.NET Core 3.1中带有自定义策略的IdentityServer4 LocalApi [英] IdentityServer4 LocalApi with custom policy in .NET Core 3.1

查看:175
本文介绍了.NET Core 3.1中带有自定义策略的IdentityServer4 LocalApi的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在尝试使用"LocalApi"带有一些自定义策略的IdentityServer4功能.

I'm trying to use the "LocalApi" feature of IdentityServer4 with some custom Policies.

我有一个API(与IdentityServer4托管在同一应用程序实例上),该API分为三个部分(服务器,管理器,产品)和三个客户端(服务器,管理器,产品).客户只能调用API的专用部分,而我将根据范围使用策略来实现.

I have an API (hosted on the same application instance as IdentityServer4) that is divided into three parts (Server, Manager, Product) and for three clients (Server, Manager, Product). Client can only call the devoted part of the API and I would do this with Policies based on scopes.

所以我有以下内容:

Starup:

services.AddLocalApiAuthentication(); // Add API hosted on same application than IdentityServer
services.AddAuthorization(options =>
    {
        options.AddPolicy("Manager", policy =>
        {
            //policy.RequireClaim("scope", configuration.GetValue<string>("EchinoLoginApiManagerScopeOptions:Name"));
            policy.RequireClaim("scope", "local_api_manager_scope");
            policy.RequireClaim("scope", IdentityServerConstants.LocalApi.ScopeName);
        });

        options.AddPolicy("Server", policy =>
        {
            //policy.RequireClaim("scope", configuration.GetValue<string>("EchinoLoginApiServerScopeOptions:Name"));
            policy.RequireClaim("scope", "local_api_server_scope");
            policy.RequireClaim("scope", IdentityServerConstants.LocalApi.ScopeName);
        });

        options.AddPolicy("Product", policy =>
        {
            //policy.RequireClaim("scope", configuration.GetValue<string>("EchinoLoginApiProductScopeOptions:Name"));
            policy.RequireClaim("scope", "local_api_product_scope");
            policy.RequireClaim("scope", IdentityServerConstants.LocalApi.ScopeName);
        });
    });

还有我的ApiResource

And my ApiResource

new ApiResource
     {
         Name = IdentityServerConstants.LocalApi.ScopeName,
         Scopes =
         {
             new Scope()
             {
                 Name = IdentityServerConstants.LocalApi.ScopeName,
                 DisplayName = IdentityServerConstants.LocalApi.ScopeName,
             },
             new Scope()
             {
                 Name = "local_api_product_scope",
                 DisplayName = echinoLoginApiProductScopeOptions.DisplayName,
                 UserClaims = echinoLoginApiProductScopeOptions.UserClaims
             },
             new Scope()
             {
                 Name = "local_api_manager_scope",
                 DisplayName = echinoLoginApiManagerScopeOptions.DisplayName,
                 UserClaims = echinoLoginApiManagerScopeOptions.UserClaims
             },
             new Scope()
             {
                 Name = "local_api_server_scope",
                 DisplayName = echinoLoginApiServerScopeOptions.DisplayName,
                 UserClaims = echinoLoginApiServerScopeOptions.UserClaims
             }
         }
     }

最后是我的服务器客户端

And finally my server client

new Client
     {
         ClientId = echinoServerOptions.Id,
         ClientName = echinoServerOptions.Name,

         ClientSecrets =
         {
             new Secret(echinoServerOptions.Secret.Sha256())
         },

         AllowedGrantTypes = GrantTypes.ClientCredentials,
         //AllowedScopes = AddLocalApiScope(echinoServerOptions.AllowedScopes)
         AllowedScopes = { "IdentityServerApi", "server_scope", "local_api_server_scope" }
     },

因此,在我的控制器中,我使用了[Authorize(Policy ="Server")),但是我总是无法通过身份验证.如果我使用[Authorize(LocalApi.PolicyName)]有效,但是我没有自定义策略.

So in my controller I use [Authorize(Policy = "Server")] but I always have an authentication failed. If I use [Authorize(LocalApi.PolicyName)] it's working but then I don't have my custom policy.

JWT令牌的有效载荷如下:

The payload of the JWT token is the following:

{
  "nbf": 1582632694,
  "exp": 1582636294,
  "iss": "https://localhost:44334",
  "aud": [
    "IdentityServerApi",
    "EchinoLoginApi"
  ],
  "client_id": "EchinoServer",
  "scope": [
    "IdentityServerApi",
    "local_api_server_scope",
    "server_scope"
  ]
}

我一定想念一些东西,但我找不到.

I must be missing something but I can't found what.

有人可以帮我吗?

推荐答案

对于本地api,您应将[Authorize(LocalApi.PolicyName)]与自定义策略一起使用.

For local apis, you should use [Authorize(LocalApi.PolicyName)] with your custom policy together.

[Authorize("productpolicy")]
[Authorize(LocalApi.PolicyName)]
[ApiController]
[Route("api/[controller]")]
public class ProductController : ControllerBase
{...

或者您可以通过其他方式处理它:

Or you can handle it in another way:

options.AddPolicy(ClientLocalScopes.AuthenticationAuthorization, policy =>
    {
        policy.AddAuthenticationSchemes(IdentityServerConstants.LocalApi.AuthenticationScheme);
        policy.RequireAuthenticatedUser();
// write your code here
    });

这篇关于.NET Core 3.1中带有自定义策略的IdentityServer4 LocalApi的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
C#/.NET最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆