Front是React + Redux。返回的是.net Core 2.1 Web API
使用KeyCloak作为SSO。通过OpenId Connect连接。
使用this文章作为我的代码的基础。
这是我的配置。
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
services.AddAuthentication(options =>
options.DefaultSignOutScheme =
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
)
.AddJwtBearer(options =>
{
options.Audience = "serviceName";
options.Authority = "http://meycloakserver/auth/realms/myrealm";
options.RequireHttpsMetadata = false;
options.SaveToken = true;
options.IncludeErrorDetails = true;
options.Events = new JwtBearerEvents
{
OnAuthenticationFailed = (context) =>
{
context.NoResult();
context.Response.StatusCode = 401;
context.Response.ContentType = "application/json";
return context.Response.WriteAsync(
JsonConvert.SerializeObject(new ApiResponse(401, null, null)));
}
};
});
对于不带有承载令牌的请求,响应为401未经授权。没关系。 响应示例JSON:
{
"code": 401,
"message": "Unauthorized",
"payload": null,
"success": false
}
我想自动生成我的keycloak服务器的身份验证URL并将其发送到客户端应用程序,以便它可以将用户重定向到其登录页面。
如果我使用这样的cookie身份验证:
services.AddAuthentication(options => ... )
.AddCookie("Cookies")
.AddOpenIdConnect(options => ... )
对于所有未授权的请求,它将重定向到有效的keycloak登录页面。因此它可以自动执行。
http://meycloakserver/auth/realms/myrealm/protocol/openid-connect/auth?client_id=myservice&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fsignin-oidc&response_type=code&scope=openid%20profile&response_mode=form_post&nonce=636717449970904820.YjEzYWJkYTQtNGNmNy00ODc1LTllODEtMmE1NWU4MTUyMjFkODAzMzVmMjQtYjFjZC00OTdhLWEzZDMtMjBmMWM0MjM0N2Uw&state=CfDJ8EPjlwagOs9DsswIsauVFivnRIzrMmY50C1_3kT4IBGT1r4y3Z5r0uBGQ6Hg1QiqtygIR19YfssAuHwAT1L9xRm_ssrNJbBZ8j2V0vBRLvXQH5ibxvcIQVW4sfT2r8K5Vfl2na7BwqH8RKqqG8hoWzwaIYGecCSkJyKi-HXHYJLHljx6u7Udxu3RAXss3qXFgG-jVddwCkwRmxmNDUJc_3KsCIpqVWKcep8FVwtkk8YC_gTWO1Z862tuv8bvbjouvD88YkRsqBX4tc-RRuG-rB2z8zNDtwiWPpmDiz45SL2Q4HxZcLYwO_RUovwMnLof5WFsUSH-zmKzD_4IHSWJx2E&x-client-SKU=ID_NETSTANDARD1_4&x-client-ver=5.2.0.0