Identity Server 4 and docker

Question

I'm trying to configure IdentityServer4 with docker but I cannot make it work. To get started, I took the Client Credential example of the identity server documentation: Protecting an API using Client Credentials

IdentityServer
Hosted on port 5000

WebApi
Hosted on port 5001

In the Configure method of the Startup.cs file of my WebApi I did the following (the problem is probably here):

 app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
 {
     Authority = "http://web:5000",
     RequireHttpsMetadata = false,
     ApiName = "api1"
 });

Client

And the client:

 // Everything is fine here...
 var disco = await DiscoveryClient.GetAsync("http://localhost:5000");
 var tokenClient = new TokenClient(disco.TokenEndpoint, "client", "secret");
 var tokenResponse = await tokenClient.RequestClientCredentialsAsync("api");

 // This does not work
 var client = new HttpClient();
 client.SetBearerToken(tokenResponse.AccessToken);
 var response = await client.GetAsync("http://localhost:5001/identity");

The problem is probably in my WebApi:

1) If I set the authority to localhost:5000, I get an internal server error: "Unable to obtain configuration from: 'http://localhost:5000/.well-known/openid-configuration'" which makes sense since localhost:5000 is unknown in this container

2) If I set the authority to http://web:5000 I get an authorization error: "Issuer validation failed. Issuer: 'http://localhost:5000'. Did not match: validationParameters.ValidIssuer: 'http://web:5000' or validationParameters.ValidIssuers" which also makes sense but I don't know if it's possible to change the authority name? I also tried to set the IssuerUri in the IdentityServer project but it didn't help

Recommended answer

Networking

Let's suppose you have two physical machines: C1 and C2. Each machine is a docker host.

C1 runs Auth container.

C2 runs WebApi container.

As you expose port 5000 in Auth dockerfile, the address C1:5000 should be accessible from C2 and from WebApi container itself. You could prefer IPs to DNS, it doesn't matter. Moreover you should be able to make a successful GET request to http://C1:5000/.well-known/openid-configuration to be sure.

There are a lot of network issues you could face to achieve that. For example: What would prevent code running in a Docker container from connecting to a database on a separate server?

Issuer validation

Issuer validation failed

Your client's authority URL differs from Auth hostname. By default, authority URL should be equal to issuer property value (this property is in Identity Server autodiscovery document response).

issuer property value depends on your client's web request:

GET http://127.0.0.1:6000/.well-known/openid-configuration -> "issuer": "http://127.0.0.1:6000"
GET http://localhost:6000/.well-known/openid-configuration -> "issuer": "localhost:6000"

Try to set IssuerUri to a constant for a dev environment:

services.AddIdentityServer(x =>
{
    x.IssuerUri = "foo";
});

to achieve a constant issuer value. This allows to call Identity Server by any valid URL (using IP, machine name or DNS):

GET http://anything/.well-known/openid-configuration -> "issuer": "foo"

DiscoveryClient also validates issuer value. It's a simple equality comparison:

public bool ValidateIssuerName(string issuer, string authority)
{
    return string.Equals(issuer, authority, StringComparison.Ordinal);
}

You could disable it by:

DiscoveryClient.Policy.ValidateIssuerName = false;

FYI, IssuerUri setting is not recommended for a production environment:

IssuerUri: Set the issuer name that will appear in the discovery document and the issued JWT tokens. It is recommended to not set this property, which infers the issuer name from the host name that is used by the clients.
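The two issuer checks the answer describes, modelled in Python as an added example (it is not part of the original question or answer and is not IdentityServer4's or IdentityModel's code). It assumes the hostnames from the question (`http://localhost:5000` for the client, `http://web:5000` for the WebApi container) and models issuer derivation the way the answer states it: inferred from the URL the request arrived on unless IssuerUri is set. The `scenario` function reproduces the question's error 2, then shows the two ways out: a constant IssuerUri (which in turn trips the DiscoveryClient check unless it is disabled) or, as the documentation quote recommends, one hostname used by both the client and the API.

```python
"""Model of the issuer checks discussed above (constructed illustration)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Token:
    """Constructed access-token payload; only the claims the checks look at."""
    iss: str
    aud: str


def discovery_document(request_base_url: str, issuer_uri: Optional[str] = None) -> dict:
    """Issuer as advertised by the discovery endpoint (assumption modelled on the
    answer): taken from the request URL unless IssuerUri is configured."""
    issuer = issuer_uri if issuer_uri is not None else request_base_url
    return {"issuer": issuer, "token_endpoint": f"{request_base_url}/connect/token"}


def validate_issuer_name(issuer: str, authority: str) -> bool:
    """Ordinal string equality, as in DiscoveryClient.Policy.ValidateIssuerName."""
    return issuer == authority


def request_token(client_authority: str, scope: str, issuer_uri: Optional[str],
                  validate_issuer: bool = True) -> Token:
    """Client side: DiscoveryClient.GetAsync followed by TokenClient. Raises when
    the discovery issuer check fails (the check the answer says can be disabled)."""
    disco = discovery_document(client_authority, issuer_uri)
    if validate_issuer and not validate_issuer_name(disco["issuer"], client_authority):
        raise ValueError(f"DiscoveryClient: issuer '{disco['issuer']}' does not match "
                         f"authority '{client_authority}'")
    # The token server stamps its own issuer name into the token's iss claim.
    return Token(iss=disco["issuer"], aud=scope)


def api_validate(token: Token, api_authority: str, api_name: str,
                 issuer_uri: Optional[str]) -> str:
    """WebApi side: the bearer middleware reads discovery from its configured
    Authority, uses the advertised issuer as ValidIssuer, then checks iss and aud."""
    valid_issuer = discovery_document(api_authority, issuer_uri)["issuer"]
    if token.iss != valid_issuer:
        return (f"Issuer validation failed. Issuer: '{token.iss}'. "
                f"Did not match: validationParameters.ValidIssuer: '{valid_issuer}'")
    if token.aud != api_name:
        return f"Audience validation failed. Audience: '{token.aud}'. Expected: '{api_name}'"
    return "OK"


def scenario(client_authority: str, api_authority: str, issuer_uri: Optional[str],
             validate_issuer: bool = True) -> str:
    """Run one end-to-end flow: client obtains a token, WebApi validates it."""
    try:
        token = request_token(client_authority, "api1", issuer_uri, validate_issuer)
    except ValueError as e:
        return str(e)
    return api_validate(token, api_authority, "api1", issuer_uri)


if __name__ == "__main__":
    client, api = "http://localhost:5000", "http://web:5000"
    print("different hosts, no IssuerUri:          ", scenario(client, api, None))
    print("different hosts, IssuerUri='foo':       ", scenario(client, api, "foo"))
    print("different hosts, IssuerUri, check off:  ", scenario(client, api, "foo", False))
    print("same host on both sides, no IssuerUri:  ", scenario(api, api, None))
```

The first line of output is the question's second error verbatim; the second shows why disabling `ValidateIssuerName` is needed once IssuerUri is a constant; the last shows that pointing both the client and the API at the same hostname needs no IssuerUri at all, which is the production-safe option the quoted documentation recommends.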
