我在asp.net核心网络api中使用IdentityServer4进行用户身份验证和授权。我在android应用程序中使用此api。我的用户使用用户名和密码注册和登录没有问题。这是我的访问令牌我来自连接/令牌端点
{
"alg": "RS512",
"typ": "at+jwt"
}
{
"nbf": 1600324303,
"exp": 1631860303,
"iss": "https://myIdentityServerApi.com",
"aud": [
"IdentityServerApi",
"MyAPI1"
],
"client_id": "MyApp1",
"sub": "521d198c-3657-488e-997e-3e50d756b353",
"auth_time": 1600324302,
"idp": "local",
"role": "Admin",
"name": "myusername",
"scope": [
"openid",
"IdentityServerApi",
"MyAPI1"
],
"amr": [
"pwd"
]
}
现在,在新的android应用程序中,我希望用户使用电话号码和短信激活功能进行注册和登录。 当用户发送ActivationCode时,我应该向他发送访问令牌。但是,如何从没有用户名和密码的令牌端点获取令牌?
在下面,我想手动生成令牌,但是生成的令牌不起作用。
[HttpPost("Activate")]
[AllowAnonymous]
public async Task<IActionResult> Activate([FromBody] SignUpPhoneModel model)
{
if (string.IsNullOrWhiteSpace(model.PhoneNumber))
{
return BadRequest("Phone Number is Empty");
}
PhoneValidation pv = new PhoneValidation();
IdentityUser CurrentUser = await db.Users.Where(e => e.PhoneNumber == model.PhoneNumber).FirstAsync();
if (!await UserManager.VerifyChangePhoneNumberTokenAsync(CurrentUser, model.ActivationCode, model.PhoneNumber))
{
return BadRequest("Activation Code is not correct");
}
else
{
//Here user is activated and should get token But How?
CurrentUser.PhoneNumberConfirmed = true;
List<string> UserRoles = (await UserManager.GetRolesAsync(CurrentUser)).ToList();
var tokenHandler = new JwtSecurityTokenHandler();
RSACryptoServiceProvider rsap = new RSACryptoServiceProvider(KeyContainerNameForSigning);
SecurityKey sk = new RsaSecurityKey(rsap.Engine);
List<Claim> UserClaims = new List<Claim>() {
new Claim(JwtRegisteredClaimNames.Sub, CurrentUser.Id),
};
foreach (var r in UserRoles)
{
UserClaims.Add(new Claim(JwtClaimTypes.Role, r));
}
var tokenDescriptor = new SecurityTokenDescriptor
{
Issuer= "https://myidentityserverapi.com",
Audience = "IdentityServerApi,MyAPI",
Subject = new ClaimsIdentity(UserClaims),
Expires = DateTime.UtcNow.AddDays(365),
SigningCredentials = new SigningCredentials(sk, SecurityAlgorithms.RsaSha512),
};
var token = tokenHandler.CreateToken(tokenDescriptor);
TokenModel tm = new TokenModel()
{
access_token = tokenHandler.WriteToken(token)
};
return Ok(tm);
}
}
当我在应用程序中从上方(操作方法)接收令牌时,如下所示,但是它不起作用,例如User.Identity.IsAuthenticated为false。任何人都知道如何生成令牌,例如connect / token端点没有用户名和密码?
"alg": "RS256",
"typ": "JWT"
}
{
"unique_name": "13f2e130-e2e6-48c7-b3ac-40f8dde8087b",
"role": "Member",
"nbf": 1600323833,
"exp": 1718259833,
"iat": 1600323833
}
我选择了正确的方法吗?还是我应该使用另一种方式,例如不同的流程或授予类型?
答案 0 :(得分:3)
我想您的用户通过IS4服务器激活了ActivationCode。在这种情况下,您无需手动管理/生成access_token。
您只需要遵循与AccountController中的Login方法相同的过程即可,
使用登录名/密码检查用户,请验证您的ActivationCode
一旦用户确定,SignInManager会SignIn您的用户。 (instructions from the GDB Wiki)
引发UserLoginSuccessEvent事件。
await _events.RaiseAsync(new UserLoginSuccessEvent(user.UserName, user.Id, user.UserName, clientId: context?.Client.ClientId));
最终将用户重定向到您的Web应用。
return Redirect(model.ReturnUrl);
重定向到您的应用程序时,IdentityServer4会将其access_token发送给用户。
答案 1 :(得分:1)
我认为您需要做的就是,当用户确认激活码时,您将执行与以下内容相同的操作:
public async Task<IActionResult> Login(LoginInputModel model, string button) { }
在参考AccountController.cs类中找到。
答案 2 :(得分:0)
我终于像这样创建访问令牌:
[HttpPost("Activate")]
[AllowAnonymous]
public async Task<IActionResult> Activate([FromBody] SignUpPhoneModel model, [FromServices] ITokenService TS, [FromServices] IUserClaimsPrincipalFactory<JooyaIdentityUser> principalFactory, [FromServices] IdentityServerOptions options)
{
JooyaIdentityUser CurrentUser = await db.Users.Where(e => e.PhoneNumber == model.PhoneNumber).FirstOrDefaultAsync();
if (!await UserManager.VerifyChangePhoneNumberTokenAsync(CurrentUser, model.ActivationCode, model.PhoneNumber))
{
return BadRequest("Activation Code in not correct");
}
CurrentUser.PhoneNumberConfirmed = true;
await db.SaveChangesAsync();
await UserManager.UpdateSecurityStampAsync(CurrentUser);
var Request = new TokenCreationRequest();
var IdentityPricipal = await principalFactory.CreateAsync(CurrentUser);
var IdentityUser = new IdentityServerUser(CurrentUser.Id.ToString());
IdentityUser.AdditionalClaims = IdentityPricipal.Claims.ToArray();
IdentityUser.DisplayName = CurrentUser.UserName;
IdentityUser.AuthenticationTime = System.DateTime.UtcNow;
IdentityUser.IdentityProvider = IdentityServerConstants.LocalIdentityProvider;
Request.Subject = IdentityUser.CreatePrincipal();
Request.IncludeAllIdentityClaims = true;
Request.ValidatedRequest = new ValidatedRequest();
Request.ValidatedRequest.Subject = Request.Subject;
Request.ValidatedRequest.SetClient(SeedConfig.GetClients().Where(e => e.ClientId == model.ClientId).First());
List<ApiResource> Apis = new List<ApiResource>();
Apis.Add(SeedConfig.GetApis().Where(e => e.Name == "IdentityServerApi").First());
Apis.Add(SeedConfig.GetApis().Where(e => e.Name == model.ApiName).First());
Request.Resources = new Resources(SeedConfig.GetIdentityResources(), Apis);
Request.ValidatedRequest.Options = options;
Request.ValidatedRequest.ClientClaims = IdentityUser.AdditionalClaims;
var Token = await TS.CreateAccessTokenAsync(Request);
Token.Issuer = HttpContext.Request.Scheme + "://" + HttpContext.Request.Host.Value;
Token.Lifetime = 32000000;
var TokenValue = await TS.CreateSecurityTokenAsync(Token);
TokenModel tm = new TokenModel()
{
access_token = TokenValue
};
return Ok(tm);
}