Blazor WebAssembly中的OpenIDConnect和IdentityServer4 + ASP.NET Core Identity postgresql数据库,无需重定向 [英] OpenIDConnect in Blazor WebAssembly with an IdentityServer4 + ASP.NET Core Identity postgresql database without redirect
问题描述
我正在尝试创建一个IdentityServer4 + ASP.NET Core Identity后端,以同时处理访问/刷新令牌和用户/登录管理.在某个时间点,我还将创建一个Web API,因此我需要访问令牌.我的前端是Blazor WebAssembly.
I'm trying to create an IdentityServer4 + ASP.NET Core Identity backend to handle both access/refresh tokens and user/signin management. At some point in time I will also create a web API, hence I need the access tokens. My frontend is a Blazor WebAssembly.
在我阅读的几乎每本指南中,我都指向使用Open ID Connect进行授权码授予.但是,在实现此功能时,我从用户登录页面重定向到另一个端口上的Identityserver登录页面,如下所示:
In nearly every guide/tutorial I read, I am pointed towards an authorization code grant using Open ID Connect. However, when I implement this, I am redirected from a user login page to the identityserver login page on a different port as follows:
services.AddAuthentication(options =>
{
options.DefaultScheme = "Cookies";
options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies")
.AddOpenIdConnect("oidc", options =>
{
options.SignInScheme = "Cookies";
options.Authority = "https://localhost:5000";
options.RequireHttpsMetadata = false;
options.ClientId = "mvc";
options.SaveTokens = true;
});
在此示例中,我的标识服务器在localhost:5000上运行,而我的wasm在localhost:5003上运行.我希望用户能够使用来自同一域上Blazor Webassembly的前端UI登录,该怎么办?
In this example my identityserver runs on localhost:5000, and my blazor wasm on localhost:5003. I want the user to be able to login using the frontend UI from Blazor Webassembly on the same domain, how can I do that?
推荐答案
@enet是的,这正是我想要的.我知道我可以编辑登录页面来查看自己想要的样子,但是我不想为此而离开blasor wasm的域
@enet yes, that is exactly what I would like. I know I can edit the login page to look how I want it too, but I dont want to have to leave the domain of the blazor wasm for that to do it
实际上,您希望避免重定向到IdentityServer4服务器,但是,重定向是OpenID Connect流的核心...
What you wish to do is actually avoid redirection to the IdentityServer4 server, but alas, redirection is the heart of the OpenID Connect flow...
在Blazor团队创建当前的WebAssembly身份验证系统之前,我只能考虑一个通用的解决方案:使用JWT令牌身份验证...
I can only think about a solution common before the Blazor team created the current WebAssembly authentication system: Use JWT Token Authentication...
执行以下操作:
- 创建一个WebAssembly托管应用.
- 创建登录页面,注册页面等
使用WebAssembly托管的应用程序,前端(浏览器)和后端(服务器)属于同一域.您可以将一个帐户控制器添加到带有登录"端点的控制器"文件夹中,该端点将使用HTTP调用从前端通过前端进行访问,并通过登录"页面收集用户的凭据.登录端点中的代码应该使用身份系统(默认)来对用户进行身份验证,然后创建一个传递给前端的JWT令牌(可以存储在本地存储中).现在,每当您要访问受保护的Web api端点时,都将JWT令牌添加到HttpClient对象的标头中.
With WebAssembly hosted app, the front-end (browser) and the backend (server) belong to the same domain. You can add an account controller to the Controllers folder with a Login end point, which will be accessed from the front-end, using HTTP calls, with the users' credentials gathered by your Login page. The code in the Login end point should authenticate the user, perhaps using the Identity system (default), and then creates a JWT Token which is passed to the front-end (Could be stored in the local storage). Now, whenever you want to access a protected web api end point, you add the JWT Token to the HttpClient object's header.
注意:由于时间和知识的需要,我不建议您采用此方法.当然,这是可行的,这就是我们以前编码的方式.
Note: I do not recommend adopting this on account of the time and knowledge it require. Of course, it's feasible, and that's how we used to code before.
我没有太多时间来详细,有条理地回答您的问题,因此,如果您有任何疑问,请不要犹豫.
I did not have much time to answer your question in detail and in order, so if you have questions, don't hesitate to ask.
感谢您的回复!也许我只是不明白而已...如果我要登录到任何其他站点,则永远不会重定向到其他域进行登录.这是否意味着所有这些站点都不使用OIDC?
Thank you for your response! Maybe I just dont get it then... If I want login to any other site I am never redirected to some other domain to login. Does that mean all those sites dont use OIDC?
如果您说的是正确的,那么答案是肯定的.OpenID Connect的流程需要重定向.您不能,也不应在客户端(浏览器)上对用户进行身份验证.例如,如果您使用的是OpenID Connect,则可以将他重定向到IdnetityServer4之类的身份提供者,或者执行HTTP调用以将用户的凭据发送到Web Api端点进行身份验证,并返回JWT令牌.还有其他验证用户身份的方法,这些方法都不发生在前端.当您需要Web应用程序以及为该应用程序提供服务并包含Web Api端点的服务器时,应考虑以上我的建议.请注意,这是一个可行的解决方案,我并不是要阻止您采用它.关键是Blazor为您提供了惊人的功能,经过了良好的测试和保护,这主要需要您配置一些设置等,而自行实现它需要一些知识和时间.但是,当然,您可以找到Blazor的JWT令牌身份验证示例.
If what you're stating is correct, then the answer is yes. The flow of OpenID Connect requires redirection. You can't and you should not authenticate the user on the client (browser). You can redirect him to an identity provider like IdnetityServer4 if you're using OpenID Connect, as for instance, or perform an HTTP call to send the user's credentials to a Web Api end point to authenticate, returning a JWT Token. There are other methods of authenticating the user, none of which takes place on the front-end. As you want your web application as well as the server that serves the application and contains Web Api end points, you should consider my suggestion above. This is a viable solution, mind you, and I did not really meant to deter you from adopting it; the point is that Blazor offers you amazing functionality, well tested and secured which mostly requires you to configure some settings, etc., while implementing it on your own requires some knowledge and time. But of course you can find examples of JWT Token authentication for Blazor.
这篇关于Blazor WebAssembly中的OpenIDConnect和IdentityServer4 + ASP.NET Core Identity postgresql数据库,无需重定向的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
