你的位置:首页 > ASP.net教程

[ASP.net教程]ASP.NET Core实现OAuth2.0的ResourceOwnerPassword和ClientCredentials模式


前言

开发授权服务框架一般使用OAuth2.0授权框架,而开发Webapi的授权更应该使用OAuth2.0授权标准,OAuth2.0授权框架文档说明参考:https://tools.ietf.org/html/rfc6749

.NET Core开发OAuth2的项目需要使用IdentityServer4(现在还处于RC预发行版本),可参考:https://identityserver4.readthedocs.io/en/dev/

IdentityServer4源码:https://github.com/IdentityServer

如果在.NET中开发OAuth2的项目可使用OWIN,可参考实例源码:https://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server

 

实现ResourceOwnerPassword和client credentials模式:

授权服务器:

Program.cs --> Main方法中:需要调用UseUrls设置IdentityServer4授权服务的IP地址

1       var host = new WebHostBuilder()2         .UseKestrel()3         //IdentityServer4的使用需要配置UseUrls4         .UseUrls("http://localhost:4537")5         .UseContentRoot(Directory.GetCurrentDirectory())6         .UseIISIntegration()7         .UseStartup<Startup>()8         .Build();

 Startup.cs -->ConfigureServices方法中:

 1       //RSA:证书长度2048以上,否则抛异常 2       //配置AccessToken的加密证书 3       var rsa = new RSACryptoServiceProvider(); 4       //从配置文件获取加密证书 5       rsa.ImportCspBlob(Convert.FromBase64String(Configuration["SigningCredential"])); 6       //IdentityServer4授权服务配置 7       services.AddIdentityServer() 8         .AddSigningCredential(new RsaSecurityKey(rsa))  //设置加密证书 9         //.AddTemporarySigningCredential()  //测试的时候可使用临时的证书10         .AddInMemoryScopes(OAuth2Config.GetScopes())11         .AddInMemoryClients(OAuth2Config.GetClients())12         //如果是client credentials模式那么就不需要设置验证User了13         .AddResourceOwnerValidator<MyUserValidator>() //User验证接口14         //.AddInMemoryUsers(OAuth2Config.GetUsers())  //将固定的Users加入到内存中15         ;

Startup.cs --> Configure方法中:

1       //使用IdentityServer4的授权服务2       app.UseIdentityServer();

Client配置

在Startup.cs中通过AddInMemoryClients(OAuth2Config.GetClients())设置到内存中,配置:

 1         new Client 2         { 3           //client_id 4           ClientId = "pwd_client", 5           //AllowedGrantTypes = new string[] { GrantType.ClientCredentials }, //Client Credentials模式 6           AllowedGrantTypes = new string[] { GrantType.ResourceOwnerPassword },  //Resource Owner Password模式 7           //client_secret 8           ClientSecrets = 9           {10             new Secret("pwd_secret".Sha256())11           },12           //scope13           AllowedScopes =14           {15             "api1",16             //如果想带有RefreshToken,那么必须设置:StandardScopes.OfflineAccess17             //如果是Client Credentials模式不支持RefreshToken的,就不需要设置OfflineAccess18             StandardScopes.OfflineAccess.Name,19           },20           //AccessTokenLifetime = 3600, //AccessToken的过期时间, in seconds (defaults to 3600 seconds / 1 hour)21           //AbsoluteRefreshTokenLifetime = 60, //RefreshToken的最大过期时间,in seconds. Defaults to 2592000 seconds / 30 day22           //RefreshTokenUsage = TokenUsage.OneTimeOnly,  //默认状态,RefreshToken只能使用一次,使用一次之后旧的就不能使用了,只能使用新的RefreshToken23           //RefreshTokenUsage = TokenUsage.ReUse,  //可重复使用RefreshToken,RefreshToken,当然过期了就不能使用了24         }

Scope设置

在Startup.cs中通过AddInMemoryScopes(OAuth2Config.GetScopes())设置到内存中,配置:

 1     public static IEnumerable<Scope> GetScopes() 2     { 3       return new List<Scope> 4       { 5         new Scope 6         { 7           Name = "api1", 8           Description = "My API", 9         },10         //如果想带有RefreshToken,那么必须设置:StandardScopes.OfflineAccess11         StandardScopes.OfflineAccess,12       };13     }

账号密码验证

Resource Owner Password模式需要对账号密码进行验证(如果是client credentials模式则不需要对账号密码验证了):

方式一:将Users加入到内存中,IdentityServer4从中获取对账号和密码进行验证:

  .AddInMemoryUsers(OAuth2Config.GetUsers())    

方式二(推荐):实现IResourceOwnerPasswordValidator接口进行验证:

  .AddResourceOwnerValidator<MyUserValidator>() 

IResourceOwnerPasswordValidator的实现:

 1   public class MyUserValidator : IResourceOwnerPasswordValidator 2   { 3     public Task ValidateAsync(ResourceOwnerPasswordValidationContext context) 4     { 5       if (context.UserName == "admin" && context.Password == "123") 6       { 7         //验证成功 8         //使用subject可用于在资源服务器区分用户身份等等 9         //获取:资源服务器通过User.Claims.Where(l => l.Type == "sub").FirstOrDefault();获取10         context.Result = new GrantValidationResult(subject: "admin", authenticationMethod: "custom");11       }12       else13       {14         //验证失败15         context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "invalid custom credential");16       }17       return Task.FromResult(0);18     }19   }

设置加密证书

通过AddSigningCredential方法设置RSA的加密证书(注意:默认是使用临时证书的,就是AddTemporarySigningCredential(),无论如何不应该使用临时证书,因为每次重启授权服务,就会重新生成新的临时证书),RSA加密证书长度要2048以上,否则服务运行会抛异常

Startup.cs -->ConfigureServices方法中的配置:

1       //RSA:证书长度2048以上,否则抛异常2       //配置AccessToken的加密证书3       var rsa = new RSACryptoServiceProvider();4       //从配置文件获取加密证书5       rsa.ImportCspBlob(Convert.FromBase64String(Configuration["SigningCredential"]));6       services.AddIdentityServer()7         .AddSigningCredential(new RsaSecurityKey(rsa))  //设置加密证书

如何生成RSA加密证书(将生成的PrivateKey配置到IdentityServer4中,可以设置到配置文件中):

1       using (RSACryptoServiceProvider provider = new RSACryptoServiceProvider(2048))2       {3         //Console.WriteLine(Convert.ToBase64String(provider.ExportCspBlob(false)));  //PublicKey4         Console.WriteLine(Convert.ToBase64String(provider.ExportCspBlob(true)));  //PrivateKey5       }

 

资源服务器

Program.cs -> Main方法中:

1       var host = new WebHostBuilder()2         .UseKestrel()3         //IdentityServer4的使用需要配置UseUrls4         .UseUrls("http://localhost:4823")5         .UseContentRoot(Directory.GetCurrentDirectory())6         .UseIISIntegration()7         .UseStartup<Startup>()8         .Build();

Startup.cs --> Configure方法中的配置:

      //使用IdentityServer4的资源服务并配置      app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions      {        Authority = "http://localhost:4537/",        ScopeName = "api1",        SaveToken = true,        AdditionalScopes = new string[] { "offline_access" }, //添加额外的scope,offline_access为Refresh Token的获取Scope        RequireHttpsMetadata = false,      });

需要进行授权验证的资源接口(控制器或方法)上设置AuthorizeAttribute:

1   [Authorize]2   [Route("api/[controller]")]3   public class ValuesController : Controller

 

测试

resource owner password模式测试代码:

 1     public static void TestResourceOwnerPassword() 2     { 3       var client = new HttpClientHepler("http://localhost:4537/connect/token"); 4       string accessToken = null, refreshToken = null; 5       //获取AccessToken 6       client.PostAsync(null, 7         "grant_type=" + "password" + 8         "&username=" + "admin" + 9         "&password=" + "123" +10         "&client_id=" + "pwd_client" +11         "&client_secret=" + "pwd_secret" +12         "&scope=" + "api1 offline_access", //scope需要用空格隔开,offline_access为获取RefreshToken13         hd => hd.ContentType = new MediaTypeHeaderValue("application/x-www-form-urlencoded"),14         rtnVal => 15         {16           var jsonVal = JsonConvert.DeserializeObject<dynamic>(rtnVal);17           accessToken = jsonVal.access_token;18           refreshToken = jsonVal.refresh_token;19         },20         fault => Console.WriteLine(fault),21         ex => Console.WriteLine(ex)).Wait();22 23       if (!string.IsNullOrEmpty(refreshToken))24       {25         //使用RefreshToken获取新的AccessToken26         client.PostAsync(null,27           "grant_type=" + "refresh_token" +28           "&client_id=" + "pwd_client" +29           "&client_secret=" + "pwd_secret" +30           "&refresh_token=" + refreshToken,31           hd => hd.ContentType = new MediaTypeHeaderValue("application/x-www-form-urlencoded"),32           rtnVal => Console.WriteLine("refresh之后的结果: \r\n" + rtnVal),33           fault => Console.WriteLine(fault),34           ex => Console.WriteLine(ex)).Wait();35       }36 37       if (!string.IsNullOrEmpty(accessToken))38       {39         //访问资源服务40         client.Url = "http://localhost:4823/api/values";41         client.GetAsync(null,42             hd => hd.Add("Authorization", "Bearer " + accessToken),43             rtnVal => Console.WriteLine("\r\n访问资源服: \r\n" + rtnVal),44             fault => Console.WriteLine(fault),45             ex => Console.WriteLine(ex)).Wait(); 46       }47     }

client credentials模式测试代码:

 1     public static void TestClientCredentials() 2     { 3       var client = new HttpClientHepler("http://localhost:4537/connect/token"); 4       string accessToken = null; 5       //获取AccessToken 6       client.PostAsync(null, 7         "grant_type=" + "client_credentials" + 8         "&client_id=" + "credt_client" + 9         "&client_secret=" + "credt_secret" +10         "&scope=" + "api1", //不要加上offline_access,因为Client Credentials模式不支持RefreshToken的,不然会授权失败11         hd => hd.ContentType = new MediaTypeHeaderValue("application/x-www-form-urlencoded"),12         rtnVal =>13         {14           var jsonVal = JsonConvert.DeserializeObject<dynamic>(rtnVal);15           accessToken = jsonVal.access_token;16         },17         fault => Console.WriteLine(fault),18         ex => Console.WriteLine(ex)).Wait();19 20       if (!string.IsNullOrEmpty(accessToken))21       {22         //访问资源服务23         client.Url = "http://localhost:4823/api/values";24         client.GetAsync(null,25             hd => hd.Add("Authorization", "Bearer " + accessToken),26             rtnVal => Console.WriteLine("访问资源服: \r\n" + rtnVal),27             fault => Console.WriteLine(fault),28             ex => Console.WriteLine(ex)).Wait();29       }30     }

 

注意

1.RefreshToken是存储在内存中的,不像AccessToken通过授权服务器设置的加密证书进行加密的,而是生成一个唯一码存储在授权服务的内存中的,因此授权服务器重启了那么这些RefreshToken就消失了;

2.资源服务器在第一次解析AccessToken的时候会先到授权服务器获取配置数据(例如会访问:http://localhost:4537/.well-known/openid-configuration 获取配置的,http://localhost:4537/.well-known/openid-configuration/jwks 获取jwks)),之后解析AccessToken都会使用第一次获取到的配置数据,因此如果授权服务的配置更改了(加密证书等等修改了),那么应该重启资源服务器使之重新获取新的配置数据;

3.调试IdentityServer4框架的时候应该配置好ILogger,因为授权过程中的访问(例如授权失败等等)信息都会调用ILogger进行日志记录,可使用NLog,例如:

  在Startup.cs --> Configure方法中配置:loggerFactory.AddNLog();//添加NLog

 

源码:http://files.cnblogs.com/files/skig/OAuth2CredentialsAndPassword.zip