我尝试搜索,但是令人惊讶地找不到我的问题的答案。
我正在设计一个Web应用程序,该应用程序将通过Angular具有一个前端接口,并带有多个下游API。如下所示:
[API - A Client] -> [API - A] -> [API - B]
我正在使用IdentityServer4进行身份验证/授权。某些用户会有一个特定的声明,将其称为“ Foo”,并且在通过SPA客户端与API A进行交互时,该声明会从身份验证服务器正确传递到API A(使用隐式流)。
但是,我无法从API A传递到使用客户端凭据的APIB。根据我的阅读/研究,这似乎是正确的行为,因为它具有客户端凭据流。
所以我的问题是,如何将用户声明(“ Foo”)传递到第二层API(API-B)的下游?我需要使用其他流程吗? API-A是否应该将其随请求一起手动传递给API-B?
这是我第一次使用IdentityServer / OpenID connect / OAuth,我可以接受更改。
IdentityServer4配置
public class Config
{
public static IEnumerable<ApiResource> GetApiResources()
{
return new List<ApiResource>
{
new ApiResource("API-B", "API B")
{
UserClaims = { "Foo" }
},
new ApiResource("API-A", "API A")
{
ApiSecrets = {new Secret("Secret") },
UserClaims = { "Foo", },
}
};
}
public static IEnumerable<Client> GetClients()
{
return new List<Client>
{
new Client
{
ClientName = "API-A Client",
ClientId = "API-A_client",
AllowedGrantTypes = GrantTypes.Implicit,
RedirectUris = { "http://localhost:7900/swagger/oauth2-redirect.html" },
PostLogoutRedirectUris = { "http://localhost:7900/" },
RequireConsent = false,
AllowAccessTokensViaBrowser = true,
AllowedScopes = new List<string>(){
"API-A",
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile
}
},
new Client
{
ClientName = "API-A Backend",
ClientId = "API-A_backend",
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets = {new Secret("Secret".Sha256()) },
AllowedScopes = new List<string>()
{
"API-B",
"custom_resource",
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile
},
AlwaysIncludeUserClaimsInIdToken = true,
AlwaysSendClientClaims = true,
}
};
}
public static IEnumerable<IdentityResource> GetIdentityResources()
{
return new List<IdentityResource>
{
new IdentityResources.OpenId(),
new IdentityResources.Profile(),
new IdentityResource("custom_resource", new [] { "Foo" }),
};
}
}
API A身份验证配置
services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
.AddIdentityServerAuthentication(options =>
{
options.Authority = "http://localhost:6900";
options.ApiName = "API-A";
options.RequireHttpsMetadata = false; // dev only!
});
services.AddTransient<AccessTokenDelegatingHandler>((service) => new AccessTokenDelegatingHandler(tokenEndpoint: $"http://localhost:6900/connect/token", clientId: "API-A", clientSecret: "Secret", scope: "API-B"));
services.AddHttpClient<ApiBHttpClient>(client =>
{
client.BaseAddress = new Uri(Configuration["ApiBUri"]);
client.DefaultRequestHeaders.Add("Accept", "application/json");
})
.AddHttpMessageHandler<AccessTokenDelegatingHandler>();
API B身份验证配置
services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
.AddIdentityServerAuthentication(options =>
{
options.Authority = "http://localhost:6900";
options.ApiName = "API-B"; // required audience of access tokens
options.RequireHttpsMetadata = false; // dev only!
options.ApiSecret = "Secret";
});
上面的结果是API-A可以通过IdentityClaims正确访问“ Foo”,但是API-B不能(尽管调用成功)。
感谢您的帮助!
答案 0 :(得分:1)
最终找到了这个GitHub页面,询问了相同的问题:https://github.com/IdentityServer/IdentityServer4/issues/1679
在这里,有关扩展授权的问题,http://docs.identityserver.io/en/release/topics/extension_grants.html是我的确切情况。