我在IdentityServer4项目中使用.NET Core,在我的命令行中使用iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/IdentityServer/IdentityServer4.Quickstart.UI/release/get.ps1'))添加了IdentityServer4 UI依赖项。
这成功添加了UI默认值,但是从UI登录时,我只被重定向回IdentityServer4的登录页面。我注意到默认添加了一些CSP过滤器属性([SecurityHeaders])。
当我从我的Grants控制器中删除此属性时,我正如我想象的那样进入Grants页面,现在我知道这可以防止跨站点脚本和嗅探。
我的问题是我如何在其中使用SecurityHeadersAttribute,因为仍然成功重定向到Grants控制器以成功登录。
使用的测试数据
public static class ApiRecourses
{
public static IEnumerable<ApiResource> Get()
{
return new ApiResource[]
{
new ApiResource("testresource", "testresourcedisplayname")
};
}
}
public static class Clients
{
public static IEnumerable<Client> Get()
{
return new Client[]
{
new Client
{
ClientId = "testclient",
ClientName = "testclientname",
ClientSecrets = new Secret[]
{
new Secret("secret".Sha256())
},
AllowedScopes = new List<string>() {"testresource"},
AllowedGrantTypes = GrantTypes.ResourceOwnerPasswordAndClientCredentials
}
};
}
}
public static IEnumerable<TestUser> Get()
{
return new TestUser[]
{
new TestUser()
{
SubjectId = "1",
Username = "a@b.c",
Password = "password"
}
};
}
ConfigureServices
public void ConfigureServices(IServiceCollection services)
{
var pfxFilePath = Configuration.GetSection("Certificate:PfxFilePath");
var pfxFilePassword = Configuration.GetSection("Certificate:Password");
services.AddIdentityServer()
.AddSigningCredential(new X509Certificate2(pfxFilePath.Value, pfxFilePassword.Value))
.AddInMemoryClients(Clients.Get())
.AddInMemoryApiResources(ApiRecourses.Get())
.AddTestUsers(TestUsers.Get().ToList());
services.AddMvc();
}
配置
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseIdentityServer();
app.UseStaticFiles();
app.UseMvcWithDefaultRoute();
}