一、服务器

Client设置:

  new Client

                 {

                     ClientId = "mvc1",

                     ClientName = "后台管理MVC客户端",

                     ClientSecrets = { new Secret("mvc1".Sha256()) },

                     AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,

                     AllowOfflineAccess = true,

                     RequireConsent = false,

                     RedirectUris = { $"{ClientUrl}/signin-oidc",$"{LocalClientUrl}/signin-oidc"},

                     PostLogoutRedirectUris = { $"{ClientUrl}/signout-callback-oidc",$"{LocalClientUrl}/signout-callback-oidc"},

                     AllowedScopes =

                     {

                         IdentityServerConstants.StandardScopes.OpenId,

                         IdentityServerConstants.StandardScopes.Profile,

                         "IdServerAdmin_API"

                     },

                     AlwaysIncludeUserClaimsInIdToken = true

                 }

Startup.cs:

        /// <summary>

        /// 设置认证服务器

        /// </summary>

        /// <param name="services"></param>

        private void SetIdentityServer(IServiceCollection services)

        {

            #region 认证服务器

            var ServerUrl = Configuration.GetSection("AppSetting:ServerUrl").Value;

            var connectionString = Configuration.GetSection("AppSetting:ConnectionString").Value;

            //配置AccessToken的加密证书

            var rsa = new RSACryptoServiceProvider();

            //从配置文件获取加密证书

            rsa.ImportCspBlob(Convert.FromBase64String(Configuration["AppSetting:SigningCredential"]));

            var idServer = services.AddIdentityServer(options => {

                options.IssuerUri = ServerUrl;

                options.PublicOrigin = ServerUrl;

                options.Discovery.ShowApiScopes = true;

                options.Discovery.ShowClaims = true;

                options.Events.RaiseSuccessEvents = true;

                options.Events.RaiseFailureEvents = true;

                options.Events.RaiseErrorEvents = true;

            });

            //设置加密证书

            idServer.AddSigningCredential(new RsaSecurityKey(rsa));

            idServer.AddInMemoryApiResources(Config.GetApiResources());

            idServer.AddInMemoryIdentityResources(Config.GetIdentityResources());

            idServer.AddInMemoryClients(Config.GetClients());

            services.AddTransient<IMyUserStore, MyUserStore>();

            services.AddTransient<IProfileService, MyProfile>();

            services.AddTransient<IResourceOwnerPasswordValidator, MyUserValidator>();

            #endregion

        }

  

 public class MyProfile : IProfileService

     {

         private readonly IMyUserStore _myUserStore;

         public MyProfile(IMyUserStore myUserStore)

         {

             _myUserStore = myUserStore;

         }

         public Task GetProfileDataAsync(ProfileDataRequestContext context)

         {

             var subjectId = context.Subject.GetSubjectId();

             var user = _myUserStore.GetUserById(subjectId);

             var claims = new List<Claim>

             {

                 new Claim("role",  user.Role),

                 new Claim("userguid", user.SubjectId),

                 new Claim("abc", "这是自定义的值。……。。…。……。……")

             };

             var q = context.RequestedClaimTypes;

             context.AddRequestedClaims(claims);

             context.IssuedClaims.AddRange(claims);

             return Task.FromResult();

         }

         public Task IsActiveAsync(IsActiveContext context)

         {

             var user = _myUserStore.GetUserById(context.Subject.GetSubjectId());

             context.IsActive = (user != null);

             return Task.FromResult();

         }

     }
 public interface IMyUserStore

     {

         JUser Find(string username, string userpass);

         JUser GetUserById(string subjectId);

     }

     public class MyUserStore : IMyUserStore

     {

         readonly IOptions<AppSetting> _options;

         readonly IMemoryCache _memoryCache;

         private const string CACHENAME = "MyUserStore";

         public MyUserStore(IOptions<AppSetting> options, IMemoryCache m_memoryCache)

         {

             _options = options;

             _memoryCache = m_memoryCache;

         }

         public List<JUser> GetList(bool reload=true)

         {

             if (reload)

             {

                 _memoryCache.Remove(CACHENAME);

             }

             List<JUser> list;

             if (!_memoryCache.TryGetValue(CACHENAME, out list)){

                 using(MySqlConnection conn = new MySqlConnection(_options.Value.ConnectionString))

                 {

                     list = conn.Query<JUser>("select * from juser").ToList();

                     //添加超级用户

                     JUser jc = new JUser()

                     {

                         UserName = _options.Value.SuperUserName,

                         UserPass = StringHelper.GetMd5(_options.Value.SuperPassword),

                         SubjectId = "a36005e2-5984-41f5-aa91-8e93b479d88e",

                         Role = "IdServerAdmin"

                     };

                     list.Add(jc);

                 }

                 _memoryCache.Set(CACHENAME, list);

             }

             return list;

         }

         public JUser Find(string username, string userpass)

         {

             var list = GetList();

             return list.SingleOrDefault(p => p.UserName == username && p.UserPass == StringHelper.GetMd5(userpass));

         }

         public JUser GetUserById(string subjectId)

         {

             var list = GetList();

             return list.SingleOrDefault(p => p.SubjectId == subjectId);

         }
 public class MyUserValidator : IResourceOwnerPasswordValidator

     {

         readonly IMyUserStore _myUserStore;

         public MyUserValidator(IMyUserStore myUserStore)

         {

             _myUserStore = myUserStore;

         }

         public Task ValidateAsync(ResourceOwnerPasswordValidationContext context)

         {

             var q = _myUserStore.Find(context.UserName, context.Password);

             if (q != null)

             {

                 //验证成功

                 //使用subject可用于在资源服务器区分用户身份等等

                 //获取:资源服务器通过User.Claims.Where(l => l.Type == "sub").FirstOrDefault();

                 var claims = new List<Claim>();

                 claims.Add(new Claim("role", q.Role));

                 claims.Add(new Claim("userguid", q.SubjectId));

                 context.Result = new GrantValidationResult(subject: $"{q.SubjectId}", authenticationMethod: "custom", claims: claims.AsEnumerable());

             }

             else

             {

                 //验证失败

                 context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "无效的用户凭证");

             }

             return Task.FromResult();

         }

     }

二、客户端:

  /// <summary>

         /// 设置认证客户端

         /// </summary>

         /// <param name="services"></param>

         private void SetIdentityClient(IServiceCollection services)

         {

             var ServerUrl = Configuration.GetSection("AppSetting:ServerUrl").Value;

             var client_id = Configuration.GetSection("AppSetting:SuperClientId").Value;

             var cient_secret = Configuration.GetSection("AppSetting:SuperClientSecret").Value;

             //services.Configure<MvcOptions>(options =>

             //{

             //    // Set LocalTest:skipSSL to true to skip SSL requrement in

             //    // debug mode. This is useful when not using Visual Studio.

             //    options.Filters.Add(new RequireHttpsAttribute());

             //});

             JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

             var idClient = services.AddAuthentication(options =>

             {

                 options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;

                 options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;

             })

             .AddCookie()

             .AddOpenIdConnect(options =>

             {

                 options.SignOutScheme = OpenIdConnectDefaults.AuthenticationScheme;

                 options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; // cookie middle setup above

                 options.Authority = ServerUrl; // 认证服务器

                 options.RequireHttpsMetadata = true; // SSL Https模式

                 options.ClientId = client_id; // 客户端(位于认证服务器)

                 options.ClientSecret = cient_secret;  // 客户端(位于认证服务器)

                 options.ResponseType = "code id_token"; // means Hybrid flow (id + access token)

                 options.GetClaimsFromUserInfoEndpoint = false;

                 options.SaveTokens = true;

                 options.TokenValidationParameters = new TokenValidationParameters

                 {

                     NameClaimType = "name",

                     RoleClaimType = "role"

                 };

                 options.Scope.Clear();

                 options.Scope.Add("openid");

                 options.Scope.Add("profile");

                 options.Scope.Add("IdServerAdmin_API");

                 options.Events = new OpenIdConnectEvents()

                 {

                     OnMessageReceived = (context) =>

                     {

                         return Task.FromResult();

                     },

                     OnUserInformationReceived = (context) =>

                     {

                         return Task.FromResult();

                     },

                     OnRedirectToIdentityProvider = (context) =>

                     {

                         //设置重定向地址,解决生产环境nginx+https访问,还是有问题。。。。。。。

                         context.Properties.RedirectUri = $"{ClientUrl}/signin-oidc";

                         //context.ProtocolMessage.RedirectUri = $"{ClientUrl}/signin-oidc";

                         return Task.FromResult();

                     },

                     OnTokenValidated = (context) =>

                     {

                         //context.Properties.RedirectUri = $"{ClientUrl}/signin-oidc";

                         return Task.FromResult();

                     },

                 };

             });

         }

IdentityServer4-HybridAndClientCredentials的更多相关文章

  1. IdentityServer4 简单使用,包括api访问控制,openid的授权登录,js访问

    写在前面 先分享一首数摇:http://music.163.com/m/song?id=36089751&userid=52749763 其次是:对于identityServer理解并不是特别 ...

  2. IdentityServer4 实现 OpenID Connect 和 OAuth 2.0

    关于 OAuth 2.0 的相关内容,点击查看:ASP.NET WebApi OWIN 实现 OAuth 2.0 OpenID 是一个去中心化的网上身份认证系统.对于支持 OpenID 的网站,用户不 ...

  3. 【ASP.NET Core分布式项目实战】(三)整理IdentityServer4 MVC授权、Consent功能实现

    本博客根据http://video.jessetalk.cn/my/course/5视频整理(内容可能会有部分,推荐看源视频学习) 前言 由于之前的博客都是基于其他的博客进行开发,现在重新整理一下方便 ...

  4. 使用 IdentityServer4 实现 OAuth 2.0 与 OpenID Connect 服务

    IdentityServer4 是 ASP.NET Core 的一个包含 OIDC 和 OAuth 2.0 协议的框架.最近的关注点在 ABP 上,默认 ABP 也集成 IdentityServer4 ...

  5. IdentityServer4 中文文档 -14- (快速入门)使用 ASP.NET Core Identity

    IdentityServer4 中文文档 -14- (快速入门)使用 ASP.NET Core Identity 原文:http://docs.identityserver.io/en/release ...

  6. IdentityServer4 中文文档 -13- (快速入门)切换到混合流并添加 API 访问

    IdentityServer4 中文文档 -13- (快速入门)切换到混合流并添加 API 访问 原文:http://docs.identityserver.io/en/release/quickst ...

  7. IdentityServer4【QuickStart】之使用asp.net core Identity

    使用asp.net core Identity IdentityServer灵活的设计中有一部分是可以将你的用户和他们的数据保存到数据库中的.如果你以一个新的用户数据库开始,那么,asp.net co ...

  8. webapi core2.1 IdentityServer4.EntityFramework Core进行配置和操作数据

    https://identityserver4.readthedocs.io/en/release/quickstarts/8_entity_framework.html 此连接的实践 vscode ...

  9. IdentityServer4 Hybrid 模式

    原文参考:Switching to Hybrid Flow and adding API Access back 接上篇:IdentityServer-Protecting an API using ...

  10. IdentityServer4中文文档

    欢迎IdentityServer4 IdentityServer4是ASP.NET Core 2的OpenID Connect和OAuth 2.0框架. 它在您的应用程序中启用以下功能: 认证即服务 ...

随机推荐

  1. Linux思维导图之用户、组和权限

    安全3A: Authenticanion认证:验证用户身份; 授权授权;依据身份进行不同权利的分配.Acouting | 劲舞团审计:监督工作. user:id -u 令牌:(护符)ID号 .Linu ...

  2. 3. IDEA 的样式设置和快捷键设置

    一.样式设置 首先打开IDEA之后,点击任务栏的“File”→Settings 二.设置快捷键 1.首先打开IDEA之后,点击任务栏的“File”. 2.在下拉列表中中选择“Settings” 3.在 ...

  3. java获取文件的父目录

    File file = new File("a.txt"); String parentPath = file.getParent(); // null File parentDi ...

  4. Spring Cloud-hystrix Dashboard(八)

    单机模式 1.创建一个dashboard项目 2.引入依赖 <!--histrix依赖--> <dependency> <groupId>org.springfra ...

  5. 洛谷 P1129 BZOJ 1059 cogs 660 [ZJOI2007]矩阵游戏

    题目描述 小Q是一个非常聪明的孩子,除了国际象棋,他还很喜欢玩一个电脑益智游戏――矩阵游戏.矩阵游戏在一个N*N黑白方阵进行(如同国际象棋一般,只是颜色是随意的).每次可以对该矩阵进行两种操作: 行交 ...

  6. 善用性能工具进行SQL整体优化

    SQL优化是一个复杂的工程,首先要讲究从整体到局部.今天我们首先学习关于数据库整体优化都有哪些性能工具,接着分析这些工具的特点,并结合案例进行探索,最后再进行总结和思考. 总体学习思路如下图所示: 都 ...

  7. [bzoj3505][CQOI2014]数三角形_组合数学

    数三角形 bzoj-3505 CQOI-2014 题目大意:给你一个n*m的网格图,问你从中选取三个点,能构成三角形的个数. 注释:$1\le n,m\le 1000$. 想法:本来是想着等中考完了之 ...

  8. 1016. Phone Bills (25)——PAT (Advanced Level) Practise

    题目信息: 1016. Phone Bills (25) 时间限制 400 ms 内存限制 32000 kB 代码长度限制 16000 B 判题程序 Standard 作者 CHEN, Yue A l ...

  9. 微信企业号回调模式配置解说 Java Servlet+Struts2版本号 echostr校验失败解决

    微信企业号回调模式配置解说 Java Servlet+Struts2版本号 echostr校验失败解决 echostr校验失败,请您检查是否正确解密并输出明文echostr 异常java.securi ...

  10. java,wavToMP3格式转换

    这里须要用到一个jar包:jave-1.0.1.jar,下载地址的话自己百度吧. 废话不多说直接贴代码: import it.sauronsoftware.jave.AudioAttributes; ...