将用户声明传递给下游(辅助)API?

时间:2018-09-10 06:40:50

标签: asp.net-core-2.0 identityserver4

我尝试搜索,但是令人惊讶地找不到我的问题的答案。

我正在设计一个Web应用程序,该应用程序将通过Angular具有一个前端接口,并带有多个下游API。如下所示:

 [API - A Client] -> [API - A] -> [API - B]

我正在使用IdentityServer4进行身份验证/授权。某些用户会有一个特定的声明,将其称为“ Foo”,并且在通过SPA客户端与API A进行交互时,该声明会从身份验证服务器正确传递到API A(使用隐式流)。

但是,我无法从API A传递到使用客户端凭据的APIB。根据我的阅读/研究,这似乎是正确的行为,因为它具有客户端凭据流。

所以我的问题是,如何将用户声明(“ Foo”)传递到第二层API(API-B)的下游?我需要使用其他流程吗? API-A是否应该将其随请求一起手动传递给API-B?

这是我第一次使用IdentityServer / OpenID connect / OAuth,我可以接受更改。

IdentityServer4配置

public class Config
{
    public static IEnumerable<ApiResource> GetApiResources()
    {
        return new List<ApiResource>
        {
            new ApiResource("API-B", "API B")
            {
                UserClaims = { "Foo" }
            },
            new ApiResource("API-A", "API A")
            {
                ApiSecrets = {new Secret("Secret") },
                UserClaims = { "Foo",  },
            }
        };
    }

    public static IEnumerable<Client> GetClients()
    {
        return new List<Client>
        {
            new Client
            {
                ClientName = "API-A Client",
                ClientId = "API-A_client",
                AllowedGrantTypes = GrantTypes.Implicit,

                RedirectUris = { "http://localhost:7900/swagger/oauth2-redirect.html" },
                PostLogoutRedirectUris = { "http://localhost:7900/" },

                RequireConsent = false,
                AllowAccessTokensViaBrowser = true,

                AllowedScopes = new List<string>(){
                    "API-A",
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile
                }
            },

            new Client
            {
                ClientName = "API-A Backend",
                ClientId = "API-A_backend",
                AllowedGrantTypes = GrantTypes.ClientCredentials,

                ClientSecrets = {new Secret("Secret".Sha256()) },

                AllowedScopes = new List<string>()
                {
                    "API-B",
                    "custom_resource",
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile
                },
                AlwaysIncludeUserClaimsInIdToken = true,
                AlwaysSendClientClaims = true,
            }
        };
    }

    public static IEnumerable<IdentityResource> GetIdentityResources()
    {
        return new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
            new IdentityResource("custom_resource", new [] { "Foo" }),
        };
    }
}

API A身份验证配置

services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "http://localhost:6900";
                options.ApiName = "API-A";
                options.RequireHttpsMetadata = false; // dev only!
            });
services.AddTransient<AccessTokenDelegatingHandler>((service) => new AccessTokenDelegatingHandler(tokenEndpoint: $"http://localhost:6900/connect/token", clientId: "API-A", clientSecret: "Secret", scope: "API-B"));

        services.AddHttpClient<ApiBHttpClient>(client =>
        {
            client.BaseAddress = new Uri(Configuration["ApiBUri"]);
            client.DefaultRequestHeaders.Add("Accept", "application/json");
        })
        .AddHttpMessageHandler<AccessTokenDelegatingHandler>();

API B身份验证配置

    services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "http://localhost:6900";
                options.ApiName = "API-B"; // required audience of access tokens
                options.RequireHttpsMetadata = false; // dev only!
                options.ApiSecret = "Secret";
            });

上面的结果是API-A可以通过IdentityClaims正确访问“ Foo”,但是API-B不能(尽管调用成功)。

感谢您的帮助!

1 个答案:

答案 0 :(得分:1)

最终找到了这个GitHub页面,询问了相同的问题:https://github.com/IdentityServer/IdentityServer4/issues/1679

在这里,有关扩展授权的问题,http://docs.identityserver.io/en/release/topics/extension_grants.html是我的确切情况。