问题
Web Api .net framework
I have an authentication service done with IdentityServer4 .net core 1.1. The client settings are as follows:
new Client
{
ClientId = "client",
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedScopes = { "api1" }
},
// resource owner password grant client
new Client
{
ClientId = "ro.client",
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedScopes = { "api1" }
},
// OpenID Connect hybrid flow and client credentials client (MVC)
new Client
{
ClientId = "mvc",
ClientName = "MVC Client",
AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
RequireConsent = true,
ClientSecrets =
{
new Secret("secret".Sha256())
},
RedirectUris = { "http://localhost:5002/signin-oidc" },
PostLogoutRedirectUris = { "http://localhost:5002/signout-callback-oidc" },
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
"api1"
},
AllowOfflineAccess = true
},
// JavaScript Client
new Client
{
ClientId = "js",
ClientName = "JavaScript Client",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
RedirectUris = { "http://localhost/web/main.html#/redirectLogin#" },
PostLogoutRedirectUris = { "http://localhost/web" },
AllowedCorsOrigins = { "http://localhost" },
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
"api1"
},
RequireConsent = false
}
I have a front-end application with javascript using oidc-client. In it I can authenticate to the authentication server with the following settings:
var userManagerConfig = {
authority: "http://localhost:5000",
client_id: "js",
redirect_uri: "http://localhost/web/main.html#/redirectLogin#",
response_type: "id_token token",
scope: "openid profile api1",
post_logout_redirect_uri: "http://localhost/web",
};
var userManager = new Oidc.UserManager(userManagerConfig);
I also have an api web made in .net framework 4.6.1. In it I want to receive authentication from the front end and use the authentication server to validate the access.
How should the settings be made for this case?
回答1:
Your API should be registered as an API Resource in Identity Server. Then - it should implement the OwinStartup and have this in it:
public void Configuration(IAppBuilder app)
{
// accept access tokens from identityserver and require a scope of 'api1'
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
Authority = "<ids address>",
ValidationMode = ValidationMode.Both,
RequiredScopes = new[] { "myapi" }
});
// configure web api
var config = new HttpConfiguration();
config.MapHttpAttributeRoutes();
app.UseWebApi(config);
}
And, because it is a .NET Framework API, it needs to reference IdentityServer3.AccessTokenValidation. This should not bother you and cause any concerns. It deals with IdentityServer4 tokens with no hesitation.
Everything else is standard - you need AuthorizeAttribute on all controllers/methods that you want to require or add this:
// require authentication for all controllers
config.Filters.Add(new AuthorizeAttribute());
In the Startup.cs and force authorization on all controllers.
回答2:
@m3n7alsnak3's answer is correct, i use app.UseIdentityServerBearerTokenAuthentication method, but i get unauthorize message!
My webapi is .net 4.6.1 and my IdentityServer4 is .Net Core 3.1.
After two days R&D and read IdentityServerBearerTokenValidationMiddleware source code, i found this articles:
Need to set IdentityServerOptions.AccessTokenJwtType
Need to set IdentityServerOptions.EmitLegacyResourceAudienceClaim
Finally i add this options in my IdentityServer config and it work fine.
var builder = services.AddIdentityServer(option =>
{
option.AccessTokenJwtType = "";
option.EmitLegacyResourceAudienceClaim = true;
})
.AddInMemoryApiResources(Config.Apis)
.AddInMemoryClients(Config.Clients);
来源:https://stackoverflow.com/questions/49041098/web-api-net-framework-4-6-1-and-identityserver4