我需要一个网站来使用持票令牌验证其对API的请求。同一令牌可用于所有请求,因为站点是公共的,因此不需要用户登录。
我一直在使用来自AspNet.Security.OpenIdConnect.Samples和其他SO问题的mashup。
API Startup.cs
public void ConfigureServices(IServiceCollection services)
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
//add functionality similar to [ClaimsAuthorize("myclaim")]
.RequireClaim(ClaimTypes.Name)
.RequireClaim(ClaimTypes.NameIdentifier)
.Build();
services.AddCaching();
services.AddMvc(options =>
{
options.Filters.Add(new AuthenticationFilter(policy));
});
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
//Authorization
app.UseJwtBearerAuthentication(options => {
options.AutomaticAuthenticate = true;
options.Audience = "https://localhost:44380";
options.Authority = "https://localhost:44380";
});
// Add a new middleware issuing tokens.
app.UseOpenIdConnectServer
(
configuration =>
{
configuration.TokenEndpointPath = "/login";
configuration.AllowInsecureHttp = false;
configuration.Provider = new AuthorizationServerProvider();
}
);
}
AuthorizationServerProvider
public override async Task GrantClientCredentials(GrantClientCredentialsContext context)
{
DbContext dbContext = context.HttpContext.RequestServices.GetRequiredService<DbContext>();
Client client = await dbContext.Clients.FirstAsync(x => x.Id == context.ClientId);
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
identity.AddClaim(new Claim(ClaimTypes.Name, client.Name));
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, context.ClientId));
AuthenticationTicket ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
context.Validated(ticket);
}
Client Startup.cs
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
}
app.UseIISPlatformHandler();
app.UseStaticFiles();
//Used with TempData
app.UseSession();
app.UseOpenIdConnectAuthentication(options =>
{
options.AuthenticationScheme = OpenIdConnectDefaults.AuthenticationScheme;
options.RequireHttpsMetadata = false;
// Note: these settings must match the application details
// inserted in the database at the server level.
options.ClientId = Configuration.Get<string>("Constants:ClientMvcId");
options.ClientSecret = Configuration.Get<string>("Constants:ClientMvcSecret");
// Use the authorization code flow.
options.ResponseType = OpenIdConnectResponseTypes.Code;
});
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
}
现在,当调用OnAuthorizationAsync
中的AuthenticationFilter
时,AuthorizationContext.HttpContext.User.Claims
为空,因此我无法检查这些值。