IdentityServer4 Password Grant Authentication


 Authorization server setup

Add users

  Add test users; they can also be loaded from a database.

      

public static List<TestUser> GetTestUser()
        {
            return new List<TestUser>() {
                new TestUser(){
                    SubjectId = "1",
                    Username ="zps",
                    Password = "zps",
                    Claims = new List<Claim>(){
                        new Claim("role","zps"),
                        new Claim("aaa","asdasdsd"),
                    }
                },
                 new TestUser(){
                    SubjectId = "2",
                    Username ="admin",
                    Password = "admin",
                     Claims = new List<Claim>(){
                        new Claim("role","admin")
                    }
                }
            };
        }
Add API resources

   Add the API resource. The API's key ("api" here) must match the API listed for the registered client.

  public static IEnumerable<ApiResource> GetResource()
        {
            return new List<ApiResource>(){
                new ApiResource("api","my api")
            };
        }

 

 

Add clients

 

  1.    Client credentials mode
  2.    Password mode
  3.    Authorization code mode
  4.    Hybrid mode

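    The authorization code mode and the MVC (hybrid) mode: ignore these two modes for now.

         // Request consent

               RequireConsent = false,   Pay attention to this property: if it is true, the user is first redirected to the consent page and only then to the RedirectUris.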
 
        
 public static IEnumerable<Client> GetClients()
        {
            return new List<Client>(){
                new Client(){
                    ClientId="client",
                    // Client credentials mode
                     AllowedGrantTypes=GrantTypes.ClientCredentials,
                     ClientSecrets={new Secret("secret".Sha256())},
                     AllowedScopes={"api"}
                },
                new Client(){
                    ClientId="pwdClient",
                    // OAuth password mode
                     AllowedGrantTypes=GrantTypes.ResourceOwnerPassword,
                     ClientSecrets={new Secret("secret".Sha256())},
                     AllowedScopes={"api"}
                },
                new Client
                {
                   ClientId = "mvc",
                   ClientName = "MVC Client",
                   AllowedGrantTypes = GrantTypes.Hybrid,
                   ClientSecrets =
                   {
                       new Secret("secret".Sha256())
                   },
                   // where to redirect to after login
                   RedirectUris = { "http://localhost:5001/signin-oidc" },
                   RequireConsent = false,
                   AllowOfflineAccess = true,
                    // where to redirect to after logout
                    PostLogoutRedirectUris = { "http://localhost:5001/signout-callback-oidc" },

                     AllowedScopes = new List<string>
                  {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                  }
                },
                new Client
                {
                   ClientId = "js",
                    ClientName = "JavaScript Client",
                    AllowedGrantTypes = GrantTypes.Code,
                    RequirePkce = true,
                    RequireClientSecret = false,

                    RedirectUris =           { "http://localhost:5003/callback.html" },
                    PostLogoutRedirectUris = { "http://localhost:5003/index.html" },
                    AllowedCorsOrigins =     { "http://localhost:5003" },
                    RequireConsent = false,
                    AllowedScopes =
                    {
                        IdentityServerConstants.StandardScopes.OpenId,
                        IdentityServerConstants.StandardScopes.Profile,
                        "api"
                    }
                }
            };
        }

 

 

 

Add the resources protected by IdentityServer

 

    Custom claims can be defined here.

 public static IEnumerable<IdentityResource> GetIdentityResources()
        {
            return new IdentityResource[]
            {
                new IdentityResources.OpenId(),
                new IdentityResources.Profile(),
            };
        }

 

 

Register IdentityServer in the container

 

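  .AddDeveloperSigningCredential() generates the private and public keys needed to issue tokens. A production environment needs to replace it with a proper signing credential.

  o.UserInteraction.LoginUrl = "/Auth/Login";

  o.UserInteraction.LogoutUrl = "/Auth/Logout";

  o.UserInteraction.ErrorUrl = "/Auth/Error";

These three are needed by hybrid mode: the login URL, the logout URL, and the authorization-failure URL.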

services.AddIdentityServer(o =>
            {
                o.UserInteraction.LoginUrl = "/Auth/Login";
                o.UserInteraction.LogoutUrl = "/Auth/Logout";
                o.UserInteraction.ErrorUrl = "/Auth/Error";
            })
                    .AddInMemoryIdentityResources(Config.GetIdentityResources())
                    .AddDeveloperSigningCredential()
                    .AddInMemoryClients(Config.GetClients())
                    .AddInMemoryApiResources(Config.GetResource())
                    .AddTestUsers(Config.GetTestUser());
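
The note above says the developer signing credential must be replaced in production. One way to do that is sketched below as an added example, not code from the original post. The helper name AddEnvironmentSigningCredential and the configuration keys SigningCertificate:Path and SigningCertificate:Password are assumptions made for illustration; AddSigningCredential and AddDeveloperSigningCredential are IdentityServer4's own builder methods.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class SigningCredentialExtensions
{
    // Hypothetical helper (not part of IdentityServer4): keeps the developer key
    // for local runs and requires a real certificate everywhere else.
    // Usage: services.AddIdentityServer(...)
    //            .AddEnvironmentSigningCredential(Configuration, env.IsDevelopment());
    public static IIdentityServerBuilder AddEnvironmentSigningCredential(
        this IIdentityServerBuilder builder,
        IConfiguration configuration,
        bool isDevelopment)
    {
        if (isDevelopment)
        {
            // Writes a temporary key file next to the app; fine for local testing only.
            return builder.AddDeveloperSigningCredential();
        }

        // Assumed configuration keys; supply them from a secret store or
        // environment variables, not from source control.
        var path = configuration["SigningCertificate:Path"];
        var password = configuration["SigningCertificate:Password"];
        if (string.IsNullOrEmpty(path))
        {
            throw new InvalidOperationException("SigningCertificate:Path is not configured.");
        }

        var certificate = new X509Certificate2(path, password);

        // Fail at startup rather than issue tokens that cannot be signed or validated.
        if (!certificate.HasPrivateKey)
        {
            throw new InvalidOperationException("Signing certificate has no private key.");
        }
        var now = DateTime.Now; // NotBefore/NotAfter are expressed in local time
        if (now < certificate.NotBefore || now > certificate.NotAfter)
        {
            throw new InvalidOperationException("Signing certificate is outside its validity period.");
        }

        return builder.AddSigningCredential(certificate);
    }
}
```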

 

    In Configure, add the middleware to the .NET Core pipeline

app.UseIdentityServer();

Testing with Postman

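  1.   grant_type: for password mode the value is password
  2.   username: the user name
  3.   password: the password
  4.   client_id: the client id, matching the ClientId registered on the authorization server
  5.   client_secret: the client secret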
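
The same request that the Postman form sends, written with HttpClient as an added example that is not part of the original post. The token endpoint address http://localhost:5000 is an assumption (the post does not give the authorization server's address), and the scope field is optional and not in the list above; the user, client and secret values are the test values from the configuration earlier on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

public static class PasswordGrantRequest
{
    public static async Task Main()
    {
        // Assumption: address of the authorization server. /connect/token is
        // IdentityServer4's default token endpoint path.
        const string tokenEndpoint = "http://localhost:5000/connect/token";

        // Same fields as the Postman form; sent as application/x-www-form-urlencoded.
        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "password",
            ["username"] = "zps",          // test user from GetTestUser()
            ["password"] = "zps",
            ["client_id"] = "pwdClient",   // client registered with ResourceOwnerPassword
            ["client_secret"] = "secret",
            ["scope"] = "api"              // optional; must be in the client's AllowedScopes
        };

        using var http = new HttpClient();
        using var response = await http.PostAsync(tokenEndpoint, new FormUrlEncodedContent(form));
        var body = await response.Content.ReadAsStringAsync();

        if (!response.IsSuccessStatusCode)
        {
            // OAuth errors such as invalid_client or invalid_grant come back
            // with a 400 status and a JSON body naming the error.
            Console.WriteLine($"Token request failed: {(int)response.StatusCode} {body}");
            return;
        }

        using var json = JsonDocument.Parse(body);
        var root = json.RootElement;
        var tokenType = root.GetProperty("token_type").GetString();
        var expiresIn = root.GetProperty("expires_in").GetInt32();
        var accessToken = root.GetProperty("access_token").GetString();

        // Print metadata only; the access token is a bearer credential and
        // should not end up in console output or logs.
        Console.WriteLine($"token_type={tokenType} expires_in={expiresIn}s token_length={accessToken.Length}");
    }
}
```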

 
