Identity Server 4 and docker
Question
I'm trying to configure IdentityServer4 with docker but I cannot make it work. To get started, I took the Client Credential example of the identity server documentation: Protecting an API using Client Credentials
IdentityServer: hosted on port 5000
WebApi: hosted on port 5001
In the Configure method of the Startup.cs file of my WebApi I did the following (the problem is probably here):
```csharp
// WebApi Startup.cs, Configure(): validate bearer tokens against IdentityServer
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
    Authority = "http://web:5000",   // "web" is the IdentityServer container's docker service name
    RequireHttpsMetadata = false,    // dev only: allow plain http discovery
    ApiName = "api1"
});
```
And in the client:
```csharp
// Everything is fine here...
var disco = await DiscoveryClient.GetAsync("http://localhost:5000");
var tokenClient = new TokenClient(disco.TokenEndpoint, "client", "secret");
var tokenResponse = await tokenClient.RequestClientCredentialsAsync("api");

// This does not work
var client = new HttpClient();
client.SetBearerToken(tokenResponse.AccessToken);
var response = await client.GetAsync("http://localhost:5001/identity");
```
The problem is probably in my WebApi:
1) If I set the authority to localhost:5000, I get an internal server error: "Unable to obtain configuration from: 'http://localhost:5000/.well-known/openid-configuration'" which makes sense since localhost:5000 is unknown in this container
2) If I set the authority to http://web:5000 I get an authorization error: "Issuer validation failed. Issuer: 'http://localhost:5000'. Did not match: validationParameters.ValidIssuer: 'http://web:5000' or validationParameters.ValidIssuers" which also makes sense but I don't know if it's possible to change the authority name? I also tried to set the IssuerUri in the IdentityServer project but it didn't help
Answer
Network
Let's suppose you have two physical machines: C1 and C2. Each machine is a docker host.
C1 runs Auth container.
C2 runs WebApi container.
As you expose port 5000 in Auth dockerfile, the address C1:5000 should be accessible from C2 and from WebApi container itself. You could prefer IPs to DNS, it doesn't matter. Moreover you should be able to make a successful GET request to http://C1:5000/.well-known/openid-configuration to be sure.
There are a lot of network issues you could face to achieve that. For example: What would prevent code running in a Docker container from connecting to a database on a separate server?
Issuer validation
Issuer validation failed
Your client's authority URL differs from Auth hostname. By default, authority URL should be equal to issuer property value (this property is in Identity Server autodiscovery document response).
issuer property value depends on your client's web request:
```text
GET http://127.0.0.1:6000/.well-known/openid-configuration -> "issuer": "http://127.0.0.1:6000"
GET http://localhost:6000/.well-known/openid-configuration -> "issuer": "localhost:6000"
```
Try to set IssuerUri to a constant for a dev environment:
```csharp
// IdentityServer Startup.cs, ConfigureServices(): pin the issuer name (dev only)
services.AddIdentityServer(x =>
{
    x.IssuerUri = "foo";
});
```
to achieve a constant issuer value. This allows to call Identity Server by any valid URL (using IP, machine name or DNS):
```text
GET http://anything/.well-known/openid-configuration -> "issuer": "foo"
```
DiscoveryClient also validates issuer value. It's a simple equality comparison:
```csharp
// IdentityModel DiscoveryClient policy check: issuer must equal the authority string exactly
public bool ValidateIssuerName(string issuer, string authority)
{
    return string.Equals(issuer, authority, StringComparison.Ordinal);
}
```
You could disable it by:
```csharp
DiscoveryClient.Policy.ValidateIssuerName = false;
```
FYI, IssuerUri setting is not recommended for a production environment:
IssuerUri: Set the issuer name that will appear in the discovery document and the issued JWT tokens. It is recommended to not set this property, which infers the issuer name from the host name that is used by the clients.
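The answer describes two separate issuer checks: the WebApi compares the token's issuer with the issuer it learned from its own discovery request, and the client-side DiscoveryClient compares the discovery document's issuer with the authority string it was given. The following Python model, added here as an illustration and not part of the question, the answer, or IdentityServer4 itself, replays the question's client-credentials flow through both checks. It assumes (as a simplification of the answer) that without IssuerUri the issuer is the scheme and host of the incoming request, and that with IssuerUri it is that constant; all URLs and discovery documents are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit

DISCOVERY_PATH = "/.well-known/openid-configuration"


def derive_issuer(request_url: str, issuer_uri: Optional[str] = None) -> str:
    """Issuer as IdentityServer puts it in the discovery document and the JWT 'iss' claim.

    Assumption (simplified from the answer): with no IssuerUri configured the issuer is
    the scheme and host of the request that reached the server; with IssuerUri set it
    is that constant regardless of the host name used.
    """
    if issuer_uri:
        return issuer_uri
    parts = urlsplit(request_url)
    return f"{parts.scheme}://{parts.netloc}"


def discovery_document(request_url: str, issuer_uri: Optional[str] = None) -> dict:
    """Constructed stand-in for the JSON returned at DISCOVERY_PATH."""
    issuer = derive_issuer(request_url, issuer_uri)
    return {"issuer": issuer, "token_endpoint": f"{issuer}/connect/token"}


def validate_issuer_name(issuer: str, authority: str) -> bool:
    """The DiscoveryClient policy check quoted in the answer: plain ordinal equality."""
    return issuer == authority


def simulate(client_authority: str, api_authority: str,
             issuer_uri: Optional[str] = None,
             validate_issuer_name_policy: bool = True) -> dict:
    """Replay the question's flow and report which check (if any) rejects it.

    client_authority: URL the client passes to DiscoveryClient.GetAsync (e.g. localhost)
    api_authority:    Authority configured in the WebApi (e.g. the docker service name)
    """
    # 1. The client fetches discovery through its own host name. DiscoveryClient then
    #    compares the returned issuer with the authority string it was given.
    client_disco = discovery_document(client_authority + DISCOVERY_PATH, issuer_uri)
    if validate_issuer_name_policy and not validate_issuer_name(client_disco["issuer"], client_authority):
        return {"stage": "discovery", "ok": False, "issuer": client_disco["issuer"],
                "valid_issuer": client_authority}

    # 2. The token endpoint is reached through the same host, so the issued token's
    #    'iss' claim carries the same host-derived (or pinned) issuer.
    token_iss = client_disco["issuer"]

    # 3. The WebApi fetches discovery through *its* authority and uses the issuer it
    #    sees there as ValidIssuer. In docker that host name differs from the client's.
    api_disco = discovery_document(api_authority + DISCOVERY_PATH, issuer_uri)
    valid_issuer = api_disco["issuer"]
    return {"stage": "token", "ok": token_iss == valid_issuer,
            "issuer": token_iss, "valid_issuer": valid_issuer}


if __name__ == "__main__":
    # Case 2 from the question: different host names on each side of the container boundary.
    print(simulate("http://localhost:5000", "http://web:5000"))
    # Pinned IssuerUri: the WebApi check passes, but DiscoveryClient now rejects "foo".
    print(simulate("http://localhost:5000", "http://web:5000", issuer_uri="foo"))
    # Pinned IssuerUri with the DiscoveryClient policy disabled, as the answer suggests for dev.
    print(simulate("http://localhost:5000", "http://web:5000", issuer_uri="foo",
                   validate_issuer_name_policy=False))
    # Same reachable host name everywhere: no pinning needed, both checks pass.
    print(simulate("http://web:5000", "http://web:5000"))
```

The last case is the configuration the answer's "Network" section is steering towards: when the client and the WebApi both reach IdentityServer through one host name that resolves from every container, the host-derived issuer is consistent and IssuerUri can stay unset, which is also what the quoted documentation recommends for production.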