使用Asp.Net MVC应用程序设置IdentityServer

2018-06-08 23:16:28

我提前道歉，因为我几乎没有安全知识，特别是身份识别服务器。

我正在尝试设置IdentityServer以管理Asp.Net MVC应用程序的安全性。

我在他们的网站上查看教程：使用IdentityServer的Asp.Net MVC

但是，我做的事情略有不同，因为我有一个单独的Identity“Server”部分项目，这导致了2个Startup.cs文件，一个用于应用程序，另一个用于Identity Server

对于该应用程序，Startup.cs文件如下所示

public class Startup
{
     public void Configuration(IAppBuilder app)
     {
         AntiForgeryConfig.UniqueClaimTypeIdentifier = Constants.ClaimTypes.Subject;
         JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
         app.UseCookieAuthentication(new CookieAuthenticationOptions
         {
            AuthenticationType = "Cookies"
         });

         app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
         {
            Authority = "https://localhost:44301/identity",
            ClientId = "baseballStats",
            Scope = "openid profile roles baseballStatsApi",
            RedirectUri = "https://localhost:44300/",
            ResponseType = "id_token token",
            SignInAsAuthenticationType = "Cookies",
            UseTokenLifetime = false,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = async n =>
                {
                    var userInfoClient = new UserInfoClient(
                                 new Uri(n.Options.Authority + "/connect/userinfo"),
                                 n.ProtocolMessage.AccessToken);

                    var userInfo = await userInfoClient.GetAsync();

                    // create new identity and set name and role claim type
                    var nid = new ClaimsIdentity(
                       n.AuthenticationTicket.Identity.AuthenticationType,
                        Constants.ClaimTypes.GivenName,
                        Constants.ClaimTypes.Role);

                    userInfo.Claims.ToList().ForEach(c => nid.AddClaim(new Claim(c.Item1, c.Item2)));

                    // keep the id_token for logout
                    nid.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));

                    // add access token for sample API
                    nid.AddClaim(new Claim("access_token", n.ProtocolMessage.AccessToken));

                    // keep track of access token expiration
                    nid.AddClaim(new Claim("expires_at", DateTimeOffset.Now.AddSeconds(int.Parse(n.ProtocolMessage.ExpiresIn)).ToString()));

                    // add some other app specific claim
                    nid.AddClaim(new Claim("app_specific", "some data"));

                    n.AuthenticationTicket = new AuthenticationTicket(
                        nid,
                        n.AuthenticationTicket.Properties);
                }
            }
         });

         app.UseResourceAuthorization(new AuthorizationManager());

         app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
         {
             Authority = "https://localhost:44301/identity",
             RequiredScopes = new[] { "baseballStatsApi"}
         });

         var config = new HttpConfiguration();
         config.MapHttpAttributeRoutes();
         app.UseWebApi(config);
     }
}

对于身份服务器，startup.cs文件是

 public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.Map("/identity", idsrvApp =>
        {
            idsrvApp.UseIdentityServer(new IdentityServerOptions
            {
                SiteName = "Embedded IdentityServer",
                SigningCertificate = LoadCertificate(),

                Factory = InMemoryFactory.Create(
                    users: Users.Get(),
                    clients: Clients.Get(),
                    scopes: Scopes.Get())
            });
        });
    }

    X509Certificate2 LoadCertificate()
    {
        return new X509Certificate2(
            string.Format(@"{0}binConfigurationidsrv3test.pfx", AppDomain.CurrentDomain.BaseDirectory), "idsrv3test");
    }
}

我也正在设立一个授权管理器

public class AuthorizationManager : ResourceAuthorizationManager
{
    public override Task<bool> CheckAccessAsync(ResourceAuthorizationContext context)
    {
        switch (context.Resource.First().Value)
        {                    
            case "Players":
                return CheckAuthorization(context);
            case "About":
                return CheckAuthorization(context);
            default:
                return Nok();
        }
    }

    private Task<bool> CheckAuthorization(ResourceAuthorizationContext context)
    {
        switch(context.Action.First().Value)
        {
            case "Read":
                return Eval(context.Principal.HasClaim("role", "LevelOneSubscriber"));
            default:
                return Nok();
        }
    }
}

因此，例如，如果我定义了一个用ResourceAuthorize属性装饰的控制器方法，就像这样

 public class HomeController : Controller
{

    [ResourceAuthorize("Read", "About")]
    public ActionResult About()
    {
        return View((User as ClaimsPrincipal).Claims);
    }
}

然后，当我第一次尝试访问此方法时，我将被重定向到默认登录页面。

然而，我不明白的是，为什么当我用我为应用程序定义的用户登录时（见下文），

public class Users
{
    public static List<InMemoryUser> Get()
    {
        return new List<InMemoryUser>
        {
            new InMemoryUser
            {
                Username = "bob",
                Password = "secret",
                Subject = "1",

                Claims = new[]
                {
                    new Claim(Constants.ClaimTypes.GivenName, "Bob"),
                    new Claim(Constants.ClaimTypes.FamilyName, "Smith"),
                    new Claim(Constants.ClaimTypes.Role, "Geek"),
                    new Claim(Constants.ClaimTypes.Role, "LevelOneSubscriber")
                }
            }
        };
    }
}

我得到一个403错误，承载错误=“insufficient_scope”。

任何人都可以解释我做错了什么吗？

任何后续尝试访问操作方法都将返回相同的错误。在我看来，我定义的用户具有能够访问此方法的正确声明。但是，索赔检查只发生一次，当我第一次尝试访问此方法。登录后，我得到一个cookie，并且在后续尝试访问该方法期间不会进行索赔检查。

我有点失落，并希望得到一些帮助清理这个。

提前致谢。

编辑：这里是scoles和客户端类

public static class Scopes
{
    public static IEnumerable<Scope> Get()
    {
        var scopes = new List<Scope>
        {
            new Scope
            {
                Enabled = true,
                Name = "roles",
                Type = ScopeType.Identity,
                Claims = new List<ScopeClaim>
                {
                    new ScopeClaim("role")
                }
            },
            new Scope
            {
                Enabled = true,
                Name = "baseballStatsApi",
                Description = "Access to baseball stats API",
                Type = ScopeType.Resource,
                Claims = new List<ScopeClaim>
                {
                    new ScopeClaim("role")
                }
            }
        };

        scopes.AddRange(StandardScopes.All);

        return scopes;
    }
}

和客户端类

 public static class Clients
{
    public static IEnumerable<Client> Get()
    {
        return new[]
        {
            new Client 
            {
                Enabled = true,
                ClientName = "Baseball Stats Emporium",
                ClientId = "baseballStats",
                Flow = Flows.Implicit,                    

                RedirectUris = new List<string>
                {
                    "https://localhost:44300/"
                }
            },
            new Client
            {
                Enabled = true,
                ClientName = "Baseball Stats API Client",
                ClientId = "baseballStats_Api",
                ClientSecrets = new List<ClientSecret>
                {
                    new ClientSecret("secret".Sha256())
                },
                Flow = Flows.ClientCredentials
            }
        };
    }
}

我还创建了一个自定义筛选器属性，用于确定何时进行索赔检查。

public class CustomFilterAttribute : ResourceAuthorizeAttribute
{
     public CustomFilterAttribute(string action, params string[] resources) : base(action, resources)
    {
    }

    protected override bool CheckAccess(HttpContextBase httpContext, string action, params string[] resources)
    {
        return base.CheckAccess(httpContext, action, resources);
    }
}

该断点仅在对该网址的初始请求中被命中。在随后的请求中，过滤器属性断点未命中，因此不会发生检查。这对我来说很令人惊讶，因为我认为每次请求url都必须进行检查。

您需要在用户登录时请求api所需的作用域Scope = "openid profile roles baseballStatsApi"

                Authority = "https://localhost:44301/identity",

                ClientId = "baseballStats",
                Scope = "openid profile roles baseballStatsApi",
                ResponseType = "id_token token",
                RedirectUri = "https://localhost:44300/",

                SignInAsAuthenticationType = "Cookies",
                UseTokenLifetime = false,

链接地址: http://www.djcxy.com/p/27013.html

上一篇: Setting up IdentityServer wtih Asp.Net MVC Application

下一篇: Aspectj: Pointcut on lambda expression