使用多个IDServer保护单个api资源 [英] Protect a single api resource with multiple IDServers
问题描述
因此,我有一个.Net Core网络api,可以将其称为"CMS",其当前由IdentityServer4服务器作为api资源进行保护.我已将ID4服务器配置为具有MyIDP的IDP声明.
So I have a .Net Core web api, lets call it "CMS" and its currently protected by an IdentityServer4 server as an api resource. I have configured the ID4 server to have the IDP Claim of MyIDP.
出于商业原因,我需要为客户端提供自己的IdentityServer,但他们也希望让其用户访问相同的api"CMS".
For business reasons, I need to give a client their own IdentityServer but they would also like to have their users access the same api "CMS" .
这可能吗?在我的CMS API的StartUp.cs中,当前看起来像这样
Is this possible? In the StartUp.cs of my CMS api it currently looks like this
services.AddAuthentication("Bearer")
.AddIdentityServerAuthentication(options =>
{
options.Authority = "http://www.idserver1.com";
options.RequireHttpsMetadata = true;
options.ApiName = "cmsapi";
});
所以要为另一台id服务器添加保护,我想我可以复制 AddAuthentication
,但将方案名称从Bearer更改为其他名称,但这似乎是错误的?
so to add protection for another id server I assume i could just duplicate the AddAuthentication
but change the scheme name from Bearer to something else but that seems wrong?
之所以应该这样做,是因为我已经能够以这种方式向我的Web应用程序添加多个外部提供程序.但这是用于s登录流程,而不是用于api.
The reason I think this should be possible because I have been able to add multiple external providers to my Web Application in this manner . But this is for s sign in flow and not for an api.
如果可能的话,我该怎么办?
If this is possible how do I go about this?
推荐答案
这可以非常简单地实现.假设您要为每个客户端发布一个单独的子域: auth0.yourdomain.com
, auth1.yourdomain.com
,并且希望api资源尊重该令牌,这些身份提供者之一.
This can be achieved quite simply. Suppose you want to issue a separate subdomain for each of your clients: auth0.yourdomain.com
, auth1.yourdomain.com
and you want an api resource to respect the token from either of those identity providers.
假设签名密钥相同,则可以在 Startup.cs-> ConfigureServices(...)
:
Assuming that the signing key is the same, you can configure a shared issuer uri on the identity server side in Startup.cs->ConfigureServices(...)
:
var builder = services.AddIdentityServer(options => {
options.IssuerUri = "auth.yourdomain.com";
})
...
然后在api端,您可以尊重单个颁发者uri,而不必重复进行身份验证方案:
And then on the api side you can respect the single issuer uri without having to duplicate authentication schemes:
services.AddAuthentication("Bearer")
.AddIdentityServerAuthentication(options =>
{
options.Authority = "auth.yourdomain.com";
options.RequireHttpsMetadata = true;
options.ApiName = "cmsapi";
});
我不记得的一件事是,是否为发行者uri推断了请求方案(http/https),因此您可能还需要指定它( https:\\ auth.yourdomain.com
).除此之外,就您的客户而言,这种实现应该是无缝的.
One thing I can't remember is if the request scheme (http/https) is inferred for the issuer uri or not so you might need to specify that as well (https:\\auth.yourdomain.com
). Other than that, this sort of implementation should be quite seamless as far as your clients are concerned.
这篇关于使用多个IDServer保护单个api资源的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!