IdentityServer4 authorization configuration: an AllowedScopes example

零下一度
Release: 2017-06-24 10:48:34

1. Business scenario

In the IdentityServer4 authorization server configuration, the AllowedScopes of a Client names the specific API site it may call, which is the ApiName that the API service itself configures. Sample code:

// Authorization server configuration
new Client
{
    ClientId = "client_id_1",
    AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
    AllowOfflineAccess = true,
    AccessTokenLifetime = 3600 * 6,          // 6 hours
    SlidingRefreshTokenLifetime = 1296000,   // 15 days
    ClientSecrets = { new Secret("secret".Sha256()) },
    AllowedScopes = { "api_name1" },
}

// API service configuration
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
    Authority = $"http://localhost:5000",
    ApiName = "api_name1",
    RequireHttpsMetadata = false
});
The two api_name1 values above must match. The problem is that the scope configured at the authorization server covers the entire API service. If we have several Client configurations, for example a frontend and a backend, and both need to access api_name1, trouble follows. Take, for example, this interface configuration in the api_name1 service:

[Authorize()]
[Route("api/values")]
[HttpGet]
public IActionResult Get()
{
    return Ok();
}

The Authorize() attribute means the api/values interface can only be called after authorization. If the authorization server is configured with two Clients (frontend and backend) and both of their scopes contain api_name1, there are two possible situations:

1. Both the frontend Client and the backend Client require authorization to access the api/values interface: no problem.

2. The frontend Client should be able to access it without authorization while the backend Client requires authorization: this is a problem, because the api/values interface carries Authorize(), so the frontend Client has no way to reach it.

Put more plainly, how can the API service specify which Client is authorized to access it? For example: [Authorize(ClientId = 'client_id_1')].

2. Solution

There is no [Authorize(ClientId = 'client_id_1')] option, but [Authorize(Roles = 'admin')] can be used instead. The authorization server's ResourceOwnerPasswordValidator is modified as follows:

using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Models;
using IdentityServer4.Validation;

public class ResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
{
    private readonly IUserService _userService;

    public ResourceOwnerPasswordValidator(IUserService userService)
    {
        _userService = userService;
    }

    public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
    {
        var user = await _userService.Login(context.UserName, context.Password);
        if (user != null)
        {
            // Set a different role according to the user object
            var claims = new List<Claim>() { new Claim("role", "admin") };
            context.Result = new GrantValidationResult(user.UserId.ToString(),
                OidcConstants.AuthenticationMethods.Password, claims);
        }
    }
}

The startup configuration of the authorization server is modified as follows:

var builder = services.AddIdentityServer();
builder.AddTemporarySigningCredential()
    //.AddInMemoryIdentityResources(Config.GetIdentityResources())
    .AddInMemoryApiResources(new List<ApiResource>
    {
        // Add the role claim so it is included in access tokens for this API
        new ApiResource("api_name1", "api1") { UserClaims = new List<string> { "role" } },
        new ApiResource("api_name2", "api2") { UserClaims = new List<string> { "role" } }
    })
    .AddInMemoryClients(Config.GetClients());

The API service interface then only needs to be configured as follows:

[Authorize()]
[Route("api/values")]
[HttpGet]
public IActionResult Get()
{
    return Ok();
}

[Authorize(Roles = "admin")]
[Route("api/values2")]
[HttpGet]
public IActionResult Get2()
{
    return Ok();
}

[Authorize(Roles = "admin,normal")]
[Route("api/values3")]
[HttpGet]
public IActionResult Get3()
{
    return Ok();
}
Note that although the api/values interface does not set any specific Roles, it is accessible to every Role.
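As an added example (not the article's code) that goes one step beyond the role-only answer above: IdentityServer4 also places the requesting client's id in every access token as the client_id claim, so the original question ("let the API specify which Client may access") can be answered with an ASP.NET Core authorization policy rather than a custom attribute. The AppUser and IUserService shapes are assumptions, and the role claim still only reaches the token when the ApiResource lists "role" in UserClaims as shown above.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Models;
using IdentityServer4.Validation;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Assumed user model and service: the article never shows IUserService.Login, so these shapes are hypothetical.
public class AppUser { public int UserId; public string[] Roles; }
public interface IUserService { Task<AppUser> Login(string userName, string password); }

// Authorization server side: issue one "role" claim per role the user actually holds.
public class RoleIssuingPasswordValidator : IResourceOwnerPasswordValidator
{
    private readonly IUserService _userService;
    public RoleIssuingPasswordValidator(IUserService userService) { _userService = userService; }

    public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
    {
        var user = await _userService.Login(context.UserName, context.Password);
        if (user == null)
        {   // Fail explicitly with the standard OAuth error instead of leaving Result unset.
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "invalid credentials");
            return;
        }
        // Roles come from the user record, not a hard-coded "admin".
        var claims = user.Roles.Select(r => new Claim(JwtClaimTypes.Role, r)).ToList();
        context.Result = new GrantValidationResult(user.UserId.ToString(),
            OidcConstants.AuthenticationMethods.Password, claims);
    }
}

// API side: IdentityServer4 writes the requesting client's id into every access token as the
// "client_id" claim, so a policy can restrict an endpoint to one Client without a custom attribute.
public static class ApiAuthorization
{
    public static void AddPolicies(IServiceCollection services) =>
        services.AddAuthorization(options =>
        {
            options.AddPolicy("BackendOnly", p => p.RequireClaim(JwtClaimTypes.ClientId, "client_id_1"));
            options.AddPolicy("BackendAdmin", p => p.RequireClaim(JwtClaimTypes.ClientId, "client_id_1").RequireRole("admin"));
        });
}

// Inside the API controller, alongside the article's Get/Get2/Get3 actions:
[Authorize(Policy = "BackendOnly")] [Route("api/values4")] [HttpGet]
public IActionResult Get4() => Ok();
```

Call ApiAuthorization.AddPolicies(services) from the API service's ConfigureServices; a token issued to any other Client, even with the admin role, is then rejected on api/values4 with 403.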
