
c# - Accessing a protected API on IdentityServer4 with a Bearer token

Author: Internet

I tried to search for a solution to this problem, but could not find the right search terms.

My question is: how do I configure my IdentityServer so that it also accepts/authorizes API requests that carry Bearer tokens?

I have IdentityServer4 configured and running.
I have also configured a test API on my IdentityServer, as follows:

[Authorize]
[HttpGet]
public IActionResult Get()
{
    return new JsonResult(from c in User.Claims select new { c.Type, c.Value });
}

In my startup.cs, ConfigureServices() looks like this:

public IServiceProvider ConfigureServices(IServiceCollection services)
{
    ...
    // configure identity server with stores, keys, clients and scopes
    services.AddIdentityServer()
        .AddCertificateFromStore(Configuration.GetSection("AuthorizationSettings"), loggerFactory.CreateLogger("Startup.ConfigureServices.AddCertificateFromStore"))

        // this adds the config data from DB (clients, resources)
        .AddConfigurationStore(options =>
        {
            options.DefaultSchema = "auth";
            options.ConfigureDbContext = builder =>
            {
                builder.UseSqlServer(databaseSettings.MsSqlConnString,
                    sql => sql.MigrationsAssembly(migrationsAssembly));
            };
        })

        // this adds the operational data from DB (codes, tokens, consents)
        .AddOperationalStore(options =>
        {
            options.DefaultSchema = "auth";
            options.ConfigureDbContext = builder =>
                builder.UseSqlServer(databaseSettings.MsSqlConnString,
                    sql => sql.MigrationsAssembly(migrationsAssembly));

            // this enables automatic token cleanup. this is optional.
            options.EnableTokenCleanup = true;
            options.TokenCleanupInterval = 30;
        })

        // this uses Asp Net Identity for user stores
        .AddAspNetIdentity<ApplicationUser>()
        .AddProfileService<AppProfileService>();

    // the IdentityServer authentication handler (validates access tokens against this authority)
    services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = authSettings.AuthorityUrl;
            options.RequireHttpsMetadata = authSettings.RequireHttpsMetadata;
            options.ApiName = authSettings.ResourceName;
        });
    ...
}

and Configure() looks like this:

        // NOTE: 'UseAuthentication' is not needed, since 'UseIdentityServer' adds the authentication middleware
        // app.UseAuthentication();
        app.UseIdentityServer();

I have a client configured for the implicit grant type, and the configured ApiName is included as one of its AllowedScopes:

new Client
{
    ClientId = "47DBAA4D-FADD-4FAD-AC76-B2267ECB7850",
    ClientName = "MyTest.Web",
    AllowedGrantTypes = GrantTypes.Implicit,

    RequireConsent = false,

    RedirectUris           = { "http://localhost:6200/assets/oidc-login-redirect.html", "http://localhost:6200/assets/silent-redirect.html" },
    PostLogoutRedirectUris = { "http://localhost:6200/?postLogout=true" },
    AllowedCorsOrigins     = { "http://localhost:6200" },

    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        IdentityServerConstants.StandardScopes.Email,
        "dev.api",
        "dev.auth" // <- ApiName for IdentityServer authorization
    },
    AllowAccessTokensViaBrowser = true,
    AllowOfflineAccess = true,
    AccessTokenLifetime = 18000,
},

When I call the protected API from Postman, it always redirects to the Login page, even though a valid Bearer token is added to the request headers.

Commenting out the [Authorize] attribute returns the response correctly, but then User.Claims is of course empty.

When I log in to IdentityServer (via the browser) and then call the API (via the browser), it also returns the response, and this time User.Claims is populated.

Solution:

There is a sample that co-hosts a protected API inside IdentityServer: IdentityServerAndApi

A quick comparison between their Startup and yours shows that they call AddJwtBearer instead of AddIdentityServerAuthentication:

services.AddAuthentication()
    .AddJwtBearer(jwt => {
        jwt.Authority = "http://localhost:5000";
        jwt.RequireHttpsMetadata = false;
        jwt.Audience = "api1";
    });

The Authorize attribute also sets the authentication scheme:

[Authorize(AuthenticationSchemes = "Bearer")]
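The following is an added example (not the asker's code, nor the IdentityServerAndApi sample's) that puts the answer's two pieces together: IdentityServer and the co-hosted API in one Startup, a separately registered "Bearer" JWT scheme, and an API action that names that scheme explicitly so that a missing or invalid token yields a 401 instead of the cookie scheme's login redirect. It assumes ASP.NET Core 2.x with IdentityServer4 and the Microsoft.AspNetCore.Authentication.JwtBearer package; the resource name "dev.auth" is reused from the question, and the authority URL, the "ApiScope" policy name and the ClaimsController are placeholders.

```csharp
// Added example, not from the original page or the IdentityServer4 project.
// Assumes ASP.NET Core 2.x + IdentityServer4 + Microsoft.AspNetCore.Authentication.JwtBearer.
using System.Collections.Generic;
using System.Linq;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Resource name taken from the question; the co-hosted API accepts only tokens
    // whose audience is this resource.
    private const string ApiResourceName = "dev.auth";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // IdentityServer itself. The interactive (cookie) scheme it registers is the
        // one that sends unauthenticated browser requests to the login page.
        services.AddIdentityServer()
            .AddDeveloperSigningCredential() // dev only; use a real signing certificate in production
            .AddInMemoryIdentityResources(new List<IdentityResource> { new IdentityResources.OpenId() })
            .AddInMemoryApiResources(new List<ApiResource> { new ApiResource(ApiResourceName, "Co-hosted API") })
            .AddInMemoryClients(new List<Client>()); // register the question's client here

        // A second scheme, "Bearer", validates the JWT access tokens this same host issues.
        // It is not made the default scheme, so only endpoints that name it use it.
        services.AddAuthentication()
            .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, jwt =>
            {
                jwt.Authority = "https://localhost:5001"; // placeholder: this host's own URL
                jwt.RequireHttpsMetadata = true;          // never fetch discovery/keys over plain HTTP outside dev
                jwt.Audience = ApiResourceName;           // reject tokens minted for other APIs
            });

        // Policy for API endpoints: authenticate with the Bearer scheme only (a failure then
        // produces 401, not a redirect) and require the scope the client was actually granted.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("ApiScope", policy =>
            {
                policy.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme);
                policy.RequireAuthenticatedUser();
                policy.RequireClaim("scope", ApiResourceName);
            });
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // UseIdentityServer registers the authentication middleware, so no UseAuthentication() here.
        app.UseIdentityServer();
        app.UseMvc();
    }
}

// Naming the Bearer scheme on the action is what stops the cookie challenge (login redirect)
// when a client such as Postman sends "Authorization: Bearer <token>".
[Route("api/claims")]
public class ClaimsController : Controller
{
    [HttpGet]
    [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme, Policy = "ApiScope")]
    public IActionResult Get()
    {
        return new JsonResult(User.Claims.Select(c => new { c.Type, c.Value }));
    }
}
```

Two points worth checking in your own setup: the Audience must match the ApiResource name or every token is rejected even though it is valid for the authority, and the scope claim check means a token obtained by a client that was not granted "dev.auth" in AllowedScopes is refused with 403 rather than silently accepted because it was signed by the right issuer.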

Tags: identityserver4,bearer-token,asp-net-core,jwt,c
Source: https://codeday.me/bug/20191108/2008383.html