How to perform Sign-in with IdentityServer3?
Question
I am developing a web api for use with IdentityServer3.
I have the server and the web api running, but I am having trouble figuring out how to have users login from a mobile app to the server.
My question is this: if I have implicit flow enabled for the identity server, how do users sign in from a tool like fiddler to receive their tokens upon successful authentication?
I know that the token endpoint is: https://myidservername/identity/connect/token
I also know that the authorization endpoint is: https://myidservername/identity/connect/authorization
But where do users sign in? Do I have to create my own view for users to be able to pass a username and password and receive a token? More specifically, my question is how to sign in from fiddler, not from a dedicated view that I would have to render to users.
Accepted answer
IdentityServer is an all-in-one OpenID + OAuth 2 implementation; for this reason Implicit Flow is entirely handled by IdentityServer itself, using the authorize endpoint as a bridge between an authentication request and the token issuing process.
The nature of Implicit Flow does not allow clients such as Fiddler (specifically, clients that cannot directly render a web page) to authenticate. To understand why, I will try to reproduce the steps of the OAuth Implicit grant in a Web API/IdentityServer scenario:
- A client tries to access a protected resource endpoint (e.g. a Web API controller decorated with Authorize)
- The framework checks if the user is authenticated by validating the token (e.g. checking the Authorization header and validating the content)
- If the user is not authenticated then the framework responds with a 401 status code
- The client then must request a token from the Authorization Server (IdSrv3) by going to the authorize endpoint using a browser window (e.g. creating a WebView/UIWebView in a mobile app, opening a pop-up inside the browser, etc.)
- The user then inserts his credentials, the server validates them and, if valid, responds with a redirect that includes an issued token in the query string/after the hash
- The client receives the redirect response and extracts the token from the URI
- The client can now send authenticated requests to the resource server (Web API)
As you can see, you have no way to authenticate a client that cannot inherently render the login page returned in step 4. For that class of clients, Resource Owner Credentials Flow may be a better solution.
You need to enable such a grant for your client inside the IdentityServer configuration (you may follow this tutorial to find out how), and then craft a request for the token endpoint setting grant_type to password and providing all other required parameters.
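The two token-acquisition paths the answer contrasts, as an added example that is not code from the question, the answer or the IdentityServer project: one function crafts the Resource Owner Password Credentials request (grant_type=password) for the token endpoint named in the question, another validates the JSON token response, and a third pulls the token out of the redirect URI that the Implicit Flow hands back after the user has signed in through a browser. The client id "mobileapp", its secret, the scope "api1", the user credentials and the sample responses are constructed placeholders; HTTP Basic client authentication is assumed, which IdentityServer3 accepts alongside client_id/client_secret form fields.

```python
"""Token requests against an IdentityServer3 token endpoint.

Added example, not code from the question, the answer or IdentityServer3.
Client id, secret, scope, user credentials and sample responses are
constructed placeholders.
"""
import base64
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TokenRequest:
    url: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication (RFC 6749 section 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_password_grant_request(token_endpoint: str, client_id: str, client_secret: str,
                                 username: str, password: str, scope: str) -> TokenRequest:
    """Build the POST the answer describes: grant_type=password with the user's
    credentials in the form body. Because the user's password travels in this
    request, anything but an https token endpoint is refused."""
    if urllib.parse.urlsplit(token_endpoint).scheme != "https":
        raise ValueError("token endpoint must use https: the password grant sends the user's credentials")
    form = {"grant_type": "password", "username": username, "password": password, "scope": scope}
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return TokenRequest(token_endpoint, headers, urllib.parse.urlencode(form).encode("utf-8"))


def validate_token_fields(data: dict) -> dict:
    """Check the token response shape (RFC 6749 section 5.1) before trusting it."""
    if "error" in data:
        raise ValueError(f"token endpoint refused the request: {data['error']}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type; IdentityServer3 issues Bearer tokens")
    if not data.get("access_token"):
        raise ValueError("response carries no access_token")
    return {"access_token": data["access_token"], "token_type": "Bearer",
            "expires_in": int(data.get("expires_in", 0))}


def parse_token_response(raw_json: str) -> dict:
    """Parse the JSON body returned by the token endpoint."""
    return validate_token_fields(json.loads(raw_json))


def send_token_request(req: TokenRequest, timeout: float = 10.0) -> dict:
    """Send the request over the network; needs a reachable IdentityServer3."""
    http_req = urllib.request.Request(req.url, data=req.body, headers=req.headers, method="POST")
    with urllib.request.urlopen(http_req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode("utf-8"))


def extract_implicit_token(redirect_uri: str, expected_state: Optional[str] = None) -> dict:
    """Implicit Flow (the redirect in the answer's list): the token rides in the
    fragment of the redirect URI (or in the query string). The state value must
    match the one this client sent, or the response belongs to someone else's request."""
    parts = urllib.parse.urlsplit(redirect_uri)
    params = urllib.parse.parse_qs(parts.fragment or parts.query)
    if expected_state is not None and params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this client's request")
    return validate_token_fields({k: v[0] for k, v in params.items()})


if __name__ == "__main__":
    req = build_password_grant_request(
        "https://myidservername/identity/connect/token",   # token endpoint from the question
        "mobileapp", "secret", "alice", "pw", "api1")      # constructed placeholders
    print(req.url, req.headers, req.body.decode("utf-8"))
    # Constructed sample of a token endpoint reply; no network needed.
    print(parse_token_response('{"access_token":"sample-token","token_type":"Bearer","expires_in":3600}'))
    # Against your own server: print(send_token_request(req))
```

The https check matters more than it looks: with the password grant the client sees and transmits the user's actual password, which is exactly why the implicit flow keeps credentials inside the browser window the answer describes. The state comparison in extract_implicit_token is the counterpart check on the implicit side, so a redirect carrying a token for a different request is rejected rather than used.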