前言
開發授權服務框架一般使用OAuth2.0授權框架,而開發Webapi的授權更應該使用OAuth2.0授權標准,OAuth2.0授權框架文檔說明參考:https://tools.ietf.org/html/rfc6749
.NET Core開發OAuth2.0的項目需要使用IdentityServer4,可參考:https://identityserver4.readthedocs.io/en/dev/
IdentityServer4源碼:https://github.com/IdentityServer
如果在.NET中開發OAuth2.0的項目可使用OWIN,可參考實例源碼:https://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server
實現ResourceOwnerPassword和client credentials模式:
授權服務器:
Program.cs --> Main方法中:需要調用UseUrls設置IdentityServer4授權服務的IP地址
1 var host = new WebHostBuilder() 2 .UseKestrel() 3 //IdentityServer4的使用需要配置UseUrls 4 .UseUrls("http://localhost:4537") 5 .UseContentRoot(Directory.GetCurrentDirectory()) 6 .UseIISIntegration() 7 .UseStartup<Startup>() 8 .Build();
Startup.cs -->ConfigureServices方法中:
1 //RSA:證書長度2048以上,否則拋異常 2 //配置AccessToken的加密證書 3 var rsa = new RSACryptoServiceProvider(); 4 //從配置文件獲取加密證書 5 rsa.ImportCspBlob(Convert.FromBase64String(Configuration["SigningCredential"])); 6 //IdentityServer4授權服務配置 7 services.AddIdentityServer() 8 .AddSigningCredential(new RsaSecurityKey(rsa)) //設置加密證書 9 //.AddTemporarySigningCredential() //測試的時候可使用臨時的證書 10 .AddInMemoryScopes(OAuth2Config.GetScopes()) 11 .AddInMemoryClients(OAuth2Config.GetClients()) 12 //如果是client credentials模式那么就不需要設置驗證User了 13 .AddResourceOwnerValidator<MyUserValidator>() //User驗證接口 14 //.AddInMemoryUsers(OAuth2Config.GetUsers()) //將固定的Users加入到內存中 15 ;
Startup.cs --> Configure方法中:
1 //使用IdentityServer4的授權服務 2 app.UseIdentityServer();
Client配置
在Startup.cs中通過AddInMemoryClients(OAuth2Config.GetClients())設置到內存中,配置:
1 new Client 2 { 3 //client_id 4 ClientId = "pwd_client", 5 //AllowedGrantTypes = new string[] { GrantType.ClientCredentials }, //Client Credentials模式 6 AllowedGrantTypes = new string[] { GrantType.ResourceOwnerPassword }, //Resource Owner Password模式 7 //client_secret 8 ClientSecrets = 9 { 10 new Secret("pwd_secret".Sha256()) 11 }, 12 //scope 13 AllowedScopes = 14 { 15 "api1", 16 //如果想帶有RefreshToken,那么必須設置:StandardScopes.OfflineAccess 17 //如果是Client Credentials模式不支持RefreshToken的,就不需要設置OfflineAccess 18 StandardScopes.OfflineAccess.Name, 19 }, 20 //AccessTokenLifetime = 3600, //AccessToken的過期時間, in seconds (defaults to 3600 seconds / 1 hour) 21 //AbsoluteRefreshTokenLifetime = 60, //RefreshToken的最大過期時間,in seconds. Defaults to 2592000 seconds / 30 day 22 //RefreshTokenUsage = TokenUsage.OneTimeOnly, //默認狀態,RefreshToken只能使用一次,使用一次之后舊的就不能使用了,只能使用新的RefreshToken 23 //RefreshTokenUsage = TokenUsage.ReUse, //可重復使用RefreshToken,RefreshToken,當然過期了就不能使用了 24 }
Scope設置
在Startup.cs中通過AddInMemoryScopes(OAuth2Config.GetScopes())設置到內存中,配置:
1 public static IEnumerable<Scope> GetScopes() 2 { 3 return new List<Scope> 4 { 5 new Scope 6 { 7 Name = "api1", 8 Description = "My API", 9 }, 10 //如果想帶有RefreshToken,那么必須設置:StandardScopes.OfflineAccess 11 StandardScopes.OfflineAccess, 12 }; 13 }
賬號密碼驗證
Resource Owner Password模式需要對賬號密碼進行驗證(如果是client credentials模式則不需要對賬號密碼驗證了):
方式一:將Users加入到內存中,IdentityServer4從中獲取對賬號和密碼進行驗證:
.AddInMemoryUsers(OAuth2Config.GetUsers())
方式二(推薦):實現IResourceOwnerPasswordValidator接口進行驗證:
.AddResourceOwnerValidator<MyUserValidator>()
IResourceOwnerPasswordValidator的實現:
1 public class MyUserValidator : IResourceOwnerPasswordValidator 2 { 3 public Task ValidateAsync(ResourceOwnerPasswordValidationContext context) 4 { 5 if (context.UserName == "admin" && context.Password == "123") 6 { 7 //驗證成功 8 //使用subject可用於在資源服務器區分用戶身份等等 9 //獲取:資源服務器通過User.Claims.Where(l => l.Type == "sub").FirstOrDefault();獲取 10 context.Result = new GrantValidationResult(subject: "admin", authenticationMethod: "custom"); 11 } 12 else 13 { 14 //驗證失敗 15 context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "invalid custom credential"); 16 } 17 return Task.FromResult(0); 18 } 19 }
設置加密證書
通過AddSigningCredential方法設置RSA的加密證書(注意:默認是使用臨時證書的,就是AddTemporarySigningCredential(),無論如何不應該使用臨時證書,因為每次重啟授權服務,就會重新生成新的臨時證書),RSA加密證書長度要2048以上,否則服務運行會拋異常
Startup.cs -->ConfigureServices方法中的配置:
1 //RSA:證書長度2048以上,否則拋異常 2 //配置AccessToken的加密證書 3 var rsa = new RSACryptoServiceProvider(); 4 //從配置文件獲取加密證書 5 rsa.ImportCspBlob(Convert.FromBase64String(Configuration["SigningCredential"])); 6 services.AddIdentityServer() 7 .AddSigningCredential(new RsaSecurityKey(rsa)) //設置加密證書
如何生成RSA加密證書(將生成的PrivateKey配置到IdentityServer4中,可以設置到配置文件中):
1 using (RSACryptoServiceProvider provider = new RSACryptoServiceProvider(2048)) 2 { 3 //Console.WriteLine(Convert.ToBase64String(provider.ExportCspBlob(false))); //PublicKey 4 Console.WriteLine(Convert.ToBase64String(provider.ExportCspBlob(true))); //PrivateKey 5 }
資源服務器
Program.cs -> Main方法中:
1 var host = new WebHostBuilder() 2 .UseKestrel() 3 //IdentityServer4的使用需要配置UseUrls 4 .UseUrls("http://localhost:4823") 5 .UseContentRoot(Directory.GetCurrentDirectory()) 6 .UseIISIntegration() 7 .UseStartup<Startup>() 8 .Build();
Startup.cs --> Configure方法中的配置:
//使用IdentityServer4的資源服務並配置 app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions { Authority = "http://localhost:4537/", ScopeName = "api1", SaveToken = true, AdditionalScopes = new string[] { "offline_access" }, //添加額外的scope,offline_access為Refresh Token的獲取Scope RequireHttpsMetadata = false, });
需要進行授權驗證的資源接口(控制器或方法)上設置AuthorizeAttribute:
1 [Authorize] 2 [Route("api/[controller]")] 3 public class ValuesController : Controller
測試
resource owner password模式測試代碼:
1 public static void TestResourceOwnerPassword() 2 { 3 var client = new HttpClientHepler("http://localhost:4537/connect/token"); 4 string accessToken = null, refreshToken = null; 5 //獲取AccessToken 6 client.PostAsync(null, 7 "grant_type=" + "password" + 8 "&username=" + "admin" + 9 "&password=" + "123" + 10 "&client_id=" + "pwd_client" + 11 "&client_secret=" + "pwd_secret" + 12 "&scope=" + "api1 offline_access", //scope需要用空格隔開,offline_access為獲取RefreshToken 13 hd => hd.ContentType = new MediaTypeHeaderValue("application/x-www-form-urlencoded"), 14 rtnVal => 15 { 16 var jsonVal = JsonConvert.DeserializeObject<dynamic>(rtnVal); 17 accessToken = jsonVal.access_token; 18 refreshToken = jsonVal.refresh_token; 19 }, 20 fault => Console.WriteLine(fault), 21 ex => Console.WriteLine(ex)).Wait(); 22 23 if (!string.IsNullOrEmpty(refreshToken)) 24 { 25 //使用RefreshToken獲取新的AccessToken 26 client.PostAsync(null, 27 "grant_type=" + "refresh_token" + 28 "&client_id=" + "pwd_client" + 29 "&client_secret=" + "pwd_secret" + 30 "&refresh_token=" + refreshToken, 31 hd => hd.ContentType = new MediaTypeHeaderValue("application/x-www-form-urlencoded"), 32 rtnVal => Console.WriteLine("refresh之后的結果: \r\n" + rtnVal), 33 fault => Console.WriteLine(fault), 34 ex => Console.WriteLine(ex)).Wait(); 35 } 36 37 if (!string.IsNullOrEmpty(accessToken)) 38 { 39 //訪問資源服務 40 client.Url = "http://localhost:4823/api/values"; 41 client.GetAsync(null, 42 hd => hd.Add("Authorization", "Bearer " + accessToken), 43 rtnVal => Console.WriteLine("\r\n訪問資源服: \r\n" + rtnVal), 44 fault => Console.WriteLine(fault), 45 ex => Console.WriteLine(ex)).Wait(); 46 } 47 }
client credentials模式測試代碼:
1 public static void TestClientCredentials() 2 { 3 var client = new HttpClientHepler("http://localhost:4537/connect/token"); 4 string accessToken = null; 5 //獲取AccessToken 6 client.PostAsync(null, 7 "grant_type=" + "client_credentials" + 8 "&client_id=" + "credt_client" + 9 "&client_secret=" + "credt_secret" + 10 "&scope=" + "api1", //不要加上offline_access,因為Client Credentials模式不支持RefreshToken的,不然會授權失敗 11 hd => hd.ContentType = new MediaTypeHeaderValue("application/x-www-form-urlencoded"), 12 rtnVal => 13 { 14 var jsonVal = JsonConvert.DeserializeObject<dynamic>(rtnVal); 15 accessToken = jsonVal.access_token; 16 }, 17 fault => Console.WriteLine(fault), 18 ex => Console.WriteLine(ex)).Wait(); 19 20 if (!string.IsNullOrEmpty(accessToken)) 21 { 22 //訪問資源服務 23 client.Url = "http://localhost:4823/api/values"; 24 client.GetAsync(null, 25 hd => hd.Add("Authorization", "Bearer " + accessToken), 26 rtnVal => Console.WriteLine("訪問資源服: \r\n" + rtnVal), 27 fault => Console.WriteLine(fault), 28 ex => Console.WriteLine(ex)).Wait(); 29 } 30 }
注意
1.RefreshToken默認實現是存儲在內存中的,因此如果授權服務重啟了那么這些RefreshToken就清空了,也就無法通過RefreshToken獲取新的AccessToken了,那么需要實現IPersistedGrantStore接口對Refresh Token等等這些數據進行存儲到數據庫或者NoSql(Redis)中,如果實現IPersistedGrantStore接口可參考http://www.cnblogs.com/skig/p/AspNetCoreAuthCode.html中的源碼;
2.資源服務器在第一次解析AccessToken的時候會先到授權服務器獲取配置數據(例如會訪問:http://localhost:4537/.well-known/openid-configuration 獲取配置的,http://localhost:4537/.well-known/openid-configuration/jwks 獲取jwks)),之后解析AccessToken都會使用第一次獲取到的配置數據,因此如果授權服務的配置更改了(加密證書等等修改了),那么應該重啟資源服務器使之重新獲取新的配置數據;
3.調試IdentityServer4框架的時候應該配置好ILogger,因為授權過程中的訪問(例如授權失敗等等)信息都會調用ILogger進行日志記錄,可使用NLog,例如:
在Startup.cs --> Configure方法中配置:loggerFactory.AddNLog();//添加NLog
源碼:http://files.cnblogs.com/files/skig/OAuth2CredentialsAndPassword.zip