在 IdentityServer4 中创建客户端

创建客户端

在创建了 IdentityServer4 服务器之后，我们可以准备从获取一个访问令牌开始。

1. 客户端凭证式验证流

在 OpenID Connect 中，最为简单的验证方式为客户端凭借方式了。我们从这种方式开始。OpenID Connect 是 OAuth 的扩展，我们找一段阮一峰的博客来进行说明。

第四种方式：凭证式

最后一种方式是凭证式（client credentials），适用于没有前端的命令行应用，即在命令行下请求令牌。

第一步，A 应用在命令行向 B 发出请求。
https://oauth.b.com/token?

  grant_type=client_credentials&

  client_id=CLIENT_ID&

  client_secret=CLIENT_SECRET
上面 URL 中，grant_type参数等于client_credentials表示采用凭证式，client_id和client_secret用来让 B 确认 A 的身份。

第二步，B 网站验证通过以后，直接返回令牌。

这种方式给出的令牌，是针对第三方应用的，而不是针对用户的，即有可能多个用户共享同一个令牌。

原文地址：http://www.ruanyifeng.com/blog/2019/04/oauth-grant-types.html

2. 服务器端实现

实际的服务端点在上一篇中，通过访问端点 http://localhost:5000/.well-known/openid-configuration 就可以得到，从响应的结果中可以找到如下的一行：

 "token_endpoint": "http://localhost:5000/connect/token",

而客户端的标示和密钥则需要我们在服务器端提供。

将上一个项目中的 Config.cs 文件替换为如下内容，代码中硬编码了客户端的标识为 client ，密钥为 secret。

// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.

// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.

using IdentityServer4.Models;

using System.Collections.Generic;

namespace IdentityServer

{

    public static class Config

    {

        public static IEnumerable<IdentityResource> Ids =>

            new IdentityResource[]

            {

                new IdentityResources.OpenId()

            };

        // scopes define the API resources in your system

        public static IEnumerable<ApiResource> Apis =>

            new List<ApiResource>

            {

                new ApiResource("api1", "My API")

            };

        // clients want to access resources (aka scopes)

        public static IEnumerable<Client> Clients =>

            new List<Client>

            {

                new Client

                {

                    ClientId = "client",

                    AllowedGrantTypes = GrantTypes.ClientCredentials,

                    ClientSecrets =

                    {

                        new Secret("secret".Sha256())

                    },

                    AllowedScopes = { "api1" }

                }

            };

    }

}

在这里通过 Apis 这个委托提供了 API 资源，通过 Clients 这个委托提供了客户端的凭据。

在启动应用之后，我们可以访问服务器来获取令牌。

3. 获取访问令牌

这里，我们使用 Postman 来完成。

将请求的发送方式修改为 Post

地址设置为：http://localhost:5000/connect/token

请求的 Body ，在 Body 的设置中，首先选中格式：x-www-form-urlencoded，提供如下三个参数：

KEY	VALUE
grant_type	client_credentials
client_id	Client
client_secret	Secret

点击 Send 按钮，发送请求之后，就应该可以看到如下的响应内容：

{

    "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IklWR2VMQ3h5NFJjcWJnbmUxb1JVN3ciLCJ0eXAiOiJhdCtqd3QifQ.eyJuYmYiOjE1ODU4MTQwNzMsImV4cCI6MTU4NTgxNzY3MywiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwIiwiYXVkIjoiYXBpMSIsImNsaWVudF9pZCI6ImNsaWVudCIsInNjb3BlIjpbImFwaTEiXX0.R5RNGRM6bVvdNIgdXnD-QK5HK-kHA5hcZ-ltn0K3kLZp9R3BGQeg5qfnQXT4sU2CqPGYIatwbZY3bysQ9krkq5BpWzSzwY7EYPybsP3gty0BUK2QXnEwxsT1boN_cM2Hw9ua4nal3IHB4XJJkMj7jo33S8NtQQyJr26_G1WqlOgvlVfUiPYQWiY9OHPgTAIqrU_4aogoxiC84lHWC5Pf6oX6jxLoAWzKkhl-NdH33gW169xdtkPXp51XpbXhxNujBo7LAVOI-_5ztouuYLShOf5bOt1bunHfeNCv1DPl2rBsfFITjkoltQXVrTSZGLEQgNH_ryBqdoTyM-jWP1HN4g",

    "expires_in": 3600,

    "token_type": "Bearer",

    "scope": "api1"

}

4. 实现自定义的存储

这个 Config 中提供的静态属性只是为了方便进行简单的测试，在 IdentityServer4 内部，定义了验证客户端的接口 IClientStore，如下所示：

// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.

// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.

using IdentityServer4.Models;

using System.Threading.Tasks;

namespace IdentityServer4.Stores

{

    /// <summary>

    /// Retrieval of client configuration

    /// </summary>

    public interface IClientStore

    {

        /// <summary>

        /// Finds a client by id

        /// </summary>

        /// <param name="clientId">The client id</param>

        /// <returns>The client</returns>

        Task<Client> FindClientByIdAsync(string clientId);

    }

}

源码地址：https://github.com/IdentityServer/IdentityServer4/blob/master/src/Storage/src/Stores/IClientStore.cs

在 IdentityServer4 的内部，也实现了一个基于内存中集合实现的内存中客户端存储 InMemoryClientStore，代码实现如下：

// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.

// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.

using IdentityServer4.Extensions;

using IdentityServer4.Models;

using System;

using System.Collections.Generic;

using System.Linq;

using System.Threading.Tasks;

namespace IdentityServer4.Stores

{

    /// <summary>

    /// In-memory client store

    /// </summary>

    public class InMemoryClientStore : IClientStore

    {

        private readonly IEnumerable<Client> _clients;

        /// <summary>

        /// Initializes a new instance of the <see cref="InMemoryClientStore"/> class.

        /// </summary>

        /// <param name="clients">The clients.</param>

        public InMemoryClientStore(IEnumerable<Client> clients)

        {

            if (clients.HasDuplicates(m => m.ClientId))

            {

                throw new ArgumentException("Clients must not contain duplicate ids");

            }

            _clients = clients;

        }

        /// <summary>

        /// Finds a client by id

        /// </summary>

        /// <param name="clientId">The client id</param>

        /// <returns>

        /// The client

        /// </returns>

        public Task<Client> FindClientByIdAsync(string clientId)

        {

            var query =

                from client in _clients

                where client.ClientId == clientId

                select client;

            return Task.FromResult(query.SingleOrDefault());

        }

    }

}

源码地址：https://github.com/IdentityServer/IdentityServer4/blob/master/src/IdentityServer4/src/Stores/InMemory/InMemoryClientStore.cs

你看，我们只需要传一个 Client 的可迭代对象就可以构造这样一个 InMemoryClientStore 对象实例。实际上，我们调用的 AddInMemoryClients 这个扩展方法确实就是这么做的：

/// <summary>

/// Adds the in memory clients.

/// </summary>

/// <param name="builder">The builder.</param>

/// <param name="clients">The clients.</param>

/// <returns></returns>

public static IIdentityServerBuilder AddInMemoryClients(this IIdentityServerBuilder builder, IEnumerable<Client> clients)

{

  builder.Services.AddSingleton(clients);

  builder.AddClientStore<InMemoryClientStore>();

  var existingCors = builder.Services.Where(x => x.ServiceType == typeof(ICorsPolicyService)).LastOrDefault();

  if (existingCors != null &&

      existingCors.ImplementationType == typeof(DefaultCorsPolicyService) &&

      existingCors.Lifetime == ServiceLifetime.Transient)

  {

    // if our default is registered, then overwrite with the InMemoryCorsPolicyService

    // otherwise don't overwrite with the InMemoryCorsPolicyService, which uses the custom one registered by the host

    builder.Services.AddTransient<ICorsPolicyService, InMemoryCorsPolicyService>();

  }

  return builder;

}

源码地址：https://github.com/IdentityServer/IdentityServer4/blob/master/src/IdentityServer4/src/Configuration/DependencyInjection/BuilderExtensions/InMemory.cs

这里使用了依赖注入完成 InMemoryClientStore 的构造注入。

好了，我们自己实现一个自定义的客户端凭据存储。比如 CustomClientStore。

在构造函数中，我们构建了内部存储客户端凭据的集合，由于实现了 IClientStore ，在实现的方法中，提供了检索客户端端的实现，其实这个方法完全从 InMemoryClientStore 复制过来的。

using IdentityServer4.Models;

using IdentityServer4.Stores;

using System.Collections.Generic;

using System.Linq;

using System.Threading.Tasks;

namespace IdentityServer

{

    public class CustomClientStore : IClientStore

    {

        private readonly IEnumerable<Client> _clients;

        public CustomClientStore()

        {

            _clients = new List<Client>

            {

                new Client

                {

                    ClientId = "client",

                    AllowedGrantTypes = GrantTypes.ClientCredentials,

                    ClientSecrets =

                    {

                        new Secret("secret".Sha256())

                    },

                    AllowedScopes = { "api1" }

                }

            };

        }

        public Task<Client> FindClientByIdAsync(string clientId)

        {

            var query =

                from client in _clients

                where client.ClientId == clientId

                select client;

            return Task.FromResult(query.SingleOrDefault());

        }

    }

}

在 .NET Core 中，服务是通过依赖注入的方式被使用的，所以，我们需要注册这个服务。回到 Startup.cs 这个文件，将 ConfigureServices() 方法替换为如下内容。

public void ConfigureServices(IServiceCollection services)

{

  // uncomment, if you want to add an MVC-based UI

  //services.AddControllersWithViews();

  services.AddSingleton<IClientStore, CustomClientStore>();

  var builder = services.AddIdentityServer()

    .AddInMemoryIdentityResources(Config.Ids)

    .AddInMemoryApiResources(Config.Apis);

  // not recommended for production - you need to store your key material somewhere secure

  builder.AddDeveloperSigningCredential();

}

主要做了两件事：

删除了原来的 .AddInMemoryClients(Config.Clients);
添加了 services.AddSingleton<IClientStore, CustomClientStore>(); 来注册服务实现

重新运行程序，并使用 Postman 访问，可以重新得到一个新的访问令牌。

控制台输出如下所示：

PS C:\temp\is4\IdentityServer> dotnet run

[02:06:36 Information]

Starting host...

[02:06:37 Information] IdentityServer4.Startup

Starting IdentityServer4 version 3.1.0.0

[02:06:37 Information] IdentityServer4.Startup

You are using the in-memory version of the persisted grant store. This will store consent decisions, authorization codes

, refresh and reference tokens in memory only. If you are using any of those features in production, you want to switch

to a different store implementation.

[02:06:37 Information] IdentityServer4.Startup

Using the default authentication scheme idsrv for IdentityServer

[02:06:37 Debug] IdentityServer4.Startup

Using idsrv as default ASP.NET Core scheme for authentication

[02:06:37 Debug] IdentityServer4.Startup

Using idsrv as default ASP.NET Core scheme for sign-in

[02:06:37 Debug] IdentityServer4.Startup

Using idsrv as default ASP.NET Core scheme for sign-out

[02:06:37 Debug] IdentityServer4.Startup

Using idsrv as default ASP.NET Core scheme for challenge

[02:06:37 Debug] IdentityServer4.Startup

Using idsrv as default ASP.NET Core scheme for forbid

[02:06:59 Debug] IdentityServer4.Startup

Login Url: /Account/Login

[02:06:59 Debug] IdentityServer4.Startup

Login Return Url Parameter: ReturnUrl

[02:06:59 Debug] IdentityServer4.Startup

Logout Url: /Account/Logout

[02:06:59 Debug] IdentityServer4.Startup

ConsentUrl Url: /consent

[02:06:59 Debug] IdentityServer4.Startup

Consent Return Url Parameter: returnUrl

[02:06:59 Debug] IdentityServer4.Startup

Error Url: /home/error

[02:06:59 Debug] IdentityServer4.Startup

Error Id Parameter: errorId

[02:06:59 Debug] IdentityServer4.Hosting.EndpointRouter

Request path /connect/token matched to endpoint type Token

[02:06:59 Debug] IdentityServer4.Hosting.EndpointRouter

Endpoint enabled: Token, successfully created handler: IdentityServer4.Endpoints.TokenEndpoint

[02:06:59 Information] IdentityServer4.Hosting.IdentityServerMiddleware

Invoking IdentityServer endpoint: IdentityServer4.Endpoints.TokenEndpoint for /connect/token

[02:06:59 Debug] IdentityServer4.Endpoints.TokenEndpoint

Start token request.

[02:06:59 Debug] IdentityServer4.Validation.ClientSecretValidator

Start client validation

[02:06:59 Debug] IdentityServer4.Validation.BasicAuthenticationSecretParser

Start parsing Basic Authentication secret

[02:06:59 Debug] IdentityServer4.Validation.PostBodySecretParser

Start parsing for secret in post body

[02:06:59 Debug] IdentityServer4.Validation.SecretParser

Parser found secret: PostBodySecretParser

[02:06:59 Debug] IdentityServer4.Validation.SecretParser

Secret id found: client

[02:06:59 Debug] IdentityServer4.Validation.SecretValidator

Secret validator success: HashedSharedSecretValidator

[02:06:59 Debug] IdentityServer4.Validation.ClientSecretValidator

Client validation success

[02:06:59 Debug] IdentityServer4.Validation.TokenRequestValidator

Start token request validation

[02:06:59 Debug] IdentityServer4.Validation.TokenRequestValidator

Start client credentials token request validation

[02:06:59 Debug] IdentityServer4.Validation.TokenRequestValidator

client credentials token request validation success

[02:06:59 Information] IdentityServer4.Validation.TokenRequestValidator

Token request validation success, {"ClientId": "client", "ClientName": null, "GrantType": "client_credentials", "Scopes"

: "api1", "AuthorizationCode": null, "RefreshToken": null, "UserName": null, "AuthenticationContextReferenceClasses": nu

ll, "Tenant": null, "IdP": null, "Raw": {"grant_type": "client_credentials", "client_id": "client", "client_secret": "**

*REDACTED***"}, "$type": "TokenRequestValidationLog"}

[02:06:59 Debug] IdentityServer4.Services.DefaultClaimsService

Getting claims for access token for client: client

[02:06:59 Debug] IdentityServer4.Endpoints.TokenEndpoint

Token request success.

通过 IdentityServer4 提供的扩展方法 AddClientStore() ，还可以使用 IdentityServer4 来完成服务的注册。

            var builder = services.AddIdentityServer()

                .AddInMemoryIdentityResources(Config.Ids)

                .AddInMemoryApiResources(Config.Apis)

                .AddClientStore<CustomClientStore>();

祝你顺利！