IdentityServer4 Password Grant Authentication

Original: IdentityServer4 Password Grant Authentication

Authorization server setup

Add users

  Add test users; they can also be loaded from a database.

      

public static List<TestUser> GetTestUser()
        {
            return new List<TestUser>() {
                new TestUser(){
                    SubjectId = "1",
                    Username ="zps",
                    Password = "zps",
                    Claims = new List<Claim>(){
                        new Claim("role","zps"),
                        new Claim("aaa","asdasdsd"),
                    }
                },
                 new TestUser(){
                    SubjectId = "2",
                    Username ="admin",
                    Password = "admin",
                     Claims = new List<Claim>(){
                        new Claim("role","admin")
                    }
                }
            };
        }
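
For the "loaded from a database" case, the sketch below validates the password grant against stored PBKDF2 hashes instead of the plaintext test users. It is an added example, not code from the original post: `StoredUser`, `IUserStore`, `DbPasswordValidator` and the iteration count are assumptions, while `IResourceOwnerPasswordValidator` and `GrantValidationResult` are IdentityServer4 types.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Validation;

// Hypothetical user record and store; back them with your own database access.
public class StoredUser
{
    public string SubjectId { get; set; }
    public string Role { get; set; }
    public byte[] Salt { get; set; }          // random per-user salt
    public byte[] PasswordHash { get; set; }  // PBKDF2-SHA256 output
}

public interface IUserStore
{
    Task<StoredUser> FindByUsernameAsync(string username);
}

public class DbPasswordValidator : IResourceOwnerPasswordValidator
{
    private const int Iterations = 100_000; // assumed work factor; must match enrollment
    private readonly IUserStore _users;

    public DbPasswordValidator(IUserStore users) => _users = users;

    public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
    {
        var user = await _users.FindByUsernameAsync(context.UserName);
        if (user != null && Verify(context.Password, user))
        {
            context.Result = new GrantValidationResult(
                user.SubjectId, "pwd", new List<Claim> { new Claim("role", user.Role) });
            return;
        }
        // One error for unknown user and wrong password, so the response does not reveal which.
        context.Result = new GrantValidationResult(
            TokenRequestErrors.InvalidGrant, "invalid username or password");
    }

    private static bool Verify(string password, StoredUser user)
    {
        using var kdf = new Rfc2898DeriveBytes(password, user.Salt, Iterations, HashAlgorithmName.SHA256);
        var candidate = kdf.GetBytes(user.PasswordHash.Length);
        // Constant-time comparison avoids leaking how many leading bytes matched.
        return CryptographicOperations.FixedTimeEquals(candidate, user.PasswordHash);
    }
}
```

Register it with `.AddResourceOwnerValidator<DbPasswordValidator>()` in place of `.AddTestUsers(...)`, and register an `IUserStore` implementation in the container.
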
Add API resources

   Add the API resource. The API's key (its name) must match the API scope listed on the registered client.

  public static IEnumerable<ApiResource> GetResource()
        {
            return new List<ApiResource>(){
                new ApiResource("api","my api")
            };
        }
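Add clients
  1.    Client credentials mode
  2.    Password mode
  3.    Authorization code mode
  4.    Hybrid mode

    The authorization code mode and the MVC (hybrid) mode can be ignored for now.

         // require consent

               RequireConsent = false,   Pay attention to this property: if it is true, the user is first redirected to the consent page and only then to RedirectUris.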
 
 public static IEnumerable<Client> GetClients()
        {
            return new List<Client>(){
                new Client(){
                    ClientId="client",
                    // client credentials grant
                     AllowedGrantTypes=GrantTypes.ClientCredentials,
                     ClientSecrets={new Secret("secret".Sha256())},
                     AllowedScopes={"api"}
                },
                new Client(){
                    ClientId="pwdClient",
                    // OAuth resource owner password grant
                     AllowedGrantTypes=GrantTypes.ResourceOwnerPassword,
                     ClientSecrets={new Secret("secret".Sha256())},
                     AllowedScopes={"api"}
                },
                new Client
                {
                   ClientId = "mvc",
                   ClientName = "MVC Client",
                   AllowedGrantTypes = GrantTypes.Hybrid,
                   ClientSecrets =
                   {
                       new Secret("secret".Sha256())
                   },
                   // where to redirect to after login
                   RedirectUris = { "http://localhost:5001/signin-oidc" },
                   RequireConsent = false,
                   AllowOfflineAccess = true,
                    // where to redirect to after logout
                    PostLogoutRedirectUris = { "http://localhost:5001/signout-callback-oidc" },

                     AllowedScopes = new List<string>
                  {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                  }
                },
                new Client
                {
                   ClientId = "js",
                    ClientName = "JavaScript Client",
                    AllowedGrantTypes = GrantTypes.Code,
                    RequirePkce = true,
                    RequireClientSecret = false,

                    RedirectUris =           { "http://localhost:5003/callback.html" },
                    PostLogoutRedirectUris = { "http://localhost:5003/index.html" },
                    AllowedCorsOrigins =     { "http://localhost:5003" },
                    RequireConsent = false,
                    AllowedScopes =
                    {
                        IdentityServerConstants.StandardScopes.OpenId,
                        IdentityServerConstants.StandardScopes.Profile,
                        "api"
                    }
                }
            };
        }
Add the resources protected by IdentityServer

    Custom claims can be defined here.

 public static IEnumerable<IdentityResource> GetIdentityResources()
        {
            return new IdentityResource[]
            {
                new IdentityResources.OpenId(),
                new IdentityResources.Profile(),
            };
        }
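Register IdentityServer in the container

  .AddDeveloperSigningCredential() generates the private key and public key needed to issue tokens. In production it must be replaced with a proper signing credential.

     o.UserInteraction.LoginUrl = "/Auth/Login";
     o.UserInteraction.LogoutUrl = "/Auth/Logout";
     o.UserInteraction.ErrorUrl = "/Auth/Error";

These three settings are needed for hybrid mode: the login URL, the logout URL, and the URL shown when authorization fails.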

services.AddIdentityServer(o =>
            {
                o.UserInteraction.LoginUrl = "/Auth/Login";
                o.UserInteraction.LogoutUrl = "/Auth/Logout";
                o.UserInteraction.ErrorUrl = "/Auth/Error";
            })
                    .AddInMemoryIdentityResources(Config.GetIdentityResources())
                    .AddDeveloperSigningCredential()
                    .AddInMemoryClients(Config.GetClients())
                    .AddInMemoryApiResources(Config.GetResource())
                    .AddTestUsers(Config.GetTestUser());
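
One way to replace `.AddDeveloperSigningCredential()` for production is to load an X.509 certificate and pass it to IdentityServer4's `AddSigningCredential`. This is an added example, not code from the original post; the `SigningSetup` class, the `AddProductionSigning` helper and the `Signing:PfxPath` / `Signing:PfxPassword` configuration keys are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class SigningSetup
{
    // Hypothetical helper: call it in the builder chain instead of AddDeveloperSigningCredential().
    public static IIdentityServerBuilder AddProductionSigning(
        this IIdentityServerBuilder builder, IConfiguration config)
    {
        // Assumed configuration keys; keep the PFX password in a secret store, not in source control.
        var cert = new X509Certificate2(config["Signing:PfxPath"], config["Signing:PfxPassword"]);

        // Fail at startup rather than issuing tokens that cannot be signed or validated.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Signing certificate has no private key.");
        if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
            throw new InvalidOperationException("Signing certificate is outside its validity period.");

        return builder.AddSigningCredential(cert);
    }
}
```
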

    In Configure, add the middleware to the ASP.NET Core pipeline:

app.UseIdentityServer();

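Testing with Postman

  1.   grant_type: for the password grant this is password
  2.   username: the user name
  3.   password: the password
  4.   client_id: the client id, matching the ClientId configured on the authorization server
  5.   client_secret: the client secret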
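
The same request sent from code, as an added example that is not part of the original post. It assumes the authorization server listens on `http://localhost:5000` and uses IdentityServer4's `/connect/token` endpoint with the `pwdClient` client and the `zps` test user defined above; `PasswordGrantDemo` and `DecodePayload` are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class PasswordGrantDemo
{
    public static async Task Main()
    {
        // Assumed server address; use HTTPS for anything other than local testing,
        // because the user's password and the client secret travel in the request body.
        using var http = new HttpClient { BaseAddress = new Uri("http://localhost:5000") };

        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "password",
            ["username"] = "zps",
            ["password"] = "zps",
            ["client_id"] = "pwdClient",
            ["client_secret"] = "secret"
        });

        var response = await http.PostAsync("/connect/token", form);
        var body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
        {
            Console.WriteLine($"Token request failed ({(int)response.StatusCode}): {body}");
            return;
        }

        using var json = JsonDocument.Parse(body);
        var token = json.RootElement.GetProperty("access_token").GetString();
        Console.WriteLine(DecodePayload(token));
    }

    // Decodes the JWT payload (middle segment) for inspection only; it does not verify the signature.
    static string DecodePayload(string jwt)
    {
        var seg = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        seg = seg.PadRight(seg.Length + (4 - seg.Length % 4) % 4, '=');
        return Encoding.UTF8.GetString(Convert.FromBase64String(seg));
    }
}
```
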


Reposted from www.cnblogs.com/lonelyxmas/p/10657676.html