可以为一个Api设置两个身份验证吗?身份服务器4 [英] Could set two authentications for one Api ? Identity server4
问题描述
我构建了一个身份服务器,并与一个客户端建立了两个grant_types.混合密码和密码.
I build a identity server, and with a client two grant_types. hybrid and password.
现在,每个人都可以独立获取访问令牌. 如果同时添加它们.只是混合作品. 密码模式可以获取访问令牌,但是使用承载令牌访问api时.我被重定向到混合登录页面.
Now, each of them is ok for get access token independently. if add thems in the same time. Just hybrid works. Password mode could get access token, but when accessed the api with bearer token. I was redirected to the hybrid login page.
// add password authentication
services.AddAuthentication("Bearer")
.AddJwtBearer("Bearer", options =>
{
options.Authority = "http://localhost";
options.RequireHttpsMetadata = false;
options.Audience = "SlideCloudStorage";
});
// add hybrid authentication
// todo add this information to configuration.
services.AddAuthentication(
options =>
{
options.DefaultScheme = "Cookies";
options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies")
.AddOpenIdConnect(
"oidc",
options =>
{
options.SignInScheme = "Cookies";
options.Authority = "http://localhost";
options.RequireHttpsMetadata = false;
options.ClientId = "slide-cloud-storage";
options.ClientSecret = "secret";
options.ResponseType = "code id_token";
options.SaveTokens = true;
options.GetClaimsFromUserInfoEndpoint = true;
options.Scope.Add("offline_access");
options.ClaimActions.MapJsonKey("website", "website");
});
希望这不是XY问题. 为什么我要添加两个身份验证?
Hope this is not a XY problem. Why I want add two authentications?
密码模式适用于我的桌面客户端. Hybrid适用于我的网络/移动客户端.
Password mode is for my desktop client. Hybrid is for my web/mobile client.
推荐答案
services.AddAuthentication("Bearer")
这会将默认身份验证方案设置为Bearer.
This sets the default authentication scheme to Bearer.
services.AddAuthentication(
options =>
{
options.DefaultScheme = "Cookies";
options.DefaultChallengeScheme = "oidc";
})
这会将默认身份验证方案设置为Cookies(将默认质询方案设置为oidc).因此,此后,默认情况下将不再调用承载身份验证.
And this sets the default authentication scheme to Cookies (and the default challenge scheme to oidc). So after this, the bearer authentication is no longer invoked by default.
配置多种身份验证方案非常好,而且在许多情况下还需要一些配置.但是您必须了解,只有一个默认值(对于每个身份验证操作)都将由框架自动调用.我已经解释了有关此问题的详细信息,但是基本上的想法是,当您不执行任何特殊操作时,那么默认的身份验证方案将用于在请求进入时对用户进行身份验证.
Configuring multiple authentication schemes is perfectly fine and in many cases also somewhat required. But you have to understand that there can only ever be a single default (for each authentication action) which will be invoked automatically by the framework. I’ve explained that in more detail for this question but the idea is basically that when you don’t do anything special, then the default authentication scheme will be used to authenticate the user when a request comes in.
因此,在您的情况下,将Cookies作为默认方案,将尝试通过cookie登录用户.对于以用户为中心的应用程序,这通常是一个很好的默认设置,因为cookie是大多数用户用来验证自己身份的东西.另一方面,对这些应用程序的API访问更为特殊,通常仅限于几个控制器或路由.因此,将承载身份验证默认为默认值通常没什么用.
So in your case, with Cookies being the default scheme, users will be attempted to be signed in through their cookies. This is often a good default for user-centric applications since the cookie will be what most users use to authenticate themselves. On the other hand, the API access to those applications is more special and often limited to just a few controllers or routes; so having bearer authentication as a default is often not that useful.
因此,当Cookies为默认值,并且只能自动调用一个默认值时,使用其他方案的方式是什么?答案就是授权策略.
So when Cookies is being the default, and there can only be one default which will be invoked automatically, what is the way to use other schemes then? The answer to that are authorization policies.
授权策略通常使您可以基于某些规则来限制访问.策略基本上是这些规则的集合.出于授权目的,通常将检查索偿值以控制某人是否有权做某事.但是,授权策略还有另一个方面,那就是它们允许您将身份验证方案指定为规则.
Authorization policies in general allow you to restrict access based on certain rules. A policy is basically a set of these rules. For authorization purposes, you will commonly check claim values to control whether someone is authorized to do something. There’s however one other aspect of authorization policies and that’s that they allow you to specify authentication schemes as rules.
使用 AuthorizationPolicyBuilder ,您可以使用它指定所需的身份验证方案.然后,使用授权策略对请求进行授权时,如果尚未对这些方案进行身份验证,它将自动对这些方案进行身份验证.
When you create an authorization policy using an AuthorizationPolicyBuilder, you can specify the authentication schemes it requires with it. When an authorization policy is then used to authorize requests, it will automatically authenticate those schemes if they haven’t been authenticated yet.
因此,您可以使用此机制来触发API控制器的承载身份验证,而不会影响默认的cookie身份验证,该身份验证将在您不指定其他任何内容时使用.
So you can use this mechanism to trigger bearer authentication for your API controllers without affecting the default cookie authentication which will be used whenever you don’t specify anything else.
[Authorize("ApiPolicy")]
public class MyApiController : ControllerBase
{
// …
}
在Startup.ConfigureServices中:
services.AddAuthorization(options =>
{
var apiPolicy = new AuthorizationPolicyBuilder("Bearer")
.RequireAuthenticatedUser()
.Build();
options.AddPolicy("ApiPolicy", apiPolicy);
});
这样,您就配置了一个自定义策略,您可以随时扩展该自定义策略以添加其他要求(例如特殊声明),并使用它来授权客户端访问您的API.
With that, you configured a custom policy, which you can always extend to add additional requirements (such as special claims), and you are using that to authorize clients accessing your API.
如果只需要几个动作或控制器,则还可以直接在[Authorize]属性中指定身份验证方案.这使您不必创建自定义授权策略,但另一方面,如果您想通过其他要求(或更改的身份验证方案)扩展策略,则当然需要更多的重复和维护:
If you only need this for few actions or controllers, you can also specify the authentication schemes directly within the [Authorize] attribute. This saves you from having to create a custom authorization policy but on the other hand of course requires a bit more duplication and maintenance if you ever want to expand your policy with additional requirements (or changed authentication schemes):
[Authorize(AuthenticationSchemes = "Bearer")]
public class MyApiController : ControllerBase
{
// …
}
请注意,最后,这还将 产生将临时创建以授权用户的策略.因此效果和潜在机制实际上是相同的.
Note that in the end, this will also result in a policy that will be created temporarily to authorize the user. So the effect and underlying mechanism is really the same.
这篇关于可以为一个Api设置两个身份验证吗?身份服务器4的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
