I. System environment

Windows 10

C:\Users\zhoujy>dotnet --version
5.0.102

IdentityServer4 4.0.0

Microsoft Visual Studio Community 2019
Version 16.8.4

II. How IdentityServer4 works

1. Most applications today follow the pattern shown in the figure below

The most common interactions are:

  • a browser communicating with a web application
  • a web application communicating with a web API (sometimes on its own behalf, sometimes on behalf of a user)
  • a browser-based application communicating with a web API
  • a native application communicating with a web API
  • a server-based application communicating with a web API
  • a web API communicating with another web API (sometimes on its own behalf, sometimes on behalf of a user)

2. IdentityServer4 restructures the application around a security token service, which supports the architectures and protocols shown below

III. Getting-started example

The getting-started example creates three projects: the simplest possible IdentityServer, an API resource that needs protecting, and a client that is granted access. Together they simulate issuing a token and then using that token to call the protected API.

1. Create the IdentityServer4 server

First install the project templates provided by IdentityServer4

dotnet new -i IdentityServer4.Templates

Create the quickstart/src directory and create the IdentityServer project inside it

md quickstart
cd quickstart
md src
cd src
dotnet new is4empty -n IdentityServer

Create a solution and add the project to it, so that it can be used from Visual Studio

cd ..
dotnet new sln -n Quickstart
dotnet sln add ./src/IdentityServer/IdentityServer.csproj

Open the solution in Visual Studio and edit Config.cs in the IdentityServer project to define the API scopes and the list of clients

// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.
// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.

using IdentityServer4.Models;
using System.Collections.Generic;

namespace IdentityServer
{
    public static class Config
    {
        public static IEnumerable<IdentityResource> IdentityResources =>
            new IdentityResource[]
            {
                new IdentityResources.OpenId()
            };

        public static IEnumerable<ApiScope> ApiScopes =>
            new List<ApiScope>
            {
                new ApiScope("api1", "My API")
            };

        public static IEnumerable<Client> Clients =>
            new List<Client>
            {
                new Client
                {
                    ClientId = "client",

                    // no interactive user, use the clientid/secret for authentication
                    AllowedGrantTypes = GrantTypes.ClientCredentials,

                    // secret for authentication
                    ClientSecrets =
                    {
                        new Secret("secret".Sha256())
                    },

                    // scopes that client has access to
                    AllowedScopes = { "api1" }
                }
            };
    }
}

Configure Startup.cs to load the resource and client definitions.

public void ConfigureServices(IServiceCollection services)
{
    // uncomment, if you want to add an MVC-based UI
    //services.AddControllersWithViews();

    var builder = services.AddIdentityServer(options =>
        {
            // see https://identityserver4.readthedocs.io/en/latest/topics/resources.html
            options.EmitStaticAudienceClaim = true;
        })
        .AddInMemoryIdentityResources(Config.IdentityResources)
        .AddInMemoryApiScopes(Config.ApiScopes)
        .AddInMemoryClients(Config.Clients);

    // not recommended for production - you need to store your key material somewhere secure
    builder.AddDeveloperSigningCredential();
}

With that, a minimal IdentityServer is ready to run.

L:\CSharp\quickstart\src\IdentityServer> dotnet run dev
[14:50:12 Information]
Starting host...
[14:50:13 Information] IdentityServer4.Startup
Starting IdentityServer4 version 4.0.0+1acafade44176bf817412aa4309d5dff6587a741
[14:50:13 Information] IdentityServer4.Startup
You are using the in-memory version of the persisted grant store. This will store consent decisions, authorization codes, refresh and reference tokens in memory only. If you are using any of those features in production, you want to switch to a different store implementation.
[14:50:13 Information] IdentityServer4.Startup
Using the default authentication scheme idsrv for IdentityServer
[14:50:13 Debug] IdentityServer4.Startup
Using idsrv as default ASP.NET Core scheme for authentication
[14:50:13 Debug] IdentityServer4.Startup
Using idsrv as default ASP.NET Core scheme for sign-in
[14:50:13 Debug] IdentityServer4.Startup
Using idsrv as default ASP.NET Core scheme for sign-out
[14:50:13 Debug] IdentityServer4.Startup
Using idsrv as default ASP.NET Core scheme for challenge
[14:55:06 Information] Microsoft.Hosting.Lifetime
Now listening on: https://localhost:5001
[14:55:06 Information] Microsoft.Hosting.Lifetime
Application started. Press Ctrl+C to shut down.

Visit https://localhost:5001/.well-known/openid-configuration to view the discovery document.

2. Create the API resource that needs protecting

Go to the quickstart/src directory

dotnet new webapi -n Api

Add the project to the solution

cd ..
dotnet sln add ./src/Api/Api.csproj

Edit launchSettings.json in the Properties folder and change the launch URL to https://localhost:6001

{
  "profiles": {
    "SelfHost": {
      "commandName": "Project",
      "launchBrowser": true,
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      },
      "applicationUrl": "https://localhost:6001"
    }
  }
}

Add a new controller, IdentityController, to test the authorization requirement.

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using System.Linq;

namespace api.Controllers
{
    [Route("identity")]
    [Authorize]
    public class IdentityController : ControllerBase
    {
        [HttpGet]
        public IActionResult Get()
        {
            return new JsonResult(from c in User.Claims select new { c.Type, c.Value });
        }
    }
}

Add the dependency package

dotnet add ./src/api/api.csproj package Microsoft.AspNetCore.Authentication.JwtBearer

Configure Startup.cs

The last step is to add IdentityServer to DI (dependency injection) and to add the authentication middleware to the pipeline. Together they:

  • validate incoming tokens to make sure they come from a trusted issuer
  • validate that the token is allowed to be used with this API (also known as the audience)

using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.IdentityModel.Tokens;
using Microsoft.OpenApi.Models;

namespace api
{
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddControllers();
            services.AddSwaggerGen(c =>
            {
                c.SwaggerDoc("v1", new OpenApiInfo { Title = "api", Version = "v1" });
            });

            services.AddAuthentication("Bearer")
                .AddJwtBearer("Bearer", options =>
                {
                    options.Authority = "https://localhost:5001";
                    options.TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidateAudience = false
                    };
                });

            // add an authorization policy for the scope
            services.AddAuthorization(options =>
            {
                options.AddPolicy("ApiScope", policy =>
                {
                    policy.RequireAuthenticatedUser();
                    policy.RequireClaim("scope", "api1");
                });
            });
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
                app.UseSwagger();
                app.UseSwaggerUI(c => c.SwaggerEndpoint("/swagger/v1/swagger.json", "api v1"));
            }

            app.UseHttpsRedirection();
            app.UseRouting();

            app.UseAuthentication();
            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllers()
                    .RequireAuthorization("ApiScope");
            });
        }
    }
}
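The API above sets ValidateAudience = false, so any token signed by this issuer is accepted no matter which API it was issued for, even though the second bullet point above says the audience should be checked. The following is an added example (not code from the original post or from the IdentityServer4 quickstart) showing the two changes that turn the audience check on: declare an ApiResource that owns the api1 scope on the IdentityServer side, and name that resource as the audience on the API side. The class names ConfigAudienceExample and JwtBearerAudienceExample are hypothetical; the resource name "api1" is assumed to match the scope already used above.

```csharp
using System.Collections.Generic;
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

// --- IdentityServer project (add next to Config.cs) ---
// An ApiResource that owns the "api1" scope. Tokens issued for that scope then
// carry aud = "api1" alongside the static audience from EmitStaticAudienceClaim.
// Register it in Startup.ConfigureServices with:
//     builder.AddInMemoryApiResources(ConfigAudienceExample.ApiResources);
namespace IdentityServer
{
    public static class ConfigAudienceExample   // hypothetical class name
    {
        public static IEnumerable<ApiResource> ApiResources =>
            new List<ApiResource>
            {
                new ApiResource("api1", "My API")
                {
                    Scopes = { "api1" }
                }
            };
    }
}

// --- Api project: replacement for the AddAuthentication(...) call in Startup ---
namespace api
{
    public static class JwtBearerAudienceExample   // hypothetical class name
    {
        public static IServiceCollection AddBearerAuthWithAudience(this IServiceCollection services)
        {
            services.AddAuthentication("Bearer")
                .AddJwtBearer("Bearer", options =>
                {
                    options.Authority = "https://localhost:5001";
                    // Leave audience validation on (the default) and name this
                    // API's resource. A token minted for a different API behind
                    // the same issuer now fails validation (401) instead of
                    // being accepted because its signature and issuer check out.
                    options.Audience = "api1";
                });
            return services;
        }
    }
}
```

The scope policy ("ApiScope") still applies on top of this; the audience check answers "was this token issued for this API", the scope claim answers "what may the caller do here".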

3. Create a client that simulates access

The last step is to write a client that requests an access token and then uses it to call the API. Go to the quickstart/src directory

dotnet new console -n Client

Add it to the solution

cd ..
dotnet sln add .\src\Client\Client.csproj

Add the IdentityModel package

cd src
cd client
dotnet add package IdentityModel

Edit Program.cs to simulate the three steps: discovering the endpoints, requesting a token, and calling the API with the token.

using IdentityModel.Client;
using Newtonsoft.Json.Linq;
using System;
using System.Net.Http;
using System.Threading.Tasks;

namespace Client
{
    class Program
    {
        private static async Task Main(string[] args)
        {
            // discover endpoints from metadata
            var client = new HttpClient();
            var disco = await client.GetDiscoveryDocumentAsync("https://localhost:5001");
            if (disco.IsError)
            {
                Console.WriteLine(disco.Error);
                return;
            }
            else
            {
                Console.WriteLine(disco.AuthorizeEndpoint);
            }

            // request a token
            var tokenResponse = await client.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
            {
                Address = disco.TokenEndpoint,
                ClientId = "client",
                ClientSecret = "secret",
                Scope = "api1"
            });

            if (tokenResponse.IsError)
            {
                Console.WriteLine(tokenResponse.Error);
                return;
            }

            Console.WriteLine(tokenResponse.Json);

            // call the API with the token
            var apiClient = new HttpClient();
            apiClient.SetBearerToken(tokenResponse.AccessToken);

            var response = await apiClient.GetAsync("https://localhost:6001/identity");
            if (!response.IsSuccessStatusCode)
            {
                Console.WriteLine(response.StatusCode);
            }
            else
            {
                var content = await response.Content.ReadAsStringAsync();
                Console.WriteLine(JArray.Parse(content));
            }
        }
    }
}

To test, start the IdentityServer and Api projects first, then run Client; the output shows the token that was obtained and the result of calling the Api with it.

L:\CSharp\quickstart\src\Client> dotnet run dev
https://localhost:5001/connect/authorize
{"access_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6IjY4QzlCRkQ0QkY2RUQzNjNCRkEwQjA0NUE0QUY1RjI5IiwidHlwIjoiYXQrand0In0.eyJuYmYiOjE2MjAwODk0ODksImV4cCI6MTYyMDA5MzA4OSwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMSIsImF1ZCI6Imh0dHBzOi8vbG9jYWxob3N0OjUwMDEvcmVzb3VyY2VzIiwiY2xpZW50X2lkIjoiY2xpZW50IiwianRpIjoiOTg2MTBEMTY1NkFBRTk5RTk1NENDRDJDRUE2MERDQ0UiLCJpYXQiOjE2MjAwODk0ODksInNjb3BlIjpbImFwaTEiXX0.aFddnjOPoNdE6KfnWG1W2IZvMGiu6CPJCAnAXE5YE0zbrBspXDn0mrN9hGzqdmg_DLUHdEpVOykWZMt1-lEZV2Yro1PvvuZr5tRFokcKZ55eFeSotgpeVAS-ZogJlMGRZir_JjJrU9XsXtaZd9PBC8glJzTGmyh6qpxWM_vMFkgGQDoG2H0IrpPltT7CXztMrfDgELlLoY_gaD91gwUqjLamY4ZpRKvP_4bicBJtPVcVTa8y5-dhMRszvG_pKL5Eve3zC0gAPB2uVYYJTKYZlNetabJxhzuwk-oD_K2v2_s27jgAYsfDFqmc-B_EFKWcyd4893l4L9wTrmnH7mlWkw","expires_in":3600,"token_type":"Bearer","scope":"api1"}
[
  {"type": "nbf", "value": "1620089489"},
  {"type": "exp", "value": "1620093089"},
  {"type": "iss", "value": "https://localhost:5001"},
  {"type": "aud", "value": "https://localhost:5001/resources"},
  {"type": "client_id", "value": "client"},
  {"type": "jti", "value": "98610D1656AAE99E954CCD2CEA60DCCE"},
  {"type": "iat", "value": "1620089489"},
  {"type": "scope", "value": "api1"}
]

IV. References

1、https://identityserver4.readthedocs.io/en/latest/

2、https://github.com/IdentityServer/IdentityServer4
