用于用户管理的 Identity Server 和 web api [英] Identity Server and web api for user management

查看:21
本文介绍了用于用户管理的 Identity Server 和 web api的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在为我的项目使用 Identity Server3,我目前有一个网站和 api 受 Id 服务器保护,这工作正常,但是因为我将用户存储在 Id Server 数据库中,我无法真正更改来自网站的任何用户数据,例如更改个人资料图片或任何声明值.

I'm using Identity Server3 for my project, I currently have a website and api being protected by the Id server, this is working fine however because I'm storing the users in the Id Server database I can't really change any user's data from the website like changing the profile picture or any claim value.

为了解决这个问题,我想在 IdServer 之上创建一个 API,这个 API 将管理用户,更改密码,检索用户或更改与用户相关的任何内容,我想在上面创建这个 API我的 IdServer 使用 Owin 映射的示例项目.

In order to solve this I'm thinking in creating an API on top of IdServer, this API will manage the users, changing a password, retrieving users or changing anything related to a user basically, I want to create this API on the sample project where I have my IdServer using Owin mapping.

现在我的 idServer 位于/identity 路由中

Right now I have my idServer in the /identity route like this

public class Startup
{
    public void Configuration(IAppBuilder app)
    {

        Log.Logger = new LoggerConfiguration().MinimumLevel.Debug().WriteTo.Trace().CreateLogger();            

        app.Map("/identity", idserverApp =>
         {
             var efConfig = new EntityFrameworkServiceOptions
             {
                 ConnectionString = "IdSvr3Config"
             };

             var options = new IdentityServerOptions
             {
                 SiteName = "Identity server",
                 IssuerUri = ConfigurationManager.AppSettings["idserver:stsIssuerUri"],
                 PublicOrigin = ConfigurationManager.AppSettings["idserver:stsOrigen"],
                 SigningCertificate = Certificate.Get(),
                 Factory = Factory.Configure(efConfig),
                 AuthenticationOptions = AuthOptions.Configure(app),
                 CspOptions = new CspOptions { Enabled = false },
                 EnableWelcomePage=false
             };


             new TokenCleanup(efConfig, 3600 * 6).Start();
             idserverApp.UseIdentityServer(options);
         });

        app.UseIdServerApi();

    }        
}

我的api中间件"是这样的

My api "middleware" is as this

**public static class IdServerApiExtensions
    {
        public static void UseIdServerApi(this IAppBuilder app, IdServerApiOptions options = null)
        {
            if (options == null)
                options = new IdServerApiOptions();            

            if (options.RequireAuthentication)
            {
                var dic = app.Properties;
                JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
                app.UseIdentityServerBearerTokenAuthentication(
                    new IdentityServerBearerTokenAuthenticationOptions
                    {
                        Authority = "https://localhost:44302/identity", //here is the problem, it says not found even though I already mapped idServer to /identity
                        RequiredScopes = new[]
                        {
                        "idserver-api"
                        },
                        ValidationMode=ValidationMode.ValidationEndpoint
                    });
            }
            var config = new HttpConfiguration();
            WebApiConfig.Register(config,options.RequireAuthentication);
            app.UseNinjectMiddleware(() => NinjectConfig.CreateKernel.Value);
            app.UseNinjectWebApi(config);
            app.Use<IdServerApiMiddleware>(options);
        }
    }**

我知道这是可能的,我只是不知道将 api 放在同一个项目上是否是个好主意,也不知道该怎么做.

I know is possible I just don't know if it is a good idea to have the api on the same project or not and also I don't know how to do it.

  • 创建此 API 来管理用户是否是个好主意?如果不是,我可以用什么?
  • 如何创建适当的设置以启动/api 下的 API,同时使用 IdServer 来保护此 api?

更新

添加 ValidationMode=ValidationMode.ValidationEndpoint,解决了我的问题,感谢 Scott Brady

Adding ValidationMode=ValidationMode.ValidationEndpoint, fixed my problem, thanks to Scott Brady

谢谢

推荐答案

Identity Server 团队的一般建议是将任何管理页面或 API 作为单独的项目运行 (最近的例子).最佳做法是仅授予您的身份服务器和身份管理应用程序访问您的身份数据库/存储的权限.

The general advice from the Identity Server team is to run any admin pages or API as a separate project (Most recent example). Best practice would be only to give your Identity Server and identity management applications access to your identity database/store.

为了管理您的用户,是的,您可以编写自己的 API.其他选项是将其包含到单个 MVC 网站或使用诸如 身份管理器之类的东西.

To manage your users, yes, you could write your own API. Other options would be to contain it to a single MVC website or to use something like Identity Manager.

不过,您仍然可以使用相同的应用程序方法,即使用 OWIN 映射.为了确保这一点,您可以使用 IdentityServer3.AccessTokenValidation 包,使用如下代码:

You can still use the same application approach however, using the OWIN map. To secure this you could use the IdentityServer3.AccessTokenValidation package, using code such as:

app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
    Authority = ConfigurationManager.AppSettings["idserver:stsOrigen"],
    RequiredScopes = new[] { "adminApi" },
    ValidationMode = ValidationMode.ValidationEndpoint
});

这篇关于用于用户管理的 Identity Server 和 web api的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
C#/.NET最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆