Forwarded authenticated request is unauthorized

Time: 2020-08-07 11:51:51

Tags: authentication .net-core microservices ocelot

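I managed to authenticate API calls to Ocelot with IdentityServer4 by following the instructions here, but when the request reaches the target service, the authorization header seems to be there, yet scopes, claims, etc. cannot be checked.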

When I make an authenticated call to /test/weatherforecast from my SPA, I get this in the Ocelot log:

      Request starting HTTP/2 OPTIONS https://localhost:5005/test/weatherforecast  
[11:35:59 INF] Request starting HTTP/2 OPTIONS https://localhost:5005/test/weatherforecast   <s:Microsoft.AspNetCore.Hosting.Diagnostics>
info: Microsoft.AspNetCore.Cors.Infrastructure.CorsService[4]
      CORS policy execution successful.
[11:35:59 INF] CORS policy execution successful. <s:Microsoft.AspNetCore.Cors.Infrastructure.CorsService>
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished in 41.902ms 204 
[11:35:59 INF] Request finished in 41.902ms 204  <s:Microsoft.AspNetCore.Hosting.Diagnostics>
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/2 GET https://localhost:5005/test/weatherforecast application/json 
[11:35:59 INF] Request starting HTTP/2 GET https://localhost:5005/test/weatherforecast application/json  <s:Microsoft.AspNetCore.Hosting.Diagnostics>
info: Microsoft.AspNetCore.Cors.Infrastructure.CorsService[4]
      CORS policy execution successful.
[11:35:59 INF] CORS policy execution successful. <s:Microsoft.AspNetCore.Cors.Infrastructure.CorsService>
info: Ocelot.RateLimit.Middleware.ClientRateLimitMiddleware[0]
      requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: EndpointRateLimiting is not enabled for /{everything}
[11:35:59 INF] requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: EndpointRateLimiting is not enabled for /{everything} <s:Ocelot.RateLimit.Middleware.ClientRateLimitMiddleware>
info: Ocelot.Authentication.Middleware.AuthenticationMiddleware[0]
      requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: /test/weatherforecast is an authenticated route. AuthenticationMiddleware checking if client is authenticated
[11:35:59 INF] requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: /test/weatherforecast is an authenticated route. AuthenticationMiddleware checking if client is authenticated <s:Ocelot.Authentication.Middleware.AuthenticationMiddleware>
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[2]
      Successfully validated the token.
[11:36:00 INF] Successfully validated the token. <s:Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler>
info: Ocelot.Authentication.Middleware.AuthenticationMiddleware[0]
      requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: Client has been authenticated for /test/weatherforecast
[11:36:00 INF] requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: Client has been authenticated for /test/weatherforecast <s:Ocelot.Authentication.Middleware.AuthenticationMiddleware>
info: Ocelot.Authorisation.Middleware.AuthorisationMiddleware[0]
      requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: route is authenticated scopes must be checked
[11:36:00 INF] requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: route is authenticated scopes must be checked <s:Ocelot.Authorisation.Middleware.AuthorisationMiddleware>
info: Ocelot.Authorisation.Middleware.AuthorisationMiddleware[0]
      requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: user scopes is authorised calling next authorisation checks
[11:36:00 INF] requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: user scopes is authorised calling next authorisation checks <s:Ocelot.Authorisation.Middleware.AuthorisationMiddleware>
info: Ocelot.Authorisation.Middleware.AuthorisationMiddleware[0]
      requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: /{everything} route does not require user to be authorised
[11:36:00 INF] requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: /{everything} route does not require user to be authorised <s:Ocelot.Authorisation.Middleware.AuthorisationMiddleware>
warn: Ocelot.Requester.Middleware.HttpRequesterMiddleware[0]
      requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: 401 (Unauthorized) status code, request uri: http://webapplication1/weatherforecast
[11:36:01 WRN] requestId: 0HM1QOO77J8KJ:00000003, previousRequestId: no previous request id, message: 401 (Unauthorized) status code, request uri: http://webapplication1/weatherforecast <s:Ocelot.Requester.Middleware.HttpRequesterMiddleware>
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished in 1622.9384ms 401 
[11:36:01 INF] Request finished in 1622.9384ms 401  <s:Microsoft.AspNetCore.Hosting.Diagnostics>

My Ocelot startup.cs

[...]
var authenticationProviderKey = "TestKey";

services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
    .AddIdentityServerAuthentication(authenticationProviderKey, options =>
    {
        options.Authority = "https://identity";
        options.ApiName = "myproject.api";
        options.SupportedTokens = SupportedTokens.Both;
    });
[...]

Ocelot configuration

{
  "Routes": [
    {
      "ReRouteIsCaseSensitive": false,
      "DownstreamPathTemplate": "/{everything}",
      "DownstreamScheme": "http",
      "DownstreamHostAndPorts": [
        {
          "Host": "webapplication1",
          "Port": 80
        }
      ],
      "UpstreamPathTemplate": "/test/{everything}",
      "AuthenticationOptions": {
        "AuthenticationProviderKey": "TestKey",
        "AllowedScopes": ["api"]
      }
    }
  ],
  "GlobalConfiguration": {
    // "BaseUrl": "https://api.mybusiness.com"
  }
}

My service startup.cs

[...]
services.AddAuthentication("Bearer")
    .AddJwtBearer("Bearer", options =>
    {
        options.Authority = "https://identity";
    });
[...]

My service controller

[ApiController]
[Authorize]
[Route("[controller]")]
public class WeatherForecastController : ControllerBase
{
    [HttpGet]
    public IEnumerable<WeatherForecast> Get()
    {
[...default stuff...]

The user making the call also has other claims and roles, which I tried to check, but in the service controller User is empty.

0 answers:

No answers
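
An added diagnostic example, not part of the original post: the gateway log above records only that http://webapplication1/weatherforecast answered 401, not why. Assuming the downstream service runs ASP.NET Core 3.x with the JwtBearer handler shown in the question, these event hooks make that service log the reason; the `Warn` helper and the `JwtDiagnostics` logger category are hypothetical names.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddAuthentication("Bearer").AddJwtBearer("Bearer", options =>
        {
            options.Authority = "https://identity"; // value from the question
            options.Events = new JwtBearerEvents
            {
                // Token was read but rejected (signature, issuer, audience, lifetime,
                // or the authority's metadata could not be fetched).
                OnAuthenticationFailed = ctx => Warn(ctx.HttpContext, ctx.Exception,
                    "Bearer token rejected for {Path}", ctx.Request.Path),
                // Token accepted: log claim types only, never the token or claim values.
                OnTokenValidated = ctx => Warn(ctx.HttpContext, null,
                    "Token accepted, claim types: {Types}",
                    string.Join(", ", ctx.Principal.Claims.Select(c => c.Type).Distinct())),
                // Runs before the 401 is written, also when no token was found at all.
                OnChallenge = ctx => Warn(ctx.HttpContext, ctx.AuthenticateFailure,
                    "401 challenge: Authorization header present={HasHeader}, error={Error}",
                    ctx.Request.Headers.ContainsKey("Authorization"), ctx.Error)
            };
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication(); // populates HttpContext.User; must precede UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }

    // Hypothetical helper: logs under the made-up category "JwtDiagnostics".
    private static Task Warn(HttpContext http, Exception ex, string template, params object[] args)
    {
        var log = http.RequestServices.GetRequiredService<ILoggerFactory>().CreateLogger("JwtDiagnostics");
        log.LogWarning(ex, template, args);
        return Task.CompletedTask;
    }
}
```

The exception logged by `OnAuthenticationFailed` names the failed check, which separates a token the service cannot validate from a token that never reached the handler.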