Identity Server和用于用户管理的Web API [英] Identity Server and web api for user management
问题描述
我正在为我的项目使用Identity Server3,我目前有一个受ID服务器保护的网站和api,但工作正常,但是因为我将用户存储在ID服务器数据库中,所以我无法真正更改网站上的任何用户数据,例如更改个人资料图片或任何索赔值.
I'm using Identity Server3 for my project, I currently have a website and api being protected by the Id server, this is working fine however because I'm storing the users in the Id Server database I can't really change any user's data from the website like changing the profile picture or any claim value.
为了解决这个问题,我正在考虑在IdServer上创建一个API,该API将管理用户,更改密码,检索用户或基本上更改与用户相关的任何内容,我想在使用Owin映射的IdServer所在的示例项目.
In order to solve this I'm thinking in creating an API on top of IdServer, this API will manage the users, changing a password, retrieving users or changing anything related to a user basically, I want to create this API on the sample project where I have my IdServer using Owin mapping.
现在,我的idServer在/identity路由中像这样
Right now I have my idServer in the /identity route like this
public class Startup
{
public void Configuration(IAppBuilder app)
{
Log.Logger = new LoggerConfiguration().MinimumLevel.Debug().WriteTo.Trace().CreateLogger();
app.Map("/identity", idserverApp =>
{
var efConfig = new EntityFrameworkServiceOptions
{
ConnectionString = "IdSvr3Config"
};
var options = new IdentityServerOptions
{
SiteName = "Identity server",
IssuerUri = ConfigurationManager.AppSettings["idserver:stsIssuerUri"],
PublicOrigin = ConfigurationManager.AppSettings["idserver:stsOrigen"],
SigningCertificate = Certificate.Get(),
Factory = Factory.Configure(efConfig),
AuthenticationOptions = AuthOptions.Configure(app),
CspOptions = new CspOptions { Enabled = false },
EnableWelcomePage=false
};
new TokenCleanup(efConfig, 3600 * 6).Start();
idserverApp.UseIdentityServer(options);
});
app.UseIdServerApi();
}
}
我的api中间件"就是这样
My api "middleware" is as this
**public static class IdServerApiExtensions
{
public static void UseIdServerApi(this IAppBuilder app, IdServerApiOptions options = null)
{
if (options == null)
options = new IdServerApiOptions();
if (options.RequireAuthentication)
{
var dic = app.Properties;
JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
app.UseIdentityServerBearerTokenAuthentication(
new IdentityServerBearerTokenAuthenticationOptions
{
Authority = "https://localhost:44302/identity", //here is the problem, it says not found even though I already mapped idServer to /identity
RequiredScopes = new[]
{
"idserver-api"
},
ValidationMode=ValidationMode.ValidationEndpoint
});
}
var config = new HttpConfiguration();
WebApiConfig.Register(config,options.RequireAuthentication);
app.UseNinjectMiddleware(() => NinjectConfig.CreateKernel.Value);
app.UseNinjectWebApi(config);
app.Use<IdServerApiMiddleware>(options);
}
}**
我知道有可能我只是不知道将api放在同一个项目中是否是一个好主意,而且我也不知道该怎么做.
I know is possible I just don't know if it is a good idea to have the api on the same project or not and also I don't know how to do it.
- 创建此API来管理用户是否是一个好主意?如果不能,我该怎么用?
- 如何创建适当的设置以启动/api下的API,同时使用IdServer保护此api?
更新
添加 ValidationMode = ValidationMode.ValidationEndpoint 可以解决我的问题,这要归功于Scott Brady
Adding ValidationMode=ValidationMode.ValidationEndpoint, fixed my problem, thanks to Scott Brady
谢谢
推荐答案
Identity Server团队的一般建议是将任何管理页面或API作为一个单独的项目运行(
The general advice from the Identity Server team is to run any admin pages or API as a separate project (Most recent example). Best practice would be only to give your Identity Server and identity management applications access to your identity database/store.
是的,要管理用户,可以编写自己的API.其他选择是将其包含在单个MVC网站中或使用 Identity Manager 之类的东西.
To manage your users, yes, you could write your own API. Other options would be to contain it to a single MVC website or to use something like Identity Manager.
但是,仍然可以使用OWIN映射使用相同的应用程序方法.为了确保这一点,您可以使用 IdentityServer3.AccessTokenValidation 包,并使用以下代码:
You can still use the same application approach however, using the OWIN map. To secure this you could use the IdentityServer3.AccessTokenValidation package, using code such as:
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
Authority = ConfigurationManager.AppSettings["idserver:stsOrigen"],
RequiredScopes = new[] { "adminApi" },
ValidationMode = ValidationMode.ValidationEndpoint
});
这篇关于Identity Server和用于用户管理的Web API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!