3d福利彩票,好牛168,蓝血魔域论坛
情景如下:一个客户端要访问一个api,不需要用户登录,但是又不想直接暴露api给外部使用,这时可以使用identityserver添加访问权限。
客户端通过clientid和secrect访问identitserver的token endpoint,获取accesstoken;
接着客户端再使用accesstoken作为头部验证访问webapi。(webapi已经添加了identityserver的相关验证)。
代码实现:其中 "http://localhost:5000"是identityserver地址,"http://localhost:5001"是api地址
identityserver:在identityserver添加api和客户端,如下所示:定义了一个api1资源,client客户端。client客户端指定为clientcredentials(客户端凭据)模式,并允许其访问api1。
public class config { // scopes define the api resources in your system public static ienumerable<apiresource> getapiresources() { return new list<apiresource> { new apiresource("api1", "my api") }; } // clients want to access resources (aka scopes) public static ienumerable<client> getclients() { // client credentials client return new list<client> { new client { clientid = "client", allowedgranttypes = granttypes.clientcredentials, clientsecrets = { new secret("secret".sha256()) }, allowedscopes = { "api1" } } }; } }
在startup配置identityserver如下:
public class startup { public void configureservices(iservicecollection services) { // configure identity server with in-memory stores, keys, clients and scopes services.addidentityserver() .adddevelopersigningcredential() .addinmemoryapiresources(config.getapiresources()) .addinmemoryclients(config.getclients()); } public void configure(iapplicationbuilder app, ihostingenvironment env) { if (env.isdevelopment()) { app.usedeveloperexceptionpage(); } app.useidentityserver(); } }
webapi:在api添加identityserver的验证,代码如下,其中定义了同样的api名称,"http://localhost:5000"是identityserver的地址。
public class startup { public void configureservices(iservicecollection services) { services.addmvccore() .addauthorization() .addjsonformatters(); services.addauthentication("bearer") .addidentityserverauthentication(options => { options.authority = "http://localhost:5000"; options.requirehttpsmetadata = false; options.apiname = "api1"; }); } public void configure(iapplicationbuilder app) { app.useauthentication(); app.usemvc(); } }
添加一个需要验证的控制器:
[route("[controller]")] [authorize] public class identitycontroller : controllerbase { [httpget] public iactionresult get() { return new jsonresult(from c in user.claims select new { c.type, c.value }); } }
客户端:
这里使用里identitymodel类库
实际请求如下:
1.获取accesstoken:http://localhost:5000/connect/token?client_id=client&client_secret=secret&grant_type=client_credentials&scope=api1
2.请求api1
http://localhost:5001/identity
headers
authorization:accesstoken
public class program { public static void main(string[] args) => mainasync().getawaiter().getresult(); private static async task mainasync() {
//获取identitserver的各个端点地址
var disco = await discoveryclient.getasync("http://localhost:5000"); if (disco.iserror) { console.writeline(disco.error); return; }
//获取具有api1访问权限的accesstoken
var tokenclient = new tokenclient(disco.tokenendpoint, "client", "secret"); var tokenresponse = await tokenclient.requestclientcredentialsasync("api1"); if (tokenresponse.iserror) { console.writeline(tokenresponse.error); return; } console.writeline(tokenresponse.json); console.writeline("\n\n");
//设置accesstoken为http请求头,并访问api1
var client = new httpclient(); client.setbearertoken(tokenresponse.accesstoken); var response = await client.getasync("http://localhost:5001/identity"); if (!response.issuccessstatuscode) { console.writeline(response.statuscode); } else { var content = await response.content.readasstringasync(); console.writeline(jarray.parse(content)); } } }
ps:
1.这里默认的accesstoken为jwt格式,客户端访问api时,api只需要在启动的时候访问identity获取秘钥即可。若为referencetoken,客户端访问api时,api需要授权访问的都会再请求一次identityserver,,而且api必须设置秘钥,client设置accesstokentype属性为reference。
2.可自定义accesstokenlifetime(token存活时间),默认是3600秒,即一小时
如对本文有疑问,请在下面进行留言讨论,广大热心网友会与你互动!! 点击进行留言回复
Net Core Web Api项目与在NginX下发布的方法
asp.net core3.1 引用的元包dll版本兼容性问题解决方案
IdentityServer4实现.Net Core API接口权限认证(快速入门)
ASP.NET Core MVC通过IViewLocationExpander扩展视图搜索路径的实现
网友评论