使用多个IDServer保护单个api资源 [英] Protect a single api resource with multiple IDServers

问题描述

因此，我有一个.Net Core网络api，可以将其称为"CMS"，其当前由IdentityServer4服务器作为api资源进行保护.我已将ID4服务器配置为具有MyIDP的IDP声明.

So I have a .Net Core web api, lets call it "CMS" and its currently protected by an IdentityServer4 server as an api resource. I have configured the ID4 server to have the IDP Claim of MyIDP.

出于商业原因，我需要为客户端提供自己的IdentityServer，但他们也希望让其用户访问相同的api"CMS".

For business reasons, I need to give a client their own IdentityServer but they would also like to have their users access the same api "CMS" .

这可能吗?在我的CMS API的StartUp.cs中，当前看起来像这样

Is this possible? In the StartUp.cs of my CMS api it currently looks like this

services.AddAuthentication("Bearer")
    .AddIdentityServerAuthentication(options =>
                {
                    options.Authority = "http://www.idserver1.com";   
                    options.RequireHttpsMetadata = true; 
                    options.ApiName = "cmsapi"; 
                });

所以要为另一台id服务器添加保护，我想我可以复制 AddAuthentication ，但将方案名称从Bearer更改为其他名称，但这似乎是错误的?

so to add protection for another id server I assume i could just duplicate the AddAuthentication but change the scheme name from Bearer to something else but that seems wrong?

之所以应该这样做，是因为我已经能够以这种方式向我的Web应用程序添加多个外部提供程序.但这是用于s登录流程，而不是用于api.

The reason I think this should be possible because I have been able to add multiple external providers to my Web Application in this manner . But this is for s sign in flow and not for an api.

如果可能的话，我该怎么办?

If this is possible how do I go about this?

推荐答案

这可以非常简单地实现.假设您要为每个客户端发布一个单独的子域: auth0.yourdomain.com ， auth1.yourdomain.com ，并且希望api资源尊重该令牌，这些身份提供者之一.

This can be achieved quite simply. Suppose you want to issue a separate subdomain for each of your clients: auth0.yourdomain.com, auth1.yourdomain.com and you want an api resource to respect the token from either of those identity providers.

假设签名密钥相同，则可以在 Startup.cs-> ConfigureServices(...):

Assuming that the signing key is the same, you can configure a shared issuer uri on the identity server side in Startup.cs->ConfigureServices(...):

        var builder = services.AddIdentityServer(options => {
                              options.IssuerUri = "auth.yourdomain.com";
                              })
                 ...

然后在api端，您可以尊重单个颁发者uri，而不必重复进行身份验证方案:

And then on the api side you can respect the single issuer uri without having to duplicate authentication schemes:

services.AddAuthentication("Bearer")
    .AddIdentityServerAuthentication(options =>
                {
                    options.Authority = "auth.yourdomain.com";   
                    options.RequireHttpsMetadata = true; 
                    options.ApiName = "cmsapi"; 
                });    

我不记得的一件事是，是否为发行者uri推断了请求方案(http/https)，因此您可能还需要指定它( https:\\ auth.yourdomain.com).除此之外，就您的客户而言，这种实现应该是无缝的.

One thing I can't remember is if the request scheme (http/https) is inferred for the issuer uri or not so you might need to specify that as well (https:\\auth.yourdomain.com). Other than that, this sort of implementation should be quite seamless as far as your clients are concerned.

这篇关于使用多个IDServer保护单个api资源的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！