Identity Server 4 and docker


Problem description

I'm trying to configure IdentityServer4 with docker but I cannot make it work. To get started, I took the Client Credential example of the identity server documentation: Protecting an API using Client Credentials

IdentityServer
Hosted on port 5000

WebApi
Hosted on port 5001

In the Configure method of the Startup.cs file of my WebApi I did the following (the problem is probably here):

app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
    Authority = "http://web:5000",
    RequireHttpsMetadata = false,
    ApiName = "api1"
});

Client
And the client

// Everything is fine here...
var disco = await DiscoveryClient.GetAsync("http://localhost:5000");
var tokenClient = new TokenClient(disco.TokenEndpoint, "client", "secret");
var tokenResponse = await tokenClient.RequestClientCredentialsAsync("api");

// This does not work
var client = new HttpClient();
client.SetBearerToken(tokenResponse.AccessToken);
var response = await client.GetAsync("http://localhost:5001/identity");

The problem is probably in my WebApi:

1) If I set the authority to localhost:5000, I get an internal server error: "Unable to obtain configuration from: 'http://localhost:5000/.well-known/openid-configuration'" which makes sense since localhost:5000 is unknown in this container

2) If I set the authority to http://web:5000 I get an authorization error: "Issuer validation failed. Issuer: 'http://localhost:5000'. Did not match: validationParameters.ValidIssuer: 'http://web:5000' or validationParameters.ValidIssuers" which also makes sense but I don't know if it's possible to change the authority name? I also tried to set the IssuerUri in the IdentityServer project but it didn't help

Recommended answer

Network

Let's suppose you have two physical machines: C1 and C2. Each machine is a docker host.

C1 runs Auth container.

C2 runs WebApi container.

As you expose port 5000 in Auth dockerfile, the address C1:5000 should be accessible from C2 and from WebApi container itself. You could prefer IPs to DNS, it doesn't matter. Moreover you should be able to make a successful GET request to http://C1:5000/.well-known/openid-configuration to be sure.

There are a lot of network issues you could face to achieve that. For example: What would prevent code running in a Docker container from connecting to a database on a separate server?

Issuer validation

Issuer validation failed

Your client's authority URL differs from Auth hostname. By default, authority URL should be equal to issuer property value (this property is in Identity Server autodiscovery document response).

issuer property value depends on your client's web request:

GET http://127.0.0.1:6000/.well-known/openid-configuration -> "issuer": "http://127.0.0.1:6000"
GET http://localhost:6000/.well-known/openid-configuration -> "issuer": "localhost:6000"

Try to set IssuerUri to a constant for a dev environment:

services.AddIdentityServer(x =>
{
    x.IssuerUri = "foo";
});

to achieve a constant issuer value. This allows to call Identity Server by any valid URL (using IP, machine name or DNS):

GET http://anything/.well-known/openid-configuration -> "issuer": "foo"

DiscoveryClient also validates issuer value. It's a simple equality comparison:

public bool ValidateIssuerName(string issuer, string authority)
{
    return string.Equals(issuer, authority, StringComparison.Ordinal);
}

You could disable it by:

DiscoveryClient.Policy.ValidateIssuerName = false;

FYI, the IssuerUri setting (from the IdentityServer4 documentation):

IssuerUri: Set the issuer name that will appear in the discovery document and the issued JWT tokens. It is recommended to not set this property, which infers the issuer name from the host name that is used by the clients.
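As an added example (not code from the question or the answer above), here are the three pieces wired together for a Docker dev setup: a constant IssuerUri on the IdentityServer side, the same string as Authority on the API side (the check is an ordinal comparison, so the values must match exactly), and a client on the Docker host that turns off DiscoveryClient's issuer-name check because it reaches the server through localhost rather than the service name. Assumptions: the IdentityServer service is named web on a shared compose network, the environment variable names IDSRV_ISSUER and IDSRV_AUTHORITY are hypothetical, the API scope is api1 as in the quickstart, and the IdentityModel 2.x / IdentityServer4.AccessTokenValidation APIs already used on this page.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;
using IdentityServer4.AccessTokenValidation;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

// IdentityServer container (compose service "web", port 5000).
public class AuthStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Pin the issuer so it no longer depends on the host name the caller used.
        // Hypothetical variable; in a dev compose file: IDSRV_ISSUER=http://web:5000
        var issuer = Environment.GetEnvironmentVariable("IDSRV_ISSUER") ?? "http://web:5000";
        services.AddIdentityServer(options => options.IssuerUri = issuer);
        // Register clients and API resources here as in the quickstart (api1, client/secret).
    }
}
// WebApi container (port 5001). Authority must equal the issuer above, byte for byte.
public class ApiStartup
{
    public void Configure(IApplicationBuilder app)
    {
        var authority = Environment.GetEnvironmentVariable("IDSRV_AUTHORITY") ?? "http://web:5000";
        app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
        {
            Authority = authority,
            RequireHttpsMetadata = false, // dev only: plain http inside the compose network
            ApiName = "api1"
        });
        app.UseMvc();
    }
}
// Console client running on the Docker host, where only localhost:5000 resolves.
public static class ClientProgram
{
    public static async Task<string> GetIdentityAsync()
    {
        var disco = new DiscoveryClient("http://localhost:5000");
        disco.Policy.RequireHttps = false;       // dev only
        disco.Policy.ValidateIssuerName = false; // issuer is "http://web:5000", authority is localhost
        var doc = await disco.GetAsync();
        if (doc.IsError) throw new Exception(doc.Error);
        var tokenClient = new TokenClient(doc.TokenEndpoint, "client", "secret");
        var token = await tokenClient.RequestClientCredentialsAsync("api1");
        if (token.IsError) throw new Exception(token.Error);
        var http = new HttpClient();
        http.SetBearerToken(token.AccessToken);
        return await http.GetStringAsync("http://localhost:5001/identity");
    }
}
```

Outside a dev environment, set IssuerUri to the public https URL the clients actually use and leave RequireHttps and ValidateIssuerName at their defaults, since the issuer check is what stops a token minted for one host from being accepted by an API that trusts another.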
