上一篇我們討論了客戶端為SPA在IdentityServer4中的授權碼流程,本篇繼續討論MVC應用中的IdentityServer4授權碼流程。
1.查看授權碼流程
與上篇類似,只是這次的客戶端換成MVC應用,其余步驟與方法都一樣,不贅述,參考【One by One系列】IdentityServer4(六)授權碼流程原理之SPA
抓包截圖如下
2.詳解IdentityServer4授權碼流程(MVC)
2.1 請求IdentityServer4的配置端點-獲取各項配置
請求
GET /.well-known/openid-configuration HTTP/1.1
Host: localhost:5001
User-Agent: Microsoft ASP.NET Core OpenIdConnect handler
Request-Id: |d8ea1673-480ea8a77b20fcf1.
響應
HTTP/1.1 200 OK
Server: Kestrel
{"issuer":"http://localhost:5001","jwks_uri":"http://localhost:5001/.well-known/openid-configuration/jwks","authorization_endpoint":"http://localhost:5001/connect/authorize","token_endpoint":"http://localhost:5001/connect/token","userinfo_endpoint":"http://localhost:5001/connect/userinfo","end_session_endpoint":"http://localhost:5001/connect/endsession","check_session_iframe":"http://localhost:5001/connect/checksession","revocation_endpoint":"http://localhost:5001/connect/revocation","introspection_endpoint":"http://localhost:5001/connect/introspect","device_authorization_endpoint":"http://localhost:5001/connect/deviceauthorization","frontchannel_logout_supported":true,"frontchannel_logout_session_supported":true,"backchannel_logout_supported":true,"backchannel_logout_session_supported":true,"scopes_supported":["openid","profile","api1","offline_access"],"claims_supported":["sub","name","family_name","given_name","middle_name","nickname","preferred_username","profile","picture","website","gender","birthdate","zoneinfo","locale","updated_at"],"grant_types_supported":["authorization_code","client_credentials","refresh_token","implicit","password","urn:ietf:params:oauth:grant-type:device_code"],"response_types_supported":["code","token","id_token","id_token token","code id_token","code token","code id_token token"],"response_modes_supported":["form_post","query","fragment"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post"],"id_token_signing_alg_values_supported":["RS256"],"subject_types_supported":["public"],"code_challenge_methods_supported":["plain","S256"],"request_parameter_supported":true}
2.2 請求IdentityServer4-密鑰端點
請求
GET /.well-known/openid-configuration/jwks HTTP/1.1
Host: localhost:5001
User-Agent: Microsoft ASP.NET Core OpenIdConnect handler
Request-Id: |d8ea1673-480ea8a77b20fcf1.
響應
HTTP/1.1 200 OK
Server: Kestrel
{"keys":[{"kty":"RSA","use":"sig","kid":"768AC10B4A3728E20644058B6EDF5051","e":"AQAB","n":"p8rr99FmiZSoeCzEdThzdfX-XTPCRTXW43PftBuHEPS3CcUM2aRnVpthzyXoaxLb9tKCqOplnCRmIlVorRe1UG_MqrhOgRhD-jCftOyBtAgLg992Oh2i2_E-F62fsmcrvkwd6e31DS2QYAIKADYamkAlWjaBKVpqHYHEe40kHMTzgwg7-pqmQQUUViBlCOm19NC4szHfEJkIAa4MeO2S3Vmvc6vVniwggYshkWCIZDNHq3A5KaE0_z8-5RiM_ci37YqoVvfInx9hxnCzRHHsNoQJQldomQVe9kVXepHJPXfpNWa04RJr72ySAJIQSwNw9ZIjKyENjSLnH_RxYQ6fXQ","alg":"RS256"}]}
這兩步由Microsoft.AspNetCore.Authentication.OpenIdConnect內部請求
2.3 請求authorize端點
請求
GET /connect/authorize?client_id=mvc&redirect_uri=http%3A%2F%2Flocalhost%3A6002%2Fsignin-oidc&response_type=code&scope=openid%20profile%20api1&code_challenge=vDiRaZB2pHkoow4SiD-4D5YObxjluheQmi6jM2vYcLM&code_challenge_method=S256&response_mode=form_post&nonce=637302073815947799.ZjMzMTkwMzUtZDQ5YS00OTkxLTllNzQtMDNhODk0NDQzNGU5ZGIzMDI3MGMtMWQzMC00YzY5LThiZjItMDA5OTNkNTE2MGQ4&state=CfDJ8EvLzXx95NhOpTKk_JopLRAtCPNf259LPzLsz20hoZ9vEALtJi8Ms99_BXC-Cra7prdpF58nHahlLqSHZz_pyId1Kf4CCFvY5juG2p2RqTbCcZCQ6_G5Fd4FzTT0RtCaLbhRPDDGMb6D7PSWd-cy-tn64CsYkRa85yEeklZHLHtVADjK0CbBhSR5nXERBptLeNyayrGInKAQHR5aXI9qvD00NodlABRotjw2ALGnRwQRXjZ5ZGMvi4v3LWYHtuyvXyAhIglZ3l1QP1oNQraTuYWvSceK4AqyitMIQ0ZvBsOF8Q14rmvq9JQvuzf6fX9Fj_YRB7Tfs2bV7CR1kgLB3Ss5amy_cwBTQHTTqLKeLyyvgb1zMC6LOcLL26oQj9cWag&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0 HTTP/1.1
Host: localhost:5001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
響應
HTTP/1.1 302 Found
Server: Kestrel
Location: http://localhost:5001/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Dmvc%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A6002%252Fsignin-oidc%26response_type%3Dcode%26scope%3Dopenid%2520profile%2520api1%26code_challenge%3DvDiRaZB2pHkoow4SiD-4D5YObxjluheQmi6jM2vYcLM%26code_challenge_method%3DS256%26response_mode%3Dform_post%26nonce%3D637302073815947799.ZjMzMTkwMzUtZDQ5YS00OTkxLTllNzQtMDNhODk0NDQzNGU5ZGIzMDI3MGMtMWQzMC00YzY5LThiZjItMDA5OTNkNTE2MGQ4%26state%3DCfDJ8EvLzXx95NhOpTKk_JopLRAtCPNf259LPzLsz20hoZ9vEALtJi8Ms99_BXC-Cra7prdpF58nHahlLqSHZz_pyId1Kf4CCFvY5juG2p2RqTbCcZCQ6_G5Fd4FzTT0RtCaLbhRPDDGMb6D7PSWd-cy-tn64CsYkRa85yEeklZHLHtVADjK0CbBhSR5nXERBptLeNyayrGInKAQHR5aXI9qvD00NodlABRotjw2ALGnRwQRXjZ5ZGMvi4v3LWYHtuyvXyAhIglZ3l1QP1oNQraTuYWvSceK4AqyitMIQ0ZvBsOF8Q14rmvq9JQvuzf6fX9Fj_YRB7Tfs2bV7CR1kgLB3Ss5amy_cwBTQHTTqLKeLyyvgb1zMC6LOcLL26oQj9cWag%26x-client-SKU%3DID_NETSTANDARD2_0%26x-client-ver%3D5.5.0.0
請求授權端點,除client_id,response_type,scope外的標准參數,還會攜帶code_challenge,code_challenge_method.響應302重定向登錄頁
2.4 重定向登錄頁
請求
GET /Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Dmvc%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A6002%252Fsignin-oidc%26response_type%3Dcode%26scope%3Dopenid%2520profile%2520api1%26code_challenge%3DvDiRaZB2pHkoow4SiD-4D5YObxjluheQmi6jM2vYcLM%26code_challenge_method%3DS256%26response_mode%3Dform_post%26nonce%3D637302073815947799.ZjMzMTkwMzUtZDQ5YS00OTkxLTllNzQtMDNhODk0NDQzNGU5ZGIzMDI3MGMtMWQzMC00YzY5LThiZjItMDA5OTNkNTE2MGQ4%26state%3DCfDJ8EvLzXx95NhOpTKk_JopLRAtCPNf259LPzLsz20hoZ9vEALtJi8Ms99_BXC-Cra7prdpF58nHahlLqSHZz_pyId1Kf4CCFvY5juG2p2RqTbCcZCQ6_G5Fd4FzTT0RtCaLbhRPDDGMb6D7PSWd-cy-tn64CsYkRa85yEeklZHLHtVADjK0CbBhSR5nXERBptLeNyayrGInKAQHR5aXI9qvD00NodlABRotjw2ALGnRwQRXjZ5ZGMvi4v3LWYHtuyvXyAhIglZ3l1QP1oNQraTuYWvSceK4AqyitMIQ0ZvBsOF8Q14rmvq9JQvuzf6fX9Fj_YRB7Tfs2bV7CR1kgLB3Ss5amy_cwBTQHTTqLKeLyyvgb1zMC6LOcLL26oQj9cWag%26x-client-SKU%3DID_NETSTANDARD2_0%26x-client-ver%3D5.5.0.0 HTTP/1.1
Host: localhost:5001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
響應
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Kestrel
Set-Cookie: .AspNetCore.Antiforgery.-IwGtD3QVi8=CfDJ8EvLzXx95NhOpTKk_JopLRC52AxoSRHn9ciblh7wwEnyoJI4hEVfPW8ZrSerXc81TOVLPDoIpIS4w4idShomXf2jiiUcgqYsCP6XaeH2i681CSh6xBc-uP1PI9cYvHuUdiMFC25Ig67pxU3pnNo4j0s; path=/; samesite=strict; httponly
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no" />
<title>IdentityServer4</title>
<link rel="icon" type="image/x-icon" href="/favicon.ico" />
<link rel="shortcut icon" type="image/x-icon" href="/favicon.ico" />
<link rel="stylesheet" href="/lib/bootstrap/dist/css/bootstrap.min.css" />
<link rel="stylesheet" href="/css/site.css" />
</head>
<body>
<div class="nav-page">
<nav class="navbar navbar-expand-lg navbar-dark bg-dark">
<a href="/" class="navbar-brand">
<img src="/icon.png" class="icon-banner">
IdentityServer4
</a>
</nav>
</div>
<div class="container body-container">
<div class="login-page">
<div class="lead">
<h1>Login</h1>
<p>Choose how to login</p>
</div>
<div class="row">
<div class="col-sm-6">
<div class="card">
<div class="card-header">
<h2>Local Account</h2>
</div>
<div class="card-body">
<form action="" method="post">
<input type="hidden" id="ReturnUrl" name="ReturnUrl" value="/connect/authorize/callback?client_id=mvc&redirect_uri=http%3A%2F%2Flocalhost%3A6002%2Fsignin-oidc&response_type=code&scope=openid%20profile%20api1&code_challenge=vDiRaZB2pHkoow4SiD-4D5YObxjluheQmi6jM2vYcLM&code_challenge_method=S256&response_mode=form_post&nonce=637302073815947799.ZjMzMTkwMzUtZDQ5YS00OTkxLTllNzQtMDNhODk0NDQzNGU5ZGIzMDI3MGMtMWQzMC00YzY5LThiZjItMDA5OTNkNTE2MGQ4&state=CfDJ8EvLzXx95NhOpTKk_JopLRAtCPNf259LPzLsz20hoZ9vEALtJi8Ms99_BXC-Cra7prdpF58nHahlLqSHZz_pyId1Kf4CCFvY5juG2p2RqTbCcZCQ6_G5Fd4FzTT0RtCaLbhRPDDGMb6D7PSWd-cy-tn64CsYkRa85yEeklZHLHtVADjK0CbBhSR5nXERBptLeNyayrGInKAQHR5aXI9qvD00NodlABRotjw2ALGnRwQRXjZ5ZGMvi4v3LWYHtuyvXyAhIglZ3l1QP1oNQraTuYWvSceK4AqyitMIQ0ZvBsOF8Q14rmvq9JQvuzf6fX9Fj_YRB7Tfs2bV7CR1kgLB3Ss5amy_cwBTQHTTqLKeLyyvgb1zMC6LOcLL26oQj9cWag&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0" />
<div class="form-group">
<label for="Username">Username</label>
<input class="form-control" placeholder="Username" autofocus type="text" data-val="true" data-val-required="The Username field is required." id="Username" name="Username" value="">
</div>
<div class="form-group">
<label for="Password">Password</label>
<input type="password" class="form-control" placeholder="Password" autocomplete="off" data-val="true" data-val-required="The Password field is required." id="Password" name="Password">
</div>
<div class="form-group">
<div class="form-check">
<input class="form-check-input" type="checkbox" data-val="true" data-val-required="The RememberLogin field is required." id="RememberLogin" name="RememberLogin" value="true">
<label class="form-check-label" for="RememberLogin">
Remember My Login
</label>
</div>
</div>
<button class="btn btn-primary" name="button" value="login">Login</button>
<button class="btn btn-secondary" name="button" value="cancel">Cancel</button>
<input name="__RequestVerificationToken" type="hidden" value="CfDJ8EvLzXx95NhOpTKk_JopLRDTtcucnBzI1HMQFrP12uFbjXEoii8lxOgJo92xYvtcgba2unOgfrjPFfHEIvZUgOl1xF_SOI-8t7bVVb1Rf40U8yCL7sEpj9_ZTZBImUDXGxkryW_8FmBO8qQL8nOprI4" /><input name="RememberLogin" type="hidden" value="false"></form>
</div>
</div>
</div>
</div>
</div>
</div>
<script src="/lib/jquery/dist/jquery.slim.min.js"></script>
<script src="/lib/bootstrap/dist/js/bootstrap.bundle.min.js"></script>
</body>
</html>
重定向至登錄頁,響應登錄頁html
2.5 登錄操作
請求
POST /Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Dmvc%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A6002%252Fsignin-oidc%26response_type%3Dcode%26scope%3Dopenid%2520profile%2520api1%26code_challenge%3DvDiRaZB2pHkoow4SiD-4D5YObxjluheQmi6jM2vYcLM%26code_challenge_method%3DS256%26response_mode%3Dform_post%26nonce%3D637302073815947799.ZjMzMTkwMzUtZDQ5YS00OTkxLTllNzQtMDNhODk0NDQzNGU5ZGIzMDI3MGMtMWQzMC00YzY5LThiZjItMDA5OTNkNTE2MGQ4%26state%3DCfDJ8EvLzXx95NhOpTKk_JopLRAtCPNf259LPzLsz20hoZ9vEALtJi8Ms99_BXC-Cra7prdpF58nHahlLqSHZz_pyId1Kf4CCFvY5juG2p2RqTbCcZCQ6_G5Fd4FzTT0RtCaLbhRPDDGMb6D7PSWd-cy-tn64CsYkRa85yEeklZHLHtVADjK0CbBhSR5nXERBptLeNyayrGInKAQHR5aXI9qvD00NodlABRotjw2ALGnRwQRXjZ5ZGMvi4v3LWYHtuyvXyAhIglZ3l1QP1oNQraTuYWvSceK4AqyitMIQ0ZvBsOF8Q14rmvq9JQvuzf6fX9Fj_YRB7Tfs2bV7CR1kgLB3Ss5amy_cwBTQHTTqLKeLyyvgb1zMC6LOcLL26oQj9cWag%26x-client-SKU%3DID_NETSTANDARD2_0%26x-client-ver%3D5.5.0.0 HTTP/1.1
Host: localhost:5001
Content-Type: application/x-www-form-urlencoded
ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Dmvc%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A6002%252Fsignin-oidc%26response_type%3Dcode%26scope%3Dopenid%2520profile%2520api1%26code_challenge%3DvDiRaZB2pHkoow4SiD-4D5YObxjluheQmi6jM2vYcLM%26code_challenge_method%3DS256%26response_mode%3Dform_post%26nonce%3D637302073815947799.ZjMzMTkwMzUtZDQ5YS00OTkxLTllNzQtMDNhODk0NDQzNGU5ZGIzMDI3MGMtMWQzMC00YzY5LThiZjItMDA5OTNkNTE2MGQ4%26state%3DCfDJ8EvLzXx95NhOpTKk_JopLRAtCPNf259LPzLsz20hoZ9vEALtJi8Ms99_BXC-Cra7prdpF58nHahlLqSHZz_pyId1Kf4CCFvY5juG2p2RqTbCcZCQ6_G5Fd4FzTT0RtCaLbhRPDDGMb6D7PSWd-cy-tn64CsYkRa85yEeklZHLHtVADjK0CbBhSR5nXERBptLeNyayrGInKAQHR5aXI9qvD00NodlABRotjw2ALGnRwQRXjZ5ZGMvi4v3LWYHtuyvXyAhIglZ3l1QP1oNQraTuYWvSceK4AqyitMIQ0ZvBsOF8Q14rmvq9JQvuzf6fX9Fj_YRB7Tfs2bV7CR1kgLB3Ss5amy_cwBTQHTTqLKeLyyvgb1zMC6LOcLL26oQj9cWag%26x-client-SKU%3DID_NETSTANDARD2_0%26x-client-ver%3D5.5.0.0&Username=admin&Password=admin123456%21&button=login&__RequestVerificationToken=CfDJ8EvLzXx95NhOpTKk_JopLRDTtcucnBzI1HMQFrP12uFbjXEoii8lxOgJo92xYvtcgba2unOgfrjPFfHEIvZUgOl1xF_SOI-8t7bVVb1Rf40U8yCL7sEpj9_ZTZBImUDXGxkryW_8FmBO8qQL8nOprI4&RememberLogin=false
響應
HTTP/1.1 302 Found
Server: Kestrel
Location: /connect/authorize/callback?client_id=mvc&redirect_uri=http%3A%2F%2Flocalhost%3A6002%2Fsignin-oidc&response_type=code&scope=openid%20profile%20api1&code_challenge=vDiRaZB2pHkoow4SiD-4D5YObxjluheQmi6jM2vYcLM&code_challenge_method=S256&response_mode=form_post&nonce=637302073815947799.ZjMzMTkwMzUtZDQ5YS00OTkxLTllNzQtMDNhODk0NDQzNGU5ZGIzMDI3MGMtMWQzMC00YzY5LThiZjItMDA5OTNkNTE2MGQ4&state=CfDJ8EvLzXx95NhOpTKk_JopLRAtCPNf259LPzLsz20hoZ9vEALtJi8Ms99_BXC-Cra7prdpF58nHahlLqSHZz_pyId1Kf4CCFvY5juG2p2RqTbCcZCQ6_G5Fd4FzTT0RtCaLbhRPDDGMb6D7PSWd-cy-tn64CsYkRa85yEeklZHLHtVADjK0CbBhSR5nXERBptLeNyayrGInKAQHR5aXI9qvD00NodlABRotjw2ALGnRwQRXjZ5ZGMvi4v3LWYHtuyvXyAhIglZ3l1QP1oNQraTuYWvSceK4AqyitMIQ0ZvBsOF8Q14rmvq9JQvuzf6fX9Fj_YRB7Tfs2bV7CR1kgLB3Ss5amy_cwBTQHTTqLKeLyyvgb1zMC6LOcLL26oQj9cWag&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0
Set-Cookie: idsrv.session=AF3EB53184951E2E7E8748B7AB0118E2; path=/; samesite=none
Set-Cookie: idsrv=CfDJ8EvLzXx95NhOpTKk_JopLRDcizx-_TS8GrKeHvXLpVBeXxi00r1ZJV6x26_-b8wbj3fBuAovCy-d-MlZ2A23E7gszaRru1rjf2erNXLwdGBf5rhZVchSzTzfhYM8fCiu6g6_TI3StO88A91t18AfWt3509ZUKl9ZmJ4PYnQ8SehoIBpgESO7Z25k839FNUq9VN8jnzEzuy7kGDasL0vQs9C6Ol2KRYLGoGZUDNfnrNB9jPztG2f4dgHMXPc07Uhsxl_e3PKHB2YUBk6jy0xgRS0QNRwdmk5jFbYrxjJhj6TWVQ9omKOED2sCpqQVmUhJIpxiIYGeRsccXlMNMx5hJ0fSa_Gxwp-acGo5Uk8P-H-4MW60VCOJob2HoNMYkOR0coWHtbZWWQjLfYZ8ooB_Www2VyYJ2mcEt-WFQZkFjxUAc7Co9AtkO7WxYqqqbaJcV2oBCOzQPNlZlkQ3MzXT9bLBrZidWJfcxMi3GU2GArZix-8xDqzTWu-2cQVffvdUZgg_xOc4r71QPd9IzBJ-O2c; path=/; samesite=none; httponly
登錄操作,在原有的參數基礎上,增加Username,Password,Post提交,響應302重定向,並Set-Cookie
2.6 重定向至授權回調
請求
GET /connect/authorize/callback?client_id=mvc&redirect_uri=http%3A%2F%2Flocalhost%3A6002%2Fsignin-oidc&response_type=code&scope=openid%20profile%20api1&code_challenge=vDiRaZB2pHkoow4SiD-4D5YObxjluheQmi6jM2vYcLM&code_challenge_method=S256&response_mode=form_post&nonce=637302073815947799.ZjMzMTkwMzUtZDQ5YS00OTkxLTllNzQtMDNhODk0NDQzNGU5ZGIzMDI3MGMtMWQzMC00YzY5LThiZjItMDA5OTNkNTE2MGQ4&state=CfDJ8EvLzXx95NhOpTKk_JopLRAtCPNf259LPzLsz20hoZ9vEALtJi8Ms99_BXC-Cra7prdpF58nHahlLqSHZz_pyId1Kf4CCFvY5juG2p2RqTbCcZCQ6_G5Fd4FzTT0RtCaLbhRPDDGMb6D7PSWd-cy-tn64CsYkRa85yEeklZHLHtVADjK0CbBhSR5nXERBptLeNyayrGInKAQHR5aXI9qvD00NodlABRotjw2ALGnRwQRXjZ5ZGMvi4v3LWYHtuyvXyAhIglZ3l1QP1oNQraTuYWvSceK4AqyitMIQ0ZvBsOF8Q14rmvq9JQvuzf6fX9Fj_YRB7Tfs2bV7CR1kgLB3Ss5amy_cwBTQHTTqLKeLyyvgb1zMC6LOcLL26oQj9cWag&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0 HTTP/1.1
Host: localhost:5001
響應
HTTP/1.1 302 Found
Server: Kestrel
Location: http://localhost:5001/consent?returnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Dmvc%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A6002%252Fsignin-oidc%26response_type%3Dcode%26scope%3Dopenid%2520profile%2520api1%26code_challenge%3DvDiRaZB2pHkoow4SiD-4D5YObxjluheQmi6jM2vYcLM%26code_challenge_method%3DS256%26response_mode%3Dform_post%26nonce%3D637302073815947799.ZjMzMTkwMzUtZDQ5YS00OTkxLTllNzQtMDNhODk0NDQzNGU5ZGIzMDI3MGMtMWQzMC00YzY5LThiZjItMDA5OTNkNTE2MGQ4%26state%3DCfDJ8EvLzXx95NhOpTKk_JopLRAtCPNf259LPzLsz20hoZ9vEALtJi8Ms99_BXC-Cra7prdpF58nHahlLqSHZz_pyId1Kf4CCFvY5juG2p2RqTbCcZCQ6_G5Fd4FzTT0RtCaLbhRPDDGMb6D7PSWd-cy-tn64CsYkRa85yEeklZHLHtVADjK0CbBhSR5nXERBptLeNyayrGInKAQHR5aXI9qvD00NodlABRotjw2ALGnRwQRXjZ5ZGMvi4v3LWYHtuyvXyAhIglZ3l1QP1oNQraTuYWvSceK4AqyitMIQ0ZvBsOF8Q14rmvq9JQvuzf6fX9Fj_YRB7Tfs2bV7CR1kgLB3Ss5amy_cwBTQHTTqLKeLyyvgb1zMC6LOcLL26oQj9cWag%26x-client-SKU%3DID_NETSTANDARD2_0%26x-client-ver%3D5.5.0.0
authorize授權認證成功回調,重定向consent頁面
2.7 請求授權選擇頁面
請求
GET /consent?returnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Dmvc%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A6002%252Fsignin-oidc%26response_type%3Dcode%26scope%3Dopenid%2520profile%2520api1%26code_challenge%3DvDiRaZB2pHkoow4SiD-4D5YObxjluheQmi6jM2vYcLM%26code_challenge_method%3DS256%26response_mode%3Dform_post%26nonce%3D637302073815947799.ZjMzMTkwMzUtZDQ5YS00OTkxLTllNzQtMDNhODk0NDQzNGU5ZGIzMDI3MGMtMWQzMC00YzY5LThiZjItMDA5OTNkNTE2MGQ4%26state%3DCfDJ8EvLzXx95NhOpTKk_JopLRAtCPNf259LPzLsz20hoZ9vEALtJi8Ms99_BXC-Cra7prdpF58nHahlLqSHZz_pyId1Kf4CCFvY5juG2p2RqTbCcZCQ6_G5Fd4FzTT0RtCaLbhRPDDGMb6D7PSWd-cy-tn64CsYkRa85yEeklZHLHtVADjK0CbBhSR5nXERBptLeNyayrGInKAQHR5aXI9qvD00NodlABRotjw2ALGnRwQRXjZ5ZGMvi4v3LWYHtuyvXyAhIglZ3l1QP1oNQraTuYWvSceK4AqyitMIQ0ZvBsOF8Q14rmvq9JQvuzf6fX9Fj_YRB7Tfs2bV7CR1kgLB3Ss5amy_cwBTQHTTqLKeLyyvgb1zMC6LOcLL26oQj9cWag%26x-client-SKU%3DID_NETSTANDARD2_0%26x-client-ver%3D5.5.0.0 HTTP/1.1
Host: localhost:5001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
響應
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Kestrel
Referrer-Policy: no-referrer
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no" />
<title>IdentityServer4</title>
<link rel="icon" type="image/x-icon" href="/favicon.ico" />
<link rel="shortcut icon" type="image/x-icon" href="/favicon.ico" />
<link rel="stylesheet" href="/lib/bootstrap/dist/css/bootstrap.min.css" />
<link rel="stylesheet" href="/css/site.css" />
</head>
<body>
<div class="nav-page">
<nav class="navbar navbar-expand-lg navbar-dark bg-dark">
<a href="/" class="navbar-brand">
<img src="/icon.png" class="icon-banner">
IdentityServer4
</a>
<ul class="navbar-nav mr-auto">
<li class="nav-item dropdown">
<a href="#" class="nav-link dropdown-toggle" data-toggle="dropdown">admin <b class="caret"></b></a>
<div class="dropdown-menu">
<a class="dropdown-item" href="/Account/Logout">Logout</a>
</div>
</li>
</ul>
</nav>
</div>
<div class="container body-container">
<div class="page-consent">
<div class="lead">
<h1>
mvc
<small class="text-muted">is requesting your permission</small>
</h1>
<p>Uncheck the permissions you do not wish to grant.</p>
</div>
<div class="row">
<div class="col-sm-8">
</div>
</div>
<form action="/Consent" method="post">
<input type="hidden" id="ReturnUrl" name="ReturnUrl" value="/connect/authorize/callback?client_id=mvc&redirect_uri=http%3A%2F%2Flocalhost%3A6002%2Fsignin-oidc&response_type=code&scope=openid%20profile%20api1&code_challenge=vDiRaZB2pHkoow4SiD-4D5YObxjluheQmi6jM2vYcLM&code_challenge_method=S256&response_mode=form_post&nonce=637302073815947799.ZjMzMTkwMzUtZDQ5YS00OTkxLTllNzQtMDNhODk0NDQzNGU5ZGIzMDI3MGMtMWQzMC00YzY5LThiZjItMDA5OTNkNTE2MGQ4&state=CfDJ8EvLzXx95NhOpTKk_JopLRAtCPNf259LPzLsz20hoZ9vEALtJi8Ms99_BXC-Cra7prdpF58nHahlLqSHZz_pyId1Kf4CCFvY5juG2p2RqTbCcZCQ6_G5Fd4FzTT0RtCaLbhRPDDGMb6D7PSWd-cy-tn64CsYkRa85yEeklZHLHtVADjK0CbBhSR5nXERBptLeNyayrGInKAQHR5aXI9qvD00NodlABRotjw2ALGnRwQRXjZ5ZGMvi4v3LWYHtuyvXyAhIglZ3l1QP1oNQraTuYWvSceK4AqyitMIQ0ZvBsOF8Q14rmvq9JQvuzf6fX9Fj_YRB7Tfs2bV7CR1kgLB3Ss5amy_cwBTQHTTqLKeLyyvgb1zMC6LOcLL26oQj9cWag&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0" />
<div class="row">
<div class="col-sm-8">
<div class="form-group">
<div class="card">
<div class="card-header">
<span class="glyphicon glyphicon-user"></span>
Personal Information
</div>
<ul class="list-group list-group-flush">
<li class="list-group-item">
<label>
<input class="consent-scopecheck"
type="checkbox"
name="ScopesConsented"
id="scopes_openid"
value="openid"
checked="checked"
disabled="disabled" />
<input type="hidden"
name="ScopesConsented"
value="openid" />
<strong>Your user identifier</strong>
</label>
<span><em>(required)</em></span>
</li>
<li class="list-group-item">
<label>
<input class="consent-scopecheck"
type="checkbox"
name="ScopesConsented"
id="scopes_profile"
value="profile"
checked="checked" />
<strong>User profile</strong>
<span class="glyphicon glyphicon-exclamation-sign"></span>
</label>
<div class="consent-description">
<label for="scopes_profile">Your user profile information (first name, last name, etc.)</label>
</div>
</li>
</ul>
</div>
</div>
<div class="form-group">
<div class="card">
<div class="card-header">
<span class="glyphicon glyphicon-tasks"></span>
Application Access
</div>
<ul class="list-group list-group-flush">
<li class="list-group-item">
<label>
<input class="consent-scopecheck"
type="checkbox"
name="ScopesConsented"
id="scopes_api1"
value="api1"
checked="checked" />
<strong>My API</strong>
</label>
</li>
</ul>
</div>
</div>
<div class="form-group">
<div class="card">
<div class="card-header">
<span class="glyphicon glyphicon-tasks"></span>
Description
</div>
<div class="card-body">
<input class="form-control" placeholder="Description or name of device" autofocus type="text" id="Description" name="Description" value="">
</div>
</div>
</div>
<div class="form-group">
<div class="form-check">
<input class="form-check-input" type="checkbox" checked="checked" data-val="true" data-val-required="The RememberConsent field is required." id="RememberConsent" name="RememberConsent" value="true">
<label class="form-check-label" for="RememberConsent">
<strong>Remember My Decision</strong>
</label>
</div>
</div>
</div>
</div>
<div class="row">
<div class="col-sm-4">
<button name="button" value="yes" class="btn btn-primary" autofocus>Yes, Allow</button>
<button name="button" value="no" class="btn btn-secondary">No, Do Not Allow</button>
</div>
<div class="col-sm-4 col-lg-auto">
</div>
</div>
<input name="__RequestVerificationToken" type="hidden" value="CfDJ8EvLzXx95NhOpTKk_JopLRA54swTWpkQLVRbM-dBtBN-4-PMbI27cIZqWHDqHMrqBo_PwvHJZK5uz7G7KwTauALmI5jX8fFuliNia3GO1WhWAXTwWSBmlHAlwHWNybM70wK9JlQYmW4QBMdduJn3x07Fh0urqzSIk3jrYdJTZ4TI3qrLx1DIp7s9H_CnkzBaJg" /><input name="RememberConsent" type="hidden" value="false"></form>
</div>
</div>
<script src="/lib/jquery/dist/jquery.slim.min.js"></script>
<script src="/lib/bootstrap/dist/js/bootstrap.bundle.min.js"></script>
</body>
</html>
驗證用戶名、密碼,服務端cookie已設置,驗證成功,再次響應302,重定向consent頁面,讓用戶確認是否同意授權,即相關api資源的授權勾選。
2.8 同意授權
請求
POST /Consent HTTP/1.1
Host: localhost:5001
Content-Type: application/x-www-form-urlencoded
ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Dmvc%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A6002%252Fsignin-oidc%26response_type%3Dcode%26scope%3Dopenid%2520profile%2520api1%26code_challenge%3DvDiRaZB2pHkoow4SiD-4D5YObxjluheQmi6jM2vYcLM%26code_challenge_method%3DS256%26response_mode%3Dform_post%26nonce%3D637302073815947799.ZjMzMTkwMzUtZDQ5YS00OTkxLTllNzQtMDNhODk0NDQzNGU5ZGIzMDI3MGMtMWQzMC00YzY5LThiZjItMDA5OTNkNTE2MGQ4%26state%3DCfDJ8EvLzXx95NhOpTKk_JopLRAtCPNf259LPzLsz20hoZ9vEALtJi8Ms99_BXC-Cra7prdpF58nHahlLqSHZz_pyId1Kf4CCFvY5juG2p2RqTbCcZCQ6_G5Fd4FzTT0RtCaLbhRPDDGMb6D7PSWd-cy-tn64CsYkRa85yEeklZHLHtVADjK0CbBhSR5nXERBptLeNyayrGInKAQHR5aXI9qvD00NodlABRotjw2ALGnRwQRXjZ5ZGMvi4v3LWYHtuyvXyAhIglZ3l1QP1oNQraTuYWvSceK4AqyitMIQ0ZvBsOF8Q14rmvq9JQvuzf6fX9Fj_YRB7Tfs2bV7CR1kgLB3Ss5amy_cwBTQHTTqLKeLyyvgb1zMC6LOcLL26oQj9cWag%26x-client-SKU%3DID_NETSTANDARD2_0%26x-client-ver%3D5.5.0.0&ScopesConsented=openid&ScopesConsented=profile&ScopesConsented=api1&Description=&RememberConsent=true&button=yes&__RequestVerificationToken=CfDJ8EvLzXx95NhOpTKk_JopLRA54swTWpkQLVRbM-dBtBN-4-PMbI27cIZqWHDqHMrqBo_PwvHJZK5uz7G7KwTauALmI5jX8fFuliNia3GO1WhWAXTwWSBmlHAlwHWNybM70wK9JlQYmW4QBMdduJn3x07Fh0urqzSIk3jrYdJTZ4TI3qrLx1DIp7s9H_CnkzBaJg&RememberConsent=false
響應
HTTP/1.1 302 Found
Server: Kestrel
Location: /connect/authorize/callback?client_id=mvc&redirect_uri=http%3A%2F%2Flocalhost%3A6002%2Fsignin-oidc&response_type=code&scope=openid%20profile%20api1&code_challenge=vDiRaZB2pHkoow4SiD-4D5YObxjluheQmi6jM2vYcLM&code_challenge_method=S256&response_mode=form_post&nonce=637302073815947799.ZjMzMTkwMzUtZDQ5YS00OTkxLTllNzQtMDNhODk0NDQzNGU5ZGIzMDI3MGMtMWQzMC00YzY5LThiZjItMDA5OTNkNTE2MGQ4&state=CfDJ8EvLzXx95NhOpTKk_JopLRAtCPNf259LPzLsz20hoZ9vEALtJi8Ms99_BXC-Cra7prdpF58nHahlLqSHZz_pyId1Kf4CCFvY5juG2p2RqTbCcZCQ6_G5Fd4FzTT0RtCaLbhRPDDGMb6D7PSWd-cy-tn64CsYkRa85yEeklZHLHtVADjK0CbBhSR5nXERBptLeNyayrGInKAQHR5aXI9qvD00NodlABRotjw2ALGnRwQRXjZ5ZGMvi4v3LWYHtuyvXyAhIglZ3l1QP1oNQraTuYWvSceK4AqyitMIQ0ZvBsOF8Q14rmvq9JQvuzf6fX9Fj_YRB7Tfs2bV7CR1kgLB3Ss5amy_cwBTQHTTqLKeLyyvgb1zMC6LOcLL26oQj9cWag&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0
Set-Cookie: ConsentResponse.CBQAI6quFiONZvGmAvFsFStkleTmRdoaVXSd3xSOzGQ=CfDJ8EvLzXx95NhOpTKk_JopLRAunDGUnaFsACxZxmiqGGd2CONUYTggvUQOJqL-slVk9CjrFedMxPiMdDVN8Gr0dk1bpdbqOjTPEkVJeeslUFjBvtwk7M3cqkTaFgfcgPsTaixC3CRnCEyKTTVx5mswVWXRLX4gP84hx8LH1ummLDfP3RXx4OvvNIWbhQJmvnMU1V63vTP6i1ANRrOiPVKeBA9-yW8nYOj3v61D4WYKtWZkaN-GMIIaIKVOQLcvuOwgMAKvBPsila2TkIzUGXXnYMkooKvhhAjomIX8hfUldoFA; path=/; httponly
與登錄操作類似,post同意授權的scope清單,以及是否同意,ScopesConsented=openid&ScopesConsented=profile&ScopesConsented=api1&Description=&RememberConsent=true&button=yes,響應302重定向至授權回調
2.9 重定向至授權回調,返回授權碼
請求
GET /connect/authorize/callback?client_id=mvc&redirect_uri=http%3A%2F%2Flocalhost%3A6002%2Fsignin-oidc&response_type=code&scope=openid%20profile%20api1&code_challenge=vDiRaZB2pHkoow4SiD-4D5YObxjluheQmi6jM2vYcLM&code_challenge_method=S256&response_mode=form_post&nonce=637302073815947799.ZjMzMTkwMzUtZDQ5YS00OTkxLTllNzQtMDNhODk0NDQzNGU5ZGIzMDI3MGMtMWQzMC00YzY5LThiZjItMDA5OTNkNTE2MGQ4&state=CfDJ8EvLzXx95NhOpTKk_JopLRAtCPNf259LPzLsz20hoZ9vEALtJi8Ms99_BXC-Cra7prdpF58nHahlLqSHZz_pyId1Kf4CCFvY5juG2p2RqTbCcZCQ6_G5Fd4FzTT0RtCaLbhRPDDGMb6D7PSWd-cy-tn64CsYkRa85yEeklZHLHtVADjK0CbBhSR5nXERBptLeNyayrGInKAQHR5aXI9qvD00NodlABRotjw2ALGnRwQRXjZ5ZGMvi4v3LWYHtuyvXyAhIglZ3l1QP1oNQraTuYWvSceK4AqyitMIQ0ZvBsOF8Q14rmvq9JQvuzf6fX9Fj_YRB7Tfs2bV7CR1kgLB3Ss5amy_cwBTQHTTqLKeLyyvgb1zMC6LOcLL26oQj9cWag&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0 HTTP/1.1
Host: localhost:5001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
響應
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Kestrel
Set-Cookie: idsrv=CfDJ8EvLzXx95NhOpTKk_JopLRBNjXlFt3nvrJDTaWLYWcCU3fje7b_kmurwoGUCej07sRMLrLxFkSMhMOXbgl8xvjYhpERGpISxD-QoxdCcLICzVUIGYGD7RvJQdfvHF3QXpR1_Kffm2e9WXE27wf4Qp5CR87xQSmNmL4qx8i7fLBjnTm7Nhzv3zOSV2bRjVLRU3BlKjqqkalj1z6sL5vaGr4NhLZRNBiDPLJxDghXrtu-dK1U6VlGGVJ4sg87u4W9Q8E23xmUlZiVMkDztjNYxW6I2WoRypZhjIiuoPSUsHqs4wBZ5bsLEMjbCGcoKbeBFyJzhi13P2yU-c1TGB6wcBUDgTV6TqHTu8d8lmzIDcMDeaKJSnv5F7h5BRiOe8FV2INbws6RUfeo0zsbIZr46M1gppTLZoNRl8W7Y2fuwoDj_irPkx5rGQYI4Wia-aM64ASEZpvI7ztNGSnq-ToSMzxX8JPFRq7inVWVhMoJOsHBFFRdiu9aN35IPgc4y8tn7w_13IX7wXh-BqnDBD8b0C50GS09u4GhjoEFHwPgHG_U7pV4qbctj2EFef2aUrbjX0g; path=/; samesite=none; httponly
Content-Security-Policy: default-src 'none'; script-src 'sha256-orD0/VhH8hLqrLxKHD/HUEMdwqX6/0ve7c5hspX5VJ8='
X-Content-Security-Policy: default-src 'none'; script-src 'sha256-orD0/VhH8hLqrLxKHD/HUEMdwqX6/0ve7c5hspX5VJ8='
Referrer-Policy: no-referrer
<html><head><meta http-equiv='X-UA-Compatible' content='IE=edge' /><base target='_self'/></head><body><form method='post' action='http://localhost:6002/signin-oidc'><input type='hidden' name='code' value='8F80E2D57D10FBA66BE5FDD44C28C55414F04A884075461104C1EF7828DAE961' />
<input type='hidden' name='scope' value='openid profile api1' />
<input type='hidden' name='state' value='CfDJ8EvLzXx95NhOpTKk_JopLRAtCPNf259LPzLsz20hoZ9vEALtJi8Ms99_BXC-Cra7prdpF58nHahlLqSHZz_pyId1Kf4CCFvY5juG2p2RqTbCcZCQ6_G5Fd4FzTT0RtCaLbhRPDDGMb6D7PSWd-cy-tn64CsYkRa85yEeklZHLHtVADjK0CbBhSR5nXERBptLeNyayrGInKAQHR5aXI9qvD00NodlABRotjw2ALGnRwQRXjZ5ZGMvi4v3LWYHtuyvXyAhIglZ3l1QP1oNQraTuYWvSceK4AqyitMIQ0ZvBsOF8Q14rmvq9JQvuzf6fX9Fj_YRB7Tfs2bV7CR1kgLB3Ss5amy_cwBTQHTTqLKeLyyvgb1zMC6LOcLL26oQj9cWag' />
<input type='hidden' name='session_state' value='lHCZqkJ0suot4KBIbaBadd17-zTF9pyuMpfbZqfv-hE.BBA2DB34D59FF6A60AF3FBD6EFF6A3D4' />
<noscript><button>Click to continue</button></noscript></form><script>window.addEventListener('load', function(){document.forms[0].submit();});</script></body></html>
又重定向至authorize回調,此時回調響應html頁面
里面有一個表單
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<base target="_self" />
</head>
<body>
<form method="post" action="http://localhost:6002/signin-oidc">
<input type="hidden" name="code" value="8F80E2D57D10FBA66BE5FDD44C28C55414F04A884075461104C1EF7828DAE961" />
<input type="hidden" name="scope" value="openid profile api1" />
<input type="hidden" name="state" value="CfDJ8EvLzXx95NhOpTKk_JopLRAtCPNf259LPzLsz20hoZ9vEALtJi8Ms99_BXC-Cra7prdpF58nHahlLqSHZz_pyId1Kf4CCFvY5juG2p2RqTbCcZCQ6_G5Fd4FzTT0RtCaLbhRPDDGMb6D7PSWd-cy-tn64CsYkRa85yEeklZHLHtVADjK0CbBhSR5nXERBptLeNyayrGInKAQHR5aXI9qvD00NodlABRotjw2ALGnRwQRXjZ5ZGMvi4v3LWYHtuyvXyAhIglZ3l1QP1oNQraTuYWvSceK4AqyitMIQ0ZvBsOF8Q14rmvq9JQvuzf6fX9Fj_YRB7Tfs2bV7CR1kgLB3Ss5amy_cwBTQHTTqLKeLyyvgb1zMC6LOcLL26oQj9cWag" />
<input type="hidden" name="session_state" value="lHCZqkJ0suot4KBIbaBadd17-zTF9pyuMpfbZqfv-hE.BBA2DB34D59FF6A60AF3FBD6EFF6A3D4" />
<noscript>
<button>Click to continue</button>
</noscript>
</form>
<script>window.addEventListener('load', function(){document.forms[0].submit();});</script>
</body>
</html>
並在load時自動觸發submit
window.addEventListener('load', function(){document.forms[0].submit();});
提交至http://localhost:6002/signin-oidc,此時code會被存入mvc客戶端后台,這里細節,需要研究過源碼才能解答
2.10 請求token端點
請求
POST /connect/token HTTP/1.1
Host: localhost:5001
User-Agent: Microsoft ASP.NET Core OpenIdConnect handler
Request-Id: |d8ea1674-480ea8a77b20fcf1.
Content-Type: application/x-www-form-urlencoded
client_id=mvc&client_secret=secret-mvc&code=8F80E2D57D10FBA66BE5FDD44C28C55414F04A884075461104C1EF7828DAE961&grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A6002%2Fsignin-oidc&code_verifier=uCbO1SO2dtSr-bIZ9rsX1lJk2pSjVSFMXmoSzzov_bY
響應
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Server: Kestrel
{"id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc2OEFDMTBCNEEzNzI4RTIwNjQ0MDU4QjZFREY1MDUxIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1OTQ2MTA1ODUsImV4cCI6MTU5NDYxMDg4NSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAxIiwiYXVkIjoibXZjIiwibm9uY2UiOiI2MzczMDIwNzM4MTU5NDc3OTkuWmpNek1Ua3dNelV0WkRRNVlTMDBPVGt4TFRsbE56UXRNRE5oT0RrME5EUXpOR1U1WkdJek1ESTNNR010TVdRek1DMDBZelk1TFRoaVpqSXRNREE1T1ROa05URTJNR1E0IiwiaWF0IjoxNTk0NjEwNTg1LCJhdF9oYXNoIjoiNU1YZWNXTW9scjc0OGtqWmRCTFlCUSIsInNfaGFzaCI6IlpOTzhmeE44N3l1QkRrTFhQOFJWMmciLCJzaWQiOiJBRjNFQjUzMTg0OTUxRTJFN0U4NzQ4QjdBQjAxMThFMiIsInN1YiI6IjEiLCJhdXRoX3RpbWUiOjE1OTQ2MTA1ODMsImlkcCI6ImxvY2FsIiwiYW1yIjpbInB3ZCJdfQ.FBqN2mPMYfBkz-O8CS_8AMET5rINB7k1DwsgF5BK4WsOrRgT-3lAPaGQ6FvxUX6Zoyr6Yg4wjCgqIEB2B9yixQJe1tdYDiOZ1-LrfziSW8crI83UgsMGnobSZAjf4ZuUdnCnu5EWT0q03EUpx7UxlMW1HR9EkvslQ16CoaFVA8R9srYaxHDyia-p-_0eCHZkSuOmUvcidaJv1SD-9WRw2p1sZ_eAnttYrKCBy1-LNxdX_GaEvKqbZNZ8rB0gGQ8tAUfbhtbA_kNhPkRd_7pfD6EiEKvQpivopH8_8_VqCScRHkq3u2bNC7qHobKgrzZCEXP39eRBmDMq_FAJ5XjGQg","access_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc2OEFDMTBCNEEzNzI4RTIwNjQ0MDU4QjZFREY1MDUxIiwidHlwIjoiYXQrand0In0.eyJuYmYiOjE1OTQ2MTA1ODUsImV4cCI6MTU5NDYxNDE4NSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAxIiwiY2xpZW50X2lkIjoibXZjIiwic3ViIjoiMSIsImF1dGhfdGltZSI6MTU5NDYxMDU4MywiaWRwIjoibG9jYWwiLCJqdGkiOiI0RDZGM0E1OTdGMjY4N0E2RTM4OTkxN0JGMjFFM0Y5QyIsInNpZCI6IkFGM0VCNTMxODQ5NTFFMkU3RTg3NDhCN0FCMDExOEUyIiwiaWF0IjoxNTk0NjEwNTg1LCJzY29wZSI6WyJvcGVuaWQiLCJwcm9maWxlIiwiYXBpMSJdLCJhbXIiOlsicHdkIl19.YJT5fOPAJ5Zfkn0lx3eFlfg4mhMgeUEkeQZMUY02mtO9YuFATCuIRT8GSKD_kwollEqZXwdI20jKkCHKE8W6K7BIP4kRNOn1XiRFo3cJ11nhZxXOmnhD5ViRnQklKXhvjWccsCObY8PLteSaE6hZb1P4rDRcIhfh3XAbYjrq9k5l5WkAoivkUax_bgONONLCWKz4-xzp6poCkc-fvi0p2iEMifMNCiA-spw_k2NORVi0ZNhGCn8AzmGARRVk54_MliDkWjfZk4oeB-SwqX_FTzx70IUpmcYruq361pNFU8oIcJ6G_sqd2_GmHRwrm9fUTYh5fFsm8HHvV2oHdayqxw","expires_in":3600,"token_type":"Bearer","scope":"openid profile api1"}
以code,scope,client_id,,grant_type等必要參數作為post參數請求token端點,特別提一下此時需要客戶端傳遞code_verifier,最后返回id_token、access_token、expires_in、scope
2.11 注銷登錄-請求end_session_endpoint
請求
GET /connect/endsession?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A6002%2Fsignout-callback-oidc&id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc2OEFDMTBCNEEzNzI4RTIwNjQ0MDU4QjZFREY1MDUxIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1OTQ2MTA1ODUsImV4cCI6MTU5NDYxMDg4NSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAxIiwiYXVkIjoibXZjIiwibm9uY2UiOiI2MzczMDIwNzM4MTU5NDc3OTkuWmpNek1Ua3dNelV0WkRRNVlTMDBPVGt4TFRsbE56UXRNRE5oT0RrME5EUXpOR1U1WkdJek1ESTNNR010TVdRek1DMDBZelk1TFRoaVpqSXRNREE1T1ROa05URTJNR1E0IiwiaWF0IjoxNTk0NjEwNTg1LCJhdF9oYXNoIjoiNU1YZWNXTW9scjc0OGtqWmRCTFlCUSIsInNfaGFzaCI6IlpOTzhmeE44N3l1QkRrTFhQOFJWMmciLCJzaWQiOiJBRjNFQjUzMTg0OTUxRTJFN0U4NzQ4QjdBQjAxMThFMiIsInN1YiI6IjEiLCJhdXRoX3RpbWUiOjE1OTQ2MTA1ODMsImlkcCI6ImxvY2FsIiwiYW1yIjpbInB3ZCJdfQ.FBqN2mPMYfBkz-O8CS_8AMET5rINB7k1DwsgF5BK4WsOrRgT-3lAPaGQ6FvxUX6Zoyr6Yg4wjCgqIEB2B9yixQJe1tdYDiOZ1-LrfziSW8crI83UgsMGnobSZAjf4ZuUdnCnu5EWT0q03EUpx7UxlMW1HR9EkvslQ16CoaFVA8R9srYaxHDyia-p-_0eCHZkSuOmUvcidaJv1SD-9WRw2p1sZ_eAnttYrKCBy1-LNxdX_GaEvKqbZNZ8rB0gGQ8tAUfbhtbA_kNhPkRd_7pfD6EiEKvQpivopH8_8_VqCScRHkq3u2bNC7qHobKgrzZCEXP39eRBmDMq_FAJ5XjGQg&state=CfDJ8EvLzXx95NhOpTKk_JopLRCfEOKDdY1T1-2l1vCzWMUWhnbg1dxg4-yeWSLZYk7nUYoe2Zw4ENckDO9ZJbthlJ5wJ8lVGc1yfk0WV82pZuBHysuTg-BjCmYBpzF1VvTovaehzUmFkBrPnje5aihe2lsk4ipihnNhw7zixwM3t-cZ&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0 HTTP/1.1
Host: localhost:5001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost:6002/
響應
HTTP/1.1 302 Found
Server: Kestrel
Location: http://localhost:5001/Account/Logout?logoutId=CfDJ8EvLzXx95NhOpTKk_JopLRAZbKYODnbu_Ya4aqh80r3vYXAgJ9105xekmnNEpSDtSsZYne0jN6Fp5yAS2oqvrSQdkdZVrrQT5REYstZ9ID5Nprq83mrPv5W5-5U8V6LyvSIV9JbG5OI1z1L6yArhyAIT5vZukUUnf8KKZjNo4YKXcvJIJp303YfawX4YNaV7n0M2eE3M7gehTYEEMAUoqKAZNyp31qrDLnljkL4hNdG3x9yDb_cTchhy6HPxpKowVgmukA37RSQ0juyUtRfse8dXSb0qH5_6QKBGadU14rYFcPdG0O6vzmNawrVrGurRxRcptcHGxtykFomerFKHFaTzNyJXJszMCFSsx_SZoZHo0LJwiUGP1H0FST7cR9tH3syPbJw-bGEWQRXyvU8QZoWk_ILDlCRT3aVFoJ7MbRUSUX0AJY2U4Mzlwk27a6arLRioalD2EKW8bXvOLFSYfLrmcQc96nsCdGkdarWrBvacuRg6ReedaMOWXGFhXzaS7qh4yM5dah8KV6JVrtItZ7jlJOHAgL0onolUeWV_d59LuCTd9SHVluXl3xxgL3TKtQNSE8aim_G1GwQT0u0h2E3_csGepIeohUecVfzrpFbhYYbkjfOPiIY1KykNYImxuplw2o1vCAsdt0GsqvzuqKZCs0Fy0Be1Sse9UgvhAKfSNZdHo-WJGiSXEuXeFzTPvg
請求服務端endsession端點,傳遞參數id-token,響應302重定向注銷登錄頁面。
2.12 請求Logout頁面
請求
GET /Account/Logout?logoutId=CfDJ8EvLzXx95NhOpTKk_JopLRAZbKYODnbu_Ya4aqh80r3vYXAgJ9105xekmnNEpSDtSsZYne0jN6Fp5yAS2oqvrSQdkdZVrrQT5REYstZ9ID5Nprq83mrPv5W5-5U8V6LyvSIV9JbG5OI1z1L6yArhyAIT5vZukUUnf8KKZjNo4YKXcvJIJp303YfawX4YNaV7n0M2eE3M7gehTYEEMAUoqKAZNyp31qrDLnljkL4hNdG3x9yDb_cTchhy6HPxpKowVgmukA37RSQ0juyUtRfse8dXSb0qH5_6QKBGadU14rYFcPdG0O6vzmNawrVrGurRxRcptcHGxtykFomerFKHFaTzNyJXJszMCFSsx_SZoZHo0LJwiUGP1H0FST7cR9tH3syPbJw-bGEWQRXyvU8QZoWk_ILDlCRT3aVFoJ7MbRUSUX0AJY2U4Mzlwk27a6arLRioalD2EKW8bXvOLFSYfLrmcQc96nsCdGkdarWrBvacuRg6ReedaMOWXGFhXzaS7qh4yM5dah8KV6JVrtItZ7jlJOHAgL0onolUeWV_d59LuCTd9SHVluXl3xxgL3TKtQNSE8aim_G1GwQT0u0h2E3_csGepIeohUecVfzrpFbhYYbkjfOPiIY1KykNYImxuplw2o1vCAsdt0GsqvzuqKZCs0Fy0Be1Sse9UgvhAKfSNZdHo-WJGiSXEuXeFzTPvg HTTP/1.1
Host: localhost:5001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost:6002/
響應
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Kestrel
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: idsrv.session=.; expires=Sat, 13 Jul 2019 03:23:10 GMT; path=/; samesite=none
Set-Cookie: idsrv=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; samesite=none; httponly
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no" />
<title>IdentityServer4</title>
<link rel="icon" type="image/x-icon" href="/favicon.ico" />
<link rel="shortcut icon" type="image/x-icon" href="/favicon.ico" />
<link rel="stylesheet" href="/lib/bootstrap/dist/css/bootstrap.min.css" />
<link rel="stylesheet" href="/css/site.css" />
</head>
<body>
<div class="nav-page">
<nav class="navbar navbar-expand-lg navbar-dark bg-dark">
<a href="/" class="navbar-brand">
<img src="/icon.png" class="icon-banner">
IdentityServer4
</a>
</nav>
</div>
<div class="container body-container">
<div class="logged-out-page">
<h1>
Logout
<small>You are now logged out</small>
</h1>
<div>
Click <a class="PostLogoutRedirectUri" href="http://localhost:6002/signout-callback-oidc?state=CfDJ8EvLzXx95NhOpTKk_JopLRCfEOKDdY1T1-2l1vCzWMUWhnbg1dxg4-yeWSLZYk7nUYoe2Zw4ENckDO9ZJbthlJ5wJ8lVGc1yfk0WV82pZuBHysuTg-BjCmYBpzF1VvTovaehzUmFkBrPnje5aihe2lsk4ipihnNhw7zixwM3t-cZ">here</a> to return to the
<span>mvc</span> application.
</div>
<iframe width="0" height="0" class="signout" src="http://localhost:5001/connect/endsession/callback?endSessionId=CfDJ8EvLzXx95NhOpTKk_JopLRD-iDHpQvqvs7oMHfRayDl1TWmAw1sxkh_HGTCQELzyrP8UobnaEJWXNW7kDkeLCcKHSj9eieXp9e7QJZaVi_lX9dPjORcItuExlHR8oozCOCWod1BaJWWwEwGyRklKp6kfsvfWMgTRP2BhDLFMc5YgeQvONdDVpVfQ_nPBosK2fHwssuocHqtjDw3RhGwbMRBUOFKhwiJ9GFZtyRvaowanRrlk62h33DSsJByUniXPLNDcL-a3COGpY-fbwF3mUp4"></iframe>
</div>
</div>
<script src="/lib/jquery/dist/jquery.slim.min.js"></script>
<script src="/lib/bootstrap/dist/js/bootstrap.bundle.min.js"></script>
</body>
</html>
重定向至Logout頁面,並通過Set-Cookie把IndentityServer-localhost:5001的cookie置為空,且響應一段包含隱藏src="http://localhost:5001/connect/endsession/callback"的iframe的html
2.13 觸發endsession回調
請求
GET /connect/endsession/callback?endSessionId=CfDJ8EvLzXx95NhOpTKk_JopLRD-iDHpQvqvs7oMHfRayDl1TWmAw1sxkh_HGTCQELzyrP8UobnaEJWXNW7kDkeLCcKHSj9eieXp9e7QJZaVi_lX9dPjORcItuExlHR8oozCOCWod1BaJWWwEwGyRklKp6kfsvfWMgTRP2BhDLFMc5YgeQvONdDVpVfQ_nPBosK2fHwssuocHqtjDw3RhGwbMRBUOFKhwiJ9GFZtyRvaowanRrlk62h33DSsJByUniXPLNDcL-a3COGpY-fbwF3mUp4 HTTP/1.1
Host: localhost:5001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-
Cookie: .AspNetCore.Antiforgery.-IwGtD3QVi8=CfDJ8EvLzXx95NhOpTKk_JopLRC52AxoSRHn9ciblh7wwEnyoJI4hEVfPW8ZrSerXc81TOVLPDoIpIS4w4idShomXf2jiiUcgqYsCP6XaeH2i681CSh6xBc-uP1PI9cYvHuUdiMFC25Ig67pxU3pnNo4j0s
響應
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Kestrel
Content-Security-Policy: default-src 'none'; style-src 'sha256-u+OupXgfekP+x/f6rMdoEAspPCYUtca912isERnoEjY='
X-Content-Security-Policy: default-src 'none'; style-src 'sha256-u+OupXgfekP+x/f6rMdoEAspPCYUtca912isERnoEjY='
<!DOCTYPE html><html><style>iframe{display:none;width:0;height:0;}</style><body></body></html>
觸發回調,cookie已刪除
3.補充
在述2.5小節之后,如果IdentityServer4沒有配置用戶選擇選項,或者RequireConsent=false,代碼如下
new Client
{
ClientId="mvc",
ClientSecrets={ new Secret("secret-mvc".Sha256())},
AllowedGrantTypes = GrantTypes.Code,
//// 需要用戶同意授權,默認為false
//RequireConsent=true,
// where to redirect to after login
RedirectUris = { "http://localhost:6002/signin-oidc" },
// where to redirect to after logout
PostLogoutRedirectUris = { "http://localhost:6002/signout-callback-oidc" },
AllowedScopes = new List<string>
{
"api1",
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile
}
},
就會直接到authorize回調,返回授權碼,請知曉。
請求
GET /connect/authorize/callback?client_id=mvc&redirect_uri=http%3A%2F%2Flocalhost%3A6002%2Fsignin-oidc&response_type=code&scope=openid%20profile%20api1&code_challenge=K5sDcRY6SK9pMnC16oEWk9H8hOdre2MZ1qwpTrTygl4&code_challenge_method=S256&response_mode=form_post&nonce=637302247176725439.YWE3ZGZkYjEtZjZiOS00NjAwLTk5YmMtNjlhM2I1MjY4ZjFiZjJjYjhlYjctOTdmYi00Y2EzLWI1M2YtZjBjYjA3OWY0ZmZl&state=CfDJ8EvLzXx95NhOpTKk_JopLRB57an6y-MwhUZuh8Ez7z73Nv03xcjFhtP1yf0mh14hmoEZdulUBGkZVKk2oa-TBq9GL3E1MzqJPSwkUxcQVfmWIO6mEgLTJ3L_146JP9z_4Bf-ALMR68YPCHwgP2A1S5rEHYAXCKZ4LHfuG9Xi3bjIuUlCfoWQpHuThSDmaPX-9SeIwkywb0T1ghYCb8-TIpHZ9cBWDV0ElGmnYv4QjRQeBPtbUAKgiAmjE677kG8gOzpi7eTz5QPpym6YqZsTLdjUx6RIY2XMaBluXmC7ieU3iMsios44nRRPokH-jXGN6XqDyT26Utbsc4kL2bFBfBD63R5VPjsESoxw0xzDJY4DHGV2HU0uaSgSxNvrpO4Feg&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.5.0.0 HTTP/1.1
Host: localhost:5001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
響應
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Kestrel
Set-Cookie: idsrv=CfDJ8EvLzXx95NhOpTKk_JopLRBI8aySjsT2ffevQWnFQVMIfXq4pSj1LEKY0ili_u8gCklbVAaaSAtFpncya0FDBApDu5rPDXpjSIy3ziHBht1UheFB93tW4FvhJaFvsdv2xji-5dh373EWilGrh-bFHubPuo3XsG_dyfwjXFOpA3AFluuRdD6wUILB_eQVjfdBT_5xgXAy1AYliF-LgeKza2kJqXTrarewO5mMfmg-l0odP1_KMsQo79iurO2jqSMv_asxGsWgAJRE7BJwWiqAn-7cftv-tHHIoHLAwVH5rBxPessMq1GXcp2NHo2qflHvsax02-F2-nkBG6FRs7mJtbKkWWpZ14rgucoU6fW8gGGWnH4oay9PwtDNTOS4uRmHn5YHZRJx1XxGq5TSclBS7XnH7k-VsPIlDf9mHOwik9C8FuQ8KXdll4Psm1zgeLA6PP1tglt-_QAXwPtviNfxDv60gYxJC2GwMTcEGoWxqM7LkHlm4xpEabdzl00z6hXENny8pqxu2DDVlkHddVubZ7lwVNClgsGtRMMzBLa-m2oRhuWolFXTSjT7tYS7WLMmLA; path=/; samesite=none; httponly
Content-Security-Policy: default-src 'none'; script-src 'sha256-orD0/VhH8hLqrLxKHD/HUEMdwqX6/0ve7c5hspX5VJ8='
X-Content-Security-Policy: default-src 'none'; script-src 'sha256-orD0/VhH8hLqrLxKHD/HUEMdwqX6/0ve7c5hspX5VJ8='
Referrer-Policy: no-referrer
<html><head><meta http-equiv='X-UA-Compatible' content='IE=edge' /><base target='_self'/></head><body><form method='post' action='http://localhost:6002/signin-oidc'><input type='hidden' name='code' value='85B95996FFF98CC066BE9C7EAE5FBA3DF189767823CE4C0ECDE9556D5D448E11' />
<input type='hidden' name='scope' value='openid profile api1' />
<input type='hidden' name='state' value='CfDJ8EvLzXx95NhOpTKk_JopLRB57an6y-MwhUZuh8Ez7z73Nv03xcjFhtP1yf0mh14hmoEZdulUBGkZVKk2oa-TBq9GL3E1MzqJPSwkUxcQVfmWIO6mEgLTJ3L_146JP9z_4Bf-ALMR68YPCHwgP2A1S5rEHYAXCKZ4LHfuG9Xi3bjIuUlCfoWQpHuThSDmaPX-9SeIwkywb0T1ghYCb8-TIpHZ9cBWDV0ElGmnYv4QjRQeBPtbUAKgiAmjE677kG8gOzpi7eTz5QPpym6YqZsTLdjUx6RIY2XMaBluXmC7ieU3iMsios44nRRPokH-jXGN6XqDyT26Utbsc4kL2bFBfBD63R5VPjsESoxw0xzDJY4DHGV2HU0uaSgSxNvrpO4Feg' />
<input type='hidden' name='session_state' value='uVc1Al5eKyFI6hPGeTZYQ5T2rH7bTBj1UI8foq2Qerk.596FC31C9582DFC13A47E5E114399274' />
<noscript><button>Click to continue</button></noscript></form><script>window.addEventListener('load', function(){document.forms[0].submit();});</script></body></html>
緊接着請求token端點
作者:Garfield
同步更新至個人博客:http://www.randyfield.cn/
本文版權歸作者所有,未經許可禁止轉載,否則保留追究法律責任的權利,若有需要請聯系287572291@qq.com