我希望我的身份认证服务器 Identity Server 4 可以为某些注册客户端提供额外的服务(例如
我考虑为该服务定义一个 API(例如名为 "myAdditionalService"),以便根据配置向客户授予对此类服务的访问权限。但是,我不确定如何限制访问端点(MVC - Action 方法),仅允许允许使用API的客户端(可能代表用户)访问。
我发现可以使用以下方法:
但是我在日志中看到了这个:
"MyAdditionalService"
)。这项服务将通过在服务器上定义的自定义端点由他们使用。我考虑为该服务定义一个 API(例如名为 "myAdditionalService"),以便根据配置向客户授予对此类服务的访问权限。但是,我不确定如何限制访问端点(MVC - Action 方法),仅允许允许使用API的客户端(可能代表用户)访问。
我发现可以使用以下方法:
services.AddAuthorization(options =>
{
options.AddPolicy("MyAdditionalServicePolicy",
policy => policy.RequireClaim("scope",
"myAdditionalService"));
});
您需要使用属性[Authorize("MyAdditionalServicePolicy")]
来装饰用于访问此类服务的动作方法。但是,我不知道服务器是否可以同时充当API,甚至是否可能。
如何实现这一点?令人困惑的是,令牌服务也扮演着API的角色,因为它保护了对动作方法或端点的访问。
谢谢。
更新:
我的Web应用程序是IdentityServerWithAspNetIdentity,已经使用了Asp.net core Identity的身份验证机制。为了举例说明,我的Web应用程序提供给某些注册客户的附加服务是用户的Twitter好友列表(建模在名为Twitter的控制器上,动作名为ImportFriends),因此API被称为“TwitterFriends”。
根据下面的响应建议,我修改了Configure()
方法,使其具有app.UseJwtBearerAuthentication()
。我已经像下面显示的那样使用了app.UseIdentity()
和app.UseIdentityServer()
:
app.UseIdentity();
app.UseIdentityServer();
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
AuthenticationScheme = "Bearer",
Authority = Configuration["BaseUrl"],
Audience = "TwitterFriends",
RequireHttpsMetadata = false //TODO: make true, it is false for development only
});
// Add external authentication middleware below. To configure them please see http://go.microsoft.com/fwlink/?LinkID=532715
app.UseGoogleAuthentication(new GoogleOptions
{
AuthenticationScheme = "Google",
SignInScheme = "Identity.External", // this is the name of the cookie middleware registered by UseIdentity()
而在专用控制器上:
[Authorize(ActiveAuthenticationSchemes = "Identity.Application,Bearer")]
//[Authorize(ActiveAuthenticationSchemes = "Identity.Application")]
//[Authorize(ActiveAuthenticationSchemes = "Bearer")]
[SecurityHeaders]
public class TwitterController : Controller
{...
但是我在日志中看到了这个:
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware
[7]
Identity.Application was not authenticated. Failure message: Unprotect tic
ket failed
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed for user: (null).
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1]
Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.A
uthorization.AuthorizeFilter'.
info: Microsoft.AspNetCore.Mvc.ChallengeResult[1]
Executing ChallengeResult with authentication schemes (Identity.Applicatio
n, Bearer).
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware
[12]
AuthenticationScheme: Identity.Application was challenged.
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[12]
AuthenticationScheme: Bearer was challenged.
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
Executed action IdentityServerWithAspNetIdentity.Controllers.TwitterContro
ller.ImportFriends (IdentityServerWithAspNetIdentity) in 86.255ms
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 105.2844ms 401
我尝试了不同的属性组合,但在这种情况下,Identity.Application和Bearer似乎无法共存:会收到401错误。
非常感谢任何帮助。