Authorization and authentication with Microservices
I have a mobile (native) and a web app (SPA) that talk to backend microservices (developed in Core 2.0) for authentication/authorization and other domain-related functions, which are configured using OpenIddict. Both apps are getting an access token. What I'm struggling with is that all microservices should accept the bearer access token and authenticate/authorize the logged-in user (a central auth-service), with the access token generated in the auth microservice (OpenIddict 2.*). So what changes am I missing in the microservices, where the REST APIs are marked [Authorize]?
Code from Auth Microservice:
public void ConfigureServices(IServiceCollection services)
{
    var connection = Configuration.GetConnectionString("DefaultConnection");

    services.AddDbContext<IdentityDbContext>(options =>
    {
        options.UseSqlServer(connection);
        // Registers the OpenIddict entity sets on this context.
        options.UseOpenIddict();
    });

    services.AddOpenIddict(options =>
    {
        options.AddEntityFrameworkCoreStores<IdentityDbContext>();
        options.AddMvcBinders();
        options.EnableTokenEndpoint("/connect/token");
        // Enable the password and refresh token flows.
        options.AllowPasswordFlow().AllowRefreshTokenFlow();
        options.SetRefreshTokenLifetime(TimeSpan.FromHours(1));
        // Development only: keep the HTTPS requirement enabled in production.
        options.DisableHttpsRequirement();
    });

    services.AddDbContext<AuthDbContext>(options => options.UseSqlServer(connection));
    services.AddScoped<IUserRepository, UserRepository>();

    // Register the OAuth validation handler once and make it the default scheme,
    // so [Authorize] validates the bearer access tokens issued above.
    services.AddAuthentication(options =>
    {
        options.DefaultScheme = OAuthValidationDefaults.AuthenticationScheme;
    }).AddOAuthValidation();

    services.AddAuthorization(options =>
    {
        options.AddPolicy("RequireAdministratorRole", policy => policy.RequireRole("Administrator"));
    });
}
Existing code in Notification Microservice:
public void ConfigureServices(IServiceCollection services)
{
    services.AddDbContext<MastersDbContext>(options =>
        options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));

    // Same validation handler and default scheme as the auth service; the handler can
    // only unprotect tokens whose Data Protection keys it shares with the issuer.
    services.AddAuthentication(options =>
    {
        options.DefaultScheme = OAuthValidationDefaults.AuthenticationScheme;
    }).AddOAuthValidation();

    services.AddAuthorization(options =>
    {
        options.AddPolicy("RequireAdministratorRole", policy => policy.RequireRole("Administrator"));
    });
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    // AllowAnyOrigin() already covers WithOrigins("*"). This accepts requests from every
    // origin, so restrict it to the SPA's origin(s) outside development.
    app.UseCors(builder =>
        builder.AllowAnyOrigin()
               .AllowAnyHeader()
               .AllowAnyMethod());

    //app.UseAntiforgeryToken();

    // The authentication middleware must run before MVC; otherwise [Authorize] actions
    // see an unauthenticated user because no handler has processed the bearer token yet.
    app.UseAuthentication();
    app.UseMvc();
}
Notification Controller:
// POST api/values
[HttpPost]
[Authorize]
// [FromBody] is required in ASP.NET Core 2.0 to bind the JSON payload
// (the [ApiController] convention that implies it arrived in 2.1).
public IActionResult Post([FromBody] Notification notification)
{
    //logic
    return Ok();
}
For tokens to be correctly decrypted by all your micro-services, you need to make sure that the key ring containing the master keys (that are derived by ASP.NET Core Data Protection to create encryption and validation keys) is correctly synchronized. The procedure is described here: https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview.
Here's an example of how it could be done using a shared folder:
public void ConfigureServices(IServiceCollection services)
{
    // Every service that validates tokens must read the same key ring (UNC share shown here).
    services.AddDataProtection()
        .PersistKeysToFileSystem(new DirectoryInfo(@"\\server\share\directory"));
}
You'll also need to configure the two applications to use the same "application discriminator":
public void ConfigureServices(IServiceCollection services)
{
    services.AddDataProtection()
        .PersistKeysToFileSystem(new DirectoryInfo(@"\\server\share\directory"))
        // The application name is the discriminator that isolates key usage per app;
        // it must be identical in the auth service and in every resource service.
        .SetApplicationName("Your application name");
}
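To see why both the shared key ring and the matching application name matter, here is an added example (my code, not part of the question or the answer) that builds three protectors the way three services' ConfigureServices would: two with the same key ring and application name, and one with the same key ring but a different application name. Tokens issued by OpenIddict for the OAuth validation handler are ASP.NET Core Data Protection payloads, so the same rule governs them. It assumes the Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.DependencyInjection packages; the purpose string, application names and temp folder are placeholders.

```csharp
// Added example (not the question's or answer's code); needs Microsoft.AspNetCore.DataProtection + Microsoft.Extensions.DependencyInjection.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public static class KeyRingDemo
{
    // Builds a protector the way a service's ConfigureServices would: shared key ring
    // folder plus the application discriminator. The purpose string is a placeholder;
    // the OAuth validation handler derives its own purposes.
    public static IDataProtector BuildProtector(string keyRingPath, string appName)
    {
        var services = new ServiceCollection();
        services.AddDataProtection()
            .PersistKeysToFileSystem(new DirectoryInfo(keyRingPath))
            // Key files are stored unencrypted unless you also call e.g.
            // ProtectKeysWithCertificate(...); restrict the share's ACL to the service accounts.
            .SetApplicationName(appName);
        var provider = services.BuildServiceProvider().GetRequiredService<IDataProtectionProvider>();
        return provider.CreateProtector("bearer-token-demo");
    }

    public static void Main()
    {
        // Constructed temp folder standing in for \\server\share\directory.
        var keyRing = Path.Combine(Path.GetTempPath(), "keyring-demo-" + Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(keyRing);

        // Auth service issues a token; the first Protect also creates the key file on disk.
        var auth = BuildProtector(keyRing, "MyMicroservices");
        string token = auth.Protect("user=alice;role=Administrator");

        // Notification service with the same key ring and application name can read it.
        var notification = BuildProtector(keyRing, "MyMicroservices");
        Console.WriteLine(notification.Unprotect(token));

        // Same key ring but a different application name: the discriminator is the root
        // of the purpose chain, so the derived keys differ and the MAC check fails.
        var misconfigured = BuildProtector(keyRing, "NotificationService");
        try { misconfigured.Unprotect(token); }
        catch (CryptographicException ex) { Console.WriteLine("Rejected: " + ex.Message); }
    }
}
```

The third protector fails even though it reads the very same key files, which is the symptom you see when the key ring is shared but SetApplicationName differs between services.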