in calling app.UseJwtBearerAuthentication simply pointing the JWT middleware to the OIDC endpoint? If this is the case there's still a bit of magic taking place with the app.UseJwtBearerAuthentication that uses OIDC to allow IdentityModel to use HTTP, so I'm not clear if I would need this on the subordinate servers also.

The JWT bearer middleware automatically retrieves the cryptographic key used to sign the access token from the authorization server mentioned in the options.Authority property, by making an HTTP call to the configuration metadata endpoint: you don't have to configure anything, even if the API project is separated from the authorization server app.
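The following is an added example, not code from the question or the answer above, showing what a complete subordinate resource server looks like once the authorization server is a separate app. It assumes ASP.NET 5 RC1 package names, an authority URL (https://auth.example.com is a placeholder), the audience value "resource_server_1" from the answer, and an OrdersController that exists only for illustration. Beyond the answer's snippet it turns on RequireHttpsMetadata outside development (the discovery document tells the API which signing keys to trust, so it must not travel over plain HTTP in production), makes the issuer, audience, lifetime and signing-key checks explicit, and guards a controller with a policy that requires the NameIdentifier claim the GrantResourceOwnerCredentials sample adds to the ticket.

```csharp
// Added example (not part of the original question or answer): a resource-server
// Startup for ASP.NET 5 RC1 that trusts JWT access tokens issued by a separate
// ASOS authorization server. Authority URLs and the controller are assumptions.
using System;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using Microsoft.AspNet.Authentication.JwtBearer;
using Microsoft.AspNet.Authorization;
using Microsoft.AspNet.Builder;
using Microsoft.AspNet.Hosting;
using Microsoft.AspNet.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
        services.AddAuthorization(options =>
        {
            // Only callers whose ticket carried a NameIdentifier claim (as the
            // GrantResourceOwnerCredentials sample on the authorization server adds)
            // are allowed through this policy.
            options.AddPolicy("KnownUser",
                policy => policy.RequireClaim(ClaimTypes.NameIdentifier));
        });
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        app.UseJwtBearerAuthentication(new JwtBearerOptions
        {
            AutomaticAuthenticate = true,
            AutomaticChallenge = true,

            // Must match the value passed to ticket.SetResources(...) on the
            // authorization server; otherwise the aud check below rejects the token.
            Audience = "resource_server_1",

            // The discovery document (/.well-known/openid-configuration) and the
            // signing keys are fetched from here. This is the only link between
            // the two apps. https://auth.example.com is a placeholder.
            Authority = env.IsDevelopment()
                ? "http://localhost:61854"
                : "https://auth.example.com",

            // Plain-HTTP metadata is tolerated only in development: an attacker
            // who can rewrite the metadata response can substitute signing keys.
            RequireHttpsMetadata = !env.IsDevelopment(),

            TokenValidationParameters = new TokenValidationParameters
            {
                // The issuer is taken from the discovery document, so no
                // ValidIssuer is hard-coded here; the check itself stays on.
                ValidateIssuer = true,
                ValidateAudience = true,
                ValidateLifetime = true,
                ValidateIssuerSigningKey = true,
                // Tight skew so expired tokens are not accepted for long.
                ClockSkew = TimeSpan.FromMinutes(1)
            }
        });

        app.UseMvc();
    }
}

// Illustrative controller: every action requires a validated bearer token
// whose principal satisfies the "KnownUser" policy.
[Route("api/[controller]")]
public class OrdersController : Controller
{
    [HttpGet]
    [Authorize("KnownUser")]
    public IActionResult Get()
    {
        var subject = User.FindFirst(ClaimTypes.NameIdentifier).Value;
        return Ok(new { subject, resource = "resource_server_1" });
    }
}
```

Every additional subordinate API repeats only this Startup; none of the ASOS configuration (signing certificate, token endpoint, GrantResourceOwnerCredentials) lives outside the authorization server project. The one value the two sides share is the audience string, and a token minted for a different resource server (a different ticket.SetResources value) is rejected here by the audience check even though it was signed by the same authority.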
