一、新建一个.net core web项目作为Identity server 4验证服务。
选择更改身份验证,然后再弹出的对话框里面选择个人用户账户。
nuget 安装Identity server相关的依赖包
添加Identity server相关的配置,首先新建config文件加,然后添加IdentityServer.cs,文件中代码如下:
对于相关配置想做详细了解的同学可以参考园友 晓晨Master的identity server 系列博客 https://www.cnblogs.com/stulzq/p/9019446.html
using IdentityModel;
using IdentityServer4;
using IdentityServer4.Models;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks; namespace WebIdentityServer.Config
{
public static class IdentityServer
{
public static List<Client> GetClients()
{
return new List<Client>()
{
new Client
{
ClientId = "mvc",
ClientName = "MVC Client",
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword, RequireConsent = false, ClientSecrets =
{
new Secret("secret".Sha256())
}, RedirectUris = { "http://localhost:5002/signin-oidc" },
PostLogoutRedirectUris = { "http://localhost:5002/signout-callback-oidc" }, AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
"api1"
},
AllowOfflineAccess = false,
AccessTokenType = AccessTokenType.Jwt,
}
};
} public static IEnumerable<IdentityResource> GetIdentityResources()
{
var customProfile = new IdentityResource(
name: "custom.profile",
displayName: "Custom profile",
claimTypes: new[] { "name", "email", "status" }); return new List<IdentityResource>
{
new IdentityResources.OpenId(),
new IdentityResources.Profile(),
customProfile
};
} public static IEnumerable<ApiResource> GetApiResources()
{
return new[]
{
// simple API with a single scope (in this case the scope name is the same as the api name)
new ApiResource("api1", "Some API 1"), // expanded version if more control is needed
new ApiResource
{
Name = "api2", // secret for using introspection endpoint
ApiSecrets =
{
new Secret("secret".Sha256())
}, // include the following using claims in access token (in addition to subject id)
UserClaims = { JwtClaimTypes.Name, JwtClaimTypes.Email }, // this API defines two scopes
Scopes =
{
new Scope()
{
Name = "api2.full_access",
DisplayName = "Full access to API 2",
},
new Scope
{
Name = "api2.read_only",
DisplayName = "Read only access to API 2"
}
}
}
};
}
}
}
在Startup类中添加如下配置:
1. 在ConfigureServices方法中添加如下代码配置
public void ConfigureServices(IServiceCollection services)
{
services.AddDbContext<ApplicationDbContext>(options =>
options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection"))); services.AddIdentity<ApplicationUser, IdentityRole>()
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders(); // Add application services.
services.AddTransient<IEmailSender, EmailSender>(); services.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddInMemoryPersistedGrants()
.AddInMemoryIdentityResources(IdentityServer.GetIdentityResources())
.AddInMemoryApiResources(IdentityServer.GetApiResources())
.AddInMemoryClients(IdentityServer.GetClients())
.AddAspNetIdentity<ApplicationUser>(); services.AddMvc();
}
2. 在Configure方法中添加如下代码配置
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseBrowserLink();
app.UseDeveloperExceptionPage();
app.UseDatabaseErrorPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
} app.UseStaticFiles(); // app.UseAuthentication(); // not needed, since UseIdentityServer adds the authentication middleware
app.UseIdentityServer(); app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
}
在程序包管理控制台使用Update-Database命令生成DB,然后再VS中打开Sql server 对象管理器中可以看到创建的数据库及表
启动servers,然后看到以下界面,点击Register注册一个用户然后点击login用注册的用户登陆。
如果能够登陆成功则说明我们的Identity server搭建成功,然后我们用postman单独拿取token:
二、配置.net core web Api使用身份验证系统:
1. 在Startup类的ConfigureServices中添加下列配置,Authority 是我们Identity server启动使用的url。
services.AddAuthentication("Bearer")
.AddJwtBearer("Bearer", options =>
{
options.Authority = "http://localhost:5000";
options.RequireHttpsMetadata = false;
options.Audience = "api1";
});
2. 在Startup类的Configure中添加下列配置。
app.UseAuthentication();
3. Controller 添加属性(特性)[Authorize]
[Route("api/[controller]")]
[ApiController]
[Authorize]
public class ValuesController : ControllerBase
然后我们验证是否可以Identity server验证token.
1. 不添加token,发送请求得到401 bad request 错误
2. 使用token,发送请求,得到200成功的状态码,并返回response。
