1. A few words before starting
I am a newcomer who has recently been studying IdentityServer4. When I got to the device flow I found almost no relevant articles, so I decided to write up my own device flow demo.
2. Preliminaries
- OAuth 2.0 Device Flow draft specification: https://tools.ietf.org/html/draft-ietf-oauth-device-flow-07#section-3.2
- Device flow use case: some devices have no browser (IoT devices, native apps, etc.), so this demo simulates the device's requests with Postman. [The intermediate user-interaction step still needs a browser.]
- Request http://localhost:6001/.well-known/openid-configuration to obtain the endpoints needed below:

    token_endpoint: "http://localhost:6001/connect/token"
    userinfo_endpoint: "http://localhost:6001/connect/userinfo"
    device_authorization_endpoint: "http://localhost:6001/connect/deviceauthorization"
3. Configure IdentityServer
This is not an introductory tutorial, so I only show the client configuration code.

    // device client
    new Client
    {
        ClientId = "device_id",
        ClientName = "client for device",
        AllowedGrantTypes = GrantTypes.DeviceFlow,
        ClientSecrets = new List<Secret> { new Secret("device_secret".Sha256()) },
        AccessTokenType = AccessTokenType.Jwt,
        AllowedScopes = new List<string> { "openid", "profile", "api1" },
    }
4. Configure the protected resource

    services.AddAuthentication("Bearer")   // register authentication services in DI and make "Bearer" the default scheme
        .AddJwtBearer("Bearer", options =>
        {
            options.Authority = "http://localhost:6001";   // base URL of the authorization server
            options.RequireHttpsMetadata = false;          // local demo only; keep true outside development
            options.Audience = "api1";                     // the API resource this service accepts tokens for (matches the "api1" scope above)
        });

    app.UseAuthentication();   // add the authentication middleware to the pipeline so every request is authenticated

The protected resource controller:

    [Route("identity")]
    [Authorize]
    public class IdentityController : ControllerBase
    {
        [HttpGet]
        public IActionResult Get()
        {
            return new JsonResult(from c in User.Claims select new { c.Type, c.Value });
        }
    }

The protected resource is at: http://localhost:5001/identity
5. Run the project and test
The request format given in the OAuth 2.0 document:
I tested it with Postman and it did not work. I eventually found that the request also needs the client_secret parameter; the request looks like this:
The test returns a device_code. Now we use the device_code to request a token from the token endpoint (http://localhost:6001/connect/token); the response is authorization_pending, because this device_code has not yet been authorized by a user, so it reports that authorization is pending. As the official document says:
So a user-interaction step is now needed: open the address given in verification_url in a browser, log in, and you will be asked whether to grant authorization; choose to authorize. After authorization, the test can request a token from the token endpoint (http://localhost:6001/connect/token), as shown below:
Once we have the token, we can access the protected resource (using the access_token):
We can also use the id_token to access the user's information at the userinfo endpoint:
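The exchange described in steps 5 above, run end to end as an added example (not the post's or IdentityServer4's code): the device calls the device authorization endpoint with its client_id and client_secret, receives a device_code and a short user_code, then polls the token endpoint and gets authorization_pending until the user has entered the user_code in a browser and approved. The server side is an in-memory stand-in that follows draft-ietf-oauth-device-flow-07, including the slow_down answer for a device that polls faster than the advertised interval and expired_token for a code nobody approves in time; time is simulated in integer seconds so the run is deterministic, and the issued access token is a constructed opaque string rather than a JWT. Note that per OpenID Connect the userinfo endpoint is called with the access_token as a bearer token; the id_token is an assertion for the client itself to validate.

```python
"""Device flow walk-through: the device's requests and the server's answers.

Added example, not the original post's or IdentityServer4's code.  The server
is an in-memory stand-in for the deviceauthorization and token endpoints, with
the client_secret check the post found IdentityServer4 to require.  Time is a
simulated integer clock; the access token is a constructed opaque string.
"""
import secrets
import string

CLIENT = {"client_id": "device_id", "client_secret": "device_secret"}  # from the post's client config
POLL_INTERVAL = 5     # minimum seconds between token requests ("interval")
CODE_LIFETIME = 300   # seconds until the device_code expires ("expires_in")


class DeviceFlowServer:
    """Models the deviceauthorization and token endpoints plus the user's browser step."""

    def __init__(self):
        self.pending = {}  # device_code -> state

    def _client_ok(self, client_id, client_secret):
        return (client_id, client_secret) == (CLIENT["client_id"], CLIENT["client_secret"])

    def device_authorization(self, client_id, client_secret, scope, now):
        if not self._client_ok(client_id, client_secret):
            return {"error": "invalid_client"}
        device_code = secrets.token_urlsafe(32)   # long and unguessable; only the device sees it
        user_code = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(8))
        self.pending[device_code] = {"user_code": user_code, "scope": scope, "status": "pending",
                                     "expires_at": now + CODE_LIFETIME, "last_poll": None}
        return {"device_code": device_code, "user_code": user_code,   # user_code is short, typed by a human
                "verification_uri": "http://localhost:6001/device",  # draft-07 name; the post calls it verification_url
                "expires_in": CODE_LIFETIME, "interval": POLL_INTERVAL}

    def user_decides(self, user_code, approve):
        """Browser step: the logged-in user enters user_code and grants or denies."""
        for state in self.pending.values():
            if state["user_code"] == user_code and state["status"] == "pending":
                state["status"] = "approved" if approve else "denied"
                return True
        return False

    def token(self, client_id, client_secret, device_code, now):
        if not self._client_ok(client_id, client_secret):
            return {"error": "invalid_client"}
        state = self.pending.get(device_code)
        if state is None:
            return {"error": "invalid_grant"}
        if now >= state["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if state["last_poll"] is not None and now - state["last_poll"] < POLL_INTERVAL:
            state["last_poll"] = now
            return {"error": "slow_down"}              # device polled faster than the interval
        state["last_poll"] = now
        if state["status"] == "pending":
            return {"error": "authorization_pending"}  # the answer the post saw before the user approved
        del self.pending[device_code]                  # terminal answers consume the device_code
        if state["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": "at-" + secrets.token_urlsafe(16), "token_type": "Bearer",
                "expires_in": 3600, "scope": state["scope"]}


def walk_through(approve=True, user_delay=12, impatient=False):
    """Drive the device side; returns (list of token-endpoint outcomes, final response)."""
    server = DeviceFlowServer()
    cid, sec = CLIENT["client_id"], CLIENT["client_secret"]
    now = 0
    auth = server.device_authorization(cid, sec, "openid profile api1", now)
    outcomes, user_done = [], False
    while True:
        now += 1 if impatient else auth["interval"]
        if not user_done and now >= user_delay:        # user finishes the browser step at user_delay
            server.user_decides(auth["user_code"], approve)
            user_done = True
        resp = server.token(cid, sec, auth["device_code"], now)
        err = resp.get("error")
        outcomes.append(err or "token")
        if err is None or err in ("access_denied", "expired_token"):
            return outcomes, resp
        if err == "slow_down":
            impatient = False                          # back off to the server's interval


if __name__ == "__main__":
    for label, kwargs in [("approved", {}), ("denied", {"approve": False}), ("impatient", {"impatient": True})]:
        outcomes, final = walk_through(**kwargs)
        print(label, "->", outcomes, final)
```

The two codes have different jobs: the device_code is long and never shown to a person, while the user_code is short enough to type but is bound to one pending request and expires with it. A device that ignores the interval gets slow_down, and a code that is never approved stops being accepted after expires_in seconds, which bounds how long an unattended prompt stays live.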
That concludes this brief introduction to the device flow.