OpenIddict - Authorization and authentication with microservices

Time: 2017-10-26 14:22:22

Tags: authentication microservices openiddict

I have a mobile (native) app and a web application (SPA) that communicate with backend microservices (developed in .NET Core 2.0) for authentication/authorization and for other domain-related functionality, configured with OpenIddict. Both apps obtain an access token. What I am struggling with is that all the microservices should accept the bearer access token generated in the auth microservice (OpenIddict 2.*), where the user is logged in (the central authorization service), and authenticate/authorize with it. So which changes am I missing in the microservices whose REST APIs are marked with [Authorize]?

Code of the Auth Microservice:

public void ConfigureServices(IServiceCollection services)
{
    var connection = Configuration.GetConnectionString("DefaultConnection");

    services.AddDbContext<IdentityDbContext>(options =>
    {
        options.UseSqlServer(connection);
        // Register the OpenIddict entities (applications, authorizations, scopes, tokens) on this context.
        options.UseOpenIddict();
    });

    // Register the OAuth2 validation handler once and make it the default scheme,
    // so the tokens issued by OpenIddict below are also accepted by this service's own APIs.
    services.AddAuthentication(options =>
    {
        options.DefaultScheme = OAuthValidationDefaults.AuthenticationScheme;
    }).AddOAuthValidation();

    services.AddOpenIddict(options =>
    {
        options.AddEntityFrameworkCoreStores<IdentityDbContext>();
        options.AddMvcBinders();
        options.EnableTokenEndpoint("/connect/token");
        // Enable the password and refresh token flows.
        options.AllowPasswordFlow().AllowRefreshTokenFlow();
        options.SetRefreshTokenLifetime(TimeSpan.FromHours(1));
        // Development only: the HTTPS requirement must stay enabled in production.
        options.DisableHttpsRequirement();
    });

    services.AddDbContext<AuthDbContext>(options => options.UseSqlServer(connection));
    services.AddScoped<IUserRepository, UserRepository>();

    services.AddAuthorization(options =>
    {
        options.AddPolicy("RequireAdministratorRole", policy => policy.RequireRole("Administrator"));
    });
}

Existing code in the Notification Microservice

public void ConfigureServices(IServiceCollection services)
{
    services.AddDbContext<MastersDbContext>(options => options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));

    // This service only validates tokens; it does not issue them, so no AddOpenIddict here.
    services.AddAuthentication(options =>
    {
        options.DefaultScheme = OAuthValidationDefaults.AuthenticationScheme;
    }).AddOAuthValidation();

    services.AddAuthorization(options =>
    {
        options.AddPolicy("RequireAdministratorRole", policy => policy.RequireRole("Administrator"));
    });

    // Required for app.UseMvc() in Configure.
    services.AddMvc();
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    // Wide-open CORS policy (any origin, header and method); tighten to the SPA's origin in production.
    app.UseCors(builder =>
        builder.AllowAnyOrigin()
            .AllowAnyHeader()
            .AllowAnyMethod()
    );

    //app.UseAntiforgeryToken();

    // The authentication middleware must run before MVC, otherwise [Authorize]
    // never sees the principal extracted from the bearer token.
    app.UseAuthentication();
    app.UseMvc();
}

Notification controller:

// POST api/values
[HttpPost]
[Authorize]
// [FromBody] is needed so the JSON body sent by the SPA/mobile app is bound to the parameter.
public IActionResult Post([FromBody] Notification notification)
{
    //logic
    return Ok();
}

1 answer:

Answer 0: (score: 0)

To make all the microservices decrypt the tokens correctly, you need to make sure that the key ring containing the master keys (used by ASP.NET Core Data Protection to derive the encryption and validation keys) is correctly synchronized. This process is described here: https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview

Here is an example that does the job using a shared folder:

public void ConfigureServices(IServiceCollection services)
{
    // Every microservice points at the same key ring directory (requires System.IO).
    services.AddDataProtection()
        .PersistKeysToFileSystem(new DirectoryInfo(@"\\server\share\directory\"));
}

You also need to configure both applications to use the same "application discriminator":

public void ConfigureServices(IServiceCollection services)
{
    services.AddDataProtection()
        .PersistKeysToFileSystem(new DirectoryInfo(@"\\server\share\directory\"))
        // The application name is mixed into the key derivation, so it must be
        // identical in the auth service and in every resource service.
        .SetApplicationName("Your application name");
}
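As an added example that is not part of the question or the answer above, the following console program shows why both settings in the answer matter. It builds two Data Protection providers over the same key ring directory, the way the auth and notification microservices would in ConfigureServices, protects a payload with the first and tries to unprotect it with the second. The directory path, the application names and the purpose string are placeholders (the OAuth validation handler uses its own purpose strings internally), and the program assumes the Microsoft.AspNetCore.DataProtection.Extensions package.

```csharp
// Added example, not code from the original post. Demonstrates that two services
// sharing a key ring directory still cannot read each other's protected payloads
// unless they also share the application discriminator.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

public static class KeyRingCheck
{
    // Placeholder for the shared folder from the answer (\\server\share\directory\).
    private static readonly DirectoryInfo SharedKeyRing =
        new DirectoryInfo(Path.Combine(Path.GetTempPath(), "shared-keyring"));

    // Builds a provider the way a microservice's ConfigureServices would
    // (PersistKeysToFileSystem + SetApplicationName), but without a web host.
    private static IDataProtector ProtectorFor(string applicationName, string purpose)
    {
        var provider = DataProtectionProvider.Create(
            SharedKeyRing,
            builder => builder.SetApplicationName(applicationName));
        return provider.CreateProtector(purpose);
    }

    // Returns true when a payload protected by the "auth" side can be
    // unprotected by the "notification" side.
    public static bool CanRoundTrip(string authAppName, string notificationAppName)
    {
        const string purpose = "AccessToken"; // placeholder purpose string
        const string payload = "user-id=42;role=Administrator"; // constructed sample payload

        var issued = ProtectorFor(authAppName, purpose).Protect(payload);
        try
        {
            var plaintext = ProtectorFor(notificationAppName, purpose).Unprotect(issued);
            return plaintext == payload;
        }
        catch (CryptographicException)
        {
            // Same master key, different discriminator -> different derived subkeys -> failure.
            return false;
        }
    }

    public static void Main()
    {
        Console.WriteLine("same name:      " + CanRoundTrip("Your application name", "Your application name"));
        Console.WriteLine("different name: " + CanRoundTrip("Your application name", "NotificationService"));
    }
}
```

With identical application names the round trip succeeds; with different names the second provider derives different subkeys from the same master key and Unprotect throws a CryptographicException, which is the failure an [Authorize] endpoint surfaces as a rejected bearer token. Two caveats for the shared-folder setup: the share must be readable only by the service accounts that need it, and keys persisted to a UNC path are stored unencrypted unless you add ProtectKeysWithDpapi() (Windows) or ProtectKeysWithCertificate(...). If you would rather not share a key ring at all, OpenIddict 2.x can issue JWT access tokens (UseJsonWebTokens()) instead of opaque reference tokens, which the resource services then validate with the JwtBearer handler against the authorization server's signing key.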