在上一篇中配置了一個基礎的 idrserver 服務端。
這篇文章將對服務端做一些變化,這裡我先貼一下上一章中的代碼:
證書:
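/// <summary>
/// Loads the certificate IdentityServer uses to sign tokens. The PFX is read
/// from an embedded resource of this assembly.
/// </summary>
static class Certificate
{
    // Manifest resource name of the embedded PFX: default namespace + folder +
    // file name, case-sensitive. A mismatch makes GetManifestResourceStream return null.
    private const string ResourceName = "OAuthWeb.IdrConfig.idsrv3test.pfx";

    // NOTE(review): this is the IdentityServer3 sample/test certificate (the file
    // name says as much) and its password is committed to source. Whoever holds
    // this private key can mint tokens that every relying party of this server
    // accepts, so it is suitable for local development only; production needs a
    // privately generated key whose password is not kept in the repository.
    private const string PfxPassword = "idsrv3test";

    /// <summary>
    /// Reads the embedded PFX and materialises it as an <see cref="X509Certificate2"/>.
    /// </summary>
    /// <returns>The signing certificate, including its private key.</returns>
    /// <exception cref="InvalidOperationException">
    /// The embedded resource is missing (wrong resource name, or the file's
    /// Build Action is not "Embedded Resource").
    /// </exception>
    public static X509Certificate2 Get()
    {
        var assembly = typeof(Certificate).Assembly;
        using (var stream = assembly.GetManifestResourceStream(ResourceName))
        {
            // The original passed a null stream straight into ReadStream and died
            // with a NullReferenceException; report the actual problem instead.
            if (stream == null)
            {
                throw new InvalidOperationException(
                    "Embedded resource '" + ResourceName + "' was not found in assembly '"
                    + assembly.FullName + "'.");
            }

            return new X509Certificate2(ReadStream(stream), PfxPassword);
        }
    }

    /// <summary>Copies the remaining content of a stream into a byte array.</summary>
    /// <param name="input">Stream positioned at the start of the data; it is not disposed here.</param>
    /// <returns>All bytes read from <paramref name="input"/>.</returns>
    private static byte[] ReadStream(Stream input)
    {
        using (var ms = new MemoryStream())
        {
            // Stream.CopyTo performs the buffered read loop the original hand-rolled.
            input.CopyTo(ms);
            return ms.ToArray();
        }
    }
}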
Clients:
/// <summary>
/// In-memory client registrations for the IdentityServer3 sample. Each entry
/// pins the flow a client may use, the scopes it may request and, for
/// confidential clients, the hashed secret it must present.
/// </summary>
public class Clients
{
    // The plaintext secrets live in this source file. Only the SHA-256 hash is
    // handed to IdentityServer, but anyone who can read the source can
    // authenticate as these clients, so treat them as sample-only values.
    private const string SiliconSecret = "F621F470-9731-4A25-80EF-67A6F7C5F4B8";

    // Shared by the "carbon" and "mvc" registrations below; compromising one
    // client's secret therefore compromises the other as well.
    private const string SharedSecret = "21B5F798-BE55-42BC-8AA8-0025B903DC3B";

    /// <summary>Returns the four registered clients.</summary>
    public static IEnumerable<Client> Get()
    {
        return new[]
        {
            JavaScriptClient(),
            ClientCredentialsClient(),
            ResourceOwnerClient(),
            SsoClient()
        };
    }

    // Browser (JavaScript) client using the implicit flow.
    private static Client JavaScriptClient()
    {
        return new Client
        {
            Enabled = true,
            ClientName = "JS Client",
            ClientId = "js",
            Flow = Flows.Implicit,
            // Plain-http redirect: tokens return in the URL fragment over an
            // unencrypted connection. Acceptable on a LAN test box, not in production.
            RedirectUris = new List<string> { "http://192.168.0.42:44319/Home/Contact" },
            // The CORS origin is a different host/port than the redirect URI;
            // presumably the JS test page is served from localhost:20241 — verify.
            AllowedCorsOrigins = new List<string> { "http://localhost:20241" },
            // Grants every registered scope, including any added later, instead
            // of an explicit AllowedScopes list.
            AllowAccessToAllScopes = true
        };
    }

    // Machine-to-machine client (client credentials grant), limited to "api1".
    private static Client ClientCredentialsClient()
    {
        return new Client
        {
            ClientName = "Silicon-only Client",
            ClientId = "silicon",
            Enabled = true,
            AccessTokenType = AccessTokenType.Reference,
            Flow = Flows.ClientCredentials,
            ClientSecrets = new List<Secret> { new Secret(SiliconSecret.Sha256()) },
            // Only the scopes listed here may be requested by this client.
            AllowedScopes = new List<string> { "api1" }
        };
    }

    // Resource owner password credentials grant: the client collects the user's
    // password itself and exchanges it for a token, limited to "api1".
    private static Client ResourceOwnerClient()
    {
        return new Client
        {
            ClientName = "Silicon on behalf of Carbon Client",
            ClientId = "carbon",
            Enabled = true,
            AccessTokenType = AccessTokenType.Reference,
            Flow = Flows.ResourceOwner,
            ClientSecrets = new List<Secret> { new Secret(SharedSecret.Sha256()) },
            AllowedScopes = new List<string> { "api1" }
        };
    }

    // Web-site SSO client (implicit flow) requesting only identity scopes.
    private static Client SsoClient()
    {
        return new Client
        {
            Enabled = true,
            ClientName = "SSO",
            ClientId = "mvc",
            Flow = Flows.Implicit,
            // Users are not shown a consent screen for this client.
            RequireConsent = false,
            // NOTE(review): the implicit flow does not present a client secret at
            // the token endpoint, so this secret looks unused for this flow — confirm
            // before relying on it as a security control.
            ClientSecrets = new List<Secret> { new Secret(SharedSecret.Sha256()) },
            AllowedScopes = new List<string>
            {
                Constants.StandardScopes.OpenId,
                Constants.StandardScopes.Profile
            }
        };
    }
}
Scopes:
/// <summary>
/// Scopes this IdentityServer exposes: the standard openid/profile identity
/// scopes plus one custom resource scope, "api1".
/// </summary>
public class Scopes
{
    /// <summary>Returns the registered scopes.</summary>
    public static List<Scope> Get()
    {
        var registered = new List<Scope>
        {
            IdentityServer3.Core.Models.StandardScopes.OpenId,
            IdentityServer3.Core.Models.StandardScopes.Profile
        };

        // Custom API scope. Clients are registered with AllowedScopes = { "api1" }
        // and must name this scope when requesting a token.
        registered.Add(new Scope { Name = "api1" });

        return registered;
    }
}
users:
/// <summary>
/// In-memory test users for the IdentityServer3 sample.
/// </summary>
public class Users
{
    /// <summary>Returns the two sample users.</summary>
    public static List<InMemoryUser> Get()
    {
        // NOTE(review): passwords are plaintext literals in source and both users
        // share the same one. This in-memory store is for demos only; a real
        // deployment needs a user store with hashed credentials.
        var bob = new InMemoryUser
        {
            Username = "bob",
            Password = "secret",
            // Subject is the stable user identifier placed in issued tokens.
            Subject = "1",
            Claims = new[]
            {
                new Claim(Constants.ClaimTypes.GivenName, "Bob"),
                new Claim(Constants.ClaimTypes.FamilyName, "Smith"),
                new Claim(Constants.ClaimTypes.Email, "bob.smith@email.com")
            }
        };

        // Second user carries no extra claims.
        var alice = new InMemoryUser
        {
            Username = "alice",
            Password = "secret",
            Subject = "2"
        };

        return new List<InMemoryUser> { bob, alice };
    }
}
結合上一章節貼了一些代碼,代碼中略有刪減
有了這個 idrserver,怎麼來做自己的 SSO 呢?
假如我有一個網站 A 需要 IdrServer 提供認證,這就涉及到了 OpenID。
新建一個站點A 添加nuget包
Microsoft.Owin.Security.Cookies;
Microsoft.Owin.Security.OpenIdConnect;
Microsoft.Owin.Host.SystemWeb;
// Local cookie that holds the signed-in session after the OpenID Connect
// handshake completes; OIDC below signs in under this same authentication type.
var cookieOptions = new CookieAuthenticationOptions
{
    AuthenticationType = "Cookies"
};
app.UseCookieAuthentication(cookieOptions);

var oidcOptions = new OpenIdConnectAuthenticationOptions
{
    // Address of your idrserver. NOTE(review): plain http means the discovery
    // document and signing keys are fetched over an unencrypted connection and
    // could be tampered with on the network; use https outside a lab setup.
    Authority = "http://192.168.0.42:10011/lym",
    // Must match the ClientId registered on the server ("mvc").
    ClientId = "mvc",
    // Must match the scopes the "mvc" client is allowed to request.
    Scope = "openid profile",
    // Where the user is sent after a successful sign-in; must match the server-side
    // registration. NOTE(review): the trimmed "mvc" entry shown in Clients.Get()
    // registers no RedirectUris, so the working setup presumably registers this
    // one — verify.
    RedirectUri = "http://192.168.0.42:44319/",
    // Same requirement after sign-out.
    PostLogoutRedirectUri = "http://192.168.0.42:44319/",
    // Same value the server hashes for the "mvc" (and "carbon") client; it is
    // committed to source here.
    ClientSecret = "21B5F798-BE55-42BC-8AA8-0025B903DC3B",
    // Implicit flow: id_token and access token both return via the front channel.
    // See the configuration docs; the authorization code response type ("code")
    // is another option.
    ResponseType = "id_token token",
    SignInAsAuthenticationType = "Cookies"
};
app.UseOpenIdConnectAuthentication(oidcOptions);
訪問站點A 就會轉到SSO登陸頁面如下圖:

我這里自己定義的登陸界面,可以修改成自己的樣式,風格,能看到登陸界面 說明這一步成功了,下一篇文章將介紹自定義登陸頁面的操作
