带有令牌的IdentityServer调用API已传递给MVC客户端并带有混合流

时间:2018-12-13 15:13:03

标签: c# asp.net-core identityserver4

所以我有以下项目的解决方案: -我的授权服务器(带有身份的身份服务器)的MVC -MVC客户端 -MVC API

我想要实现的目的是让用户在授权服务器的帮助下在MVC客户端中进行连接,然后使用提供的访问令牌来调用我的API。

所以我有以下配置:

授权服务器:

在Startup.cs中:

            // Add Identity Server 4
        services.AddIdentityServer()
            .AddSigningCredential(cert)
            .AddInMemoryPersistedGrants()
            .AddClientStore<ClientStore>()
            .AddResourceStore<ResourceStore>()
            .AddAspNetIdentity<User>();

        services.AddAuthentication().AddMicrosoftAccount(microsoftOptions =>
        {
            microsoftOptions.ClientId = Configuration["Authentication:Microsoft:ApplicationId"];
            microsoftOptions.ClientSecret = Configuration["Authentication:Microsoft:Password"];
        });

客户端的配置:

new Client
            {
                ClientId = "EchinoManagerMVC",
                ClientName = "MVC for Echino Manager",
                AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,

                ClientSecrets =
                {
                    new Secret("EchinoManagerMVCSecret".Sha256())
                },

                // where to redirect to after login
                RedirectUris = { "https://localhost:44380/signin-oidc" },

                // where to redirect to after logout
                PostLogoutRedirectUris = { "https://localhost:44380/signout-callback-oidc" },

                AllowedScopes = new List<string>
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "echinomanagerapi"
                },
                AllowOfflineAccess = true,
                AlwaysIncludeUserClaimsInIdToken = true,
                AlwaysSendClientClaims = true,
                RequireConsent = false
            }

我的APIResource:

                new ApiResource
            {
                Name = "EchinoManagerAPI",
                ApiSecrets =
                {
                    new Secret("EchinoManagerAPISecret".Sha256())
                },

                UserClaims =
                {
                    JwtClaimTypes.Email
                },

                Scopes =
                {
                    new Scope()
                    {
                        Name = "echinomanagerapi",
                        DisplayName = "Access to the API of Echino Manager"
                    }
                }
            }

在我的MVC客户端中:

Startup.cs:

public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // This lambda determines whether user consent for non-essential cookies is needed for a given request.
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });

        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = "Cookies";
            options.DefaultChallengeScheme = "oidc";
        })
        .AddCookie("Cookies")
        .AddOpenIdConnect("oidc", options =>
        {
            options.SignInScheme = "Cookies";

            options.Authority = Configuration["ApplicationOptions:AuthorizeServer"];

            options.ClientId = Configuration["ApplicationOptions:ClientId"];
            options.ClientSecret = Configuration["ApplicationOptions:ClientSecret"];
            options.ResponseType = "code id_token";
            options.SaveTokens = true;
            options.GetClaimsFromUserInfoEndpoint = true;

            options.Scope.Add("echinomanagerapi");
            options.Scope.Add("offline_access");
        });

        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
    }

在我的控制器中调用API:

    [Authorize]
public class TenantController : Controller
{
    public async Task<IActionResult> Index()
    {
        var accessToken = await HttpContext.GetTokenAsync("access_token");

        var client = new HttpClient();

        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        //var content = await client.GetStringAsync("https://loginservices.echino2.p.azurewebsites.net/echinoapi/tenant");
        //var content = await client.GetStringAsync("https://localhost:44366/echinoapi/tenant");
        var content = await client.GetStringAsync("https://localhost:44300/api/values");

        ViewBag.Json = JArray.Parse(content).ToString();
        return View();
    }
}

在我的MVC API中:

        public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);

        services.AddAuthorization();

        services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = Configuration["ApplicationOptions:AuthorizeServer"];
            options.ApiName = Configuration["ApplicationOptions:ApiName"];
            options.ApiSecret = Configuration["ApplicationOptions:ApiSecret"];
        });
    }

控制器:

    [Route("api/[controller]")]
[ApiController]
[Authorize(AuthenticationSchemes = "Bearer")]
public class ValuesController : ControllerBase
{
    // GET api/values
    [HttpGet]
    public ActionResult<IEnumerable<string>> Get()
    {
        return new string[] { "value1", "value2" };
    }

    // GET api/values/5
    [HttpGet("{id}")]
    public ActionResult<string> Get(int id)
    {
        return "value";
    }
}

因此,当我启动解决方案并在MVC客户端中访问/ tenant时,会将我重定向到必须登录的授权服务器,然后重新进入MVC客户端。这部分工作正常。

但是我对API的调用返回了未经授权的401。

我检查了我的租户控制器中是否有访问令牌,例如:

eyJhbGciOiJSUzI1NiIsImtpZCI6IjJFMzdFNzQ5N0RCODI4QzRFNzdFQUI4NTE4MDU3OUZGQ0IwMDgwMTAiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJMamZuU1gyNEtNVG5mcXVGR0FWNV84c0FnQkEifQ.eyJuYmYiOjE1NDQ3MDQ1OTksImV4cCI6MTU0NDcwODE5OSwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzMzQiLCJhdWQiOlsiaH​​R0cHM6Ly9sb2NhbGhvc3Q6NDQzMzQvcmVzb3VyY2VzIiwiRWNoaW5vTWFuYWdlckFQSSJdLCJjbGllbnRfaWQiOiJFY2hpbm9NYW5hZ2VyTVZDIiwic3ViIjoiNWMxMjMyZTIzYWExODE3MGVjYTJmMjdlIiwiYXV0aF90aW1lIjoxNTQ0NzA0NTk5LCJpZHAiOiJsb2NhbCIsImVtYWlsIjoic3RlcGhhbmUubWFydGlnbmllcjFAd2l0Y2hsYWtlLmNoIiwic2NvcGUiOlsib3BlbmlkIiwicHJvZmlsZSIsImVjaGlub21hbmFnZXJhcGkiLCJvZmZsaW5lX2FjY2VzcyJdLCJhbXIiOlsicHdkIl19.g61xKFcROTDuw_rmFWLHKSoJIIhyzzil-hPK44PvCioKVeeKB3ZrKtmNvw0aa240e_6Y6X2r3QZ2CR0V3T-lZmAJeIm0oN8MznUNjKB-h5FxxVvwwnbBU3_HYS5fNIl6XhKeOZGsIU-ZNBYBZ3FrDwrLPm3uHXVYyCQ5X1ZAldjV1HJ_th6T-PEdQozHZn37EXcqakU4uY1RpiT_ZEMFnllXWZVFBYCEy3OsOmAv5NlD5jkUp2XeuCoQ5vsT1XhO2Qkj5HS398MmJp0wObs-V1dUz2iKVjbQzo3eHZo3lsEiqKfg5lpTxrQHm07sGuyB84utuPYrKFCI_4nkeHF9tM9SEF1Au0DbD2O2nWYUoxa7RjFlMLxOu 1uH6FNLYzBlbhbPsB9rhLK0byySmZM5bAaVHC4e71iyI2ZHJJx_K7VuHkAmqoraJ5KtcJB-zAdkKserdUc7xcPI9scIQpGf28EdrWG_xKUc1OjjtvZApJmKiDc7REFGiAIRA6xm20PSaySEyrQjb2nQxDer9f04bBhignb02NRC_n8sLciw7cOM4yVBW5FKHj_7jCTzU6U1XY65-UX0z_pKkvrxtqJpRl8JexEU7c6XQ6FcCwXB6TKxhZ7NzjgS6vmSMRXrEBEgtnWqrZv5A_sA7yhVeLHbSfx94nPUc4ru6POWbSzFja8

(使用JWT.io查看内容)。

显然我的验证受众存在问题,因为在我的日志中可以找到:

“受众群体验证失败。受众群体:'https://localhost:44334/resources,EchinoManagerAPI。不匹配:validationParameters.ValidAudience:'EchinoManagerMVC'或validationParameters.ValidAudiences:'null'。”

所以我的问题是:我的配置中缺少什么,因此我可以使用授权服务器提供的access_token来调用我的API?

预先感谢

1 个答案:

答案 0 :(得分:0)

这里有同样的问题,但是你可以代替

.AddIdentityServerAuthentication(options =>
    {
        options.Authority = Configuration["ApplicationOptions:AuthorizeServer"];
        options.ApiName = Configuration["ApplicationOptions:ApiName"];
        options.ApiSecret = Configuration["ApplicationOptions:ApiSecret"];
    });

使用

     .AddJwtBearer(options =>
        {
            options.Authority = Configuration["ApplicationOptions:AuthorizeServer"];
            options.RequireHttpsMetadata = false;
            options.Audience = "api1";
        });
相关问题
最新问题