OAuth 2.0 默认四种授权模式(GrantType):
授权码模式(
authorization_code
)简化模式(
implicit
)密码模式(
password
)客户端模式(
client_credentials
)
使用 IdentityServer4,我们可以自定义授权模式吗?答案是可以的,比如我们自定义实现一个anonymous
授权模式(匿名访问)。
创建AnonymousGrantValidator
(继承IExtensionGrantValidator
):
public class AnonymousGrantValidator : IExtensionGrantValidator{
private readonly ITokenValidator _validator;
public AnonymousGrantValidator(ITokenValidator validator) {_validator = validator;}
public string GrantType => "anonymous";
public async Task ValidateAsync(ExtensionGrantValidationContext context) { //var userToken = context.Request.Raw.Get("token");//if (string.IsNullOrEmpty(userToken))//{// context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);// return;//}//var result = await _validator.ValidateAccessTokenAsync(userToken);//if (result.IsError)//{// context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);// return;//}// get user's identity//var sub = result.Claims.FirstOrDefault(c => c.Type == "sub").Value;var claims = new List<Claim>() { new Claim("role", GrantType) }; // Claim 用于配置服务站点 [Authorize("anonymous")]context.Result = new GrantValidationResult(GrantType, GrantType, claims);}
}
修改Client
配置:
new Client
{ClientId = "client1",AllowedGrantTypes = GrantTypes.List(GrantTypes.ResourceOwnerPassword.FirstOrDefault(), "anonymous"), //一个 Client 可以配置多个 GrantTypeAllowOfflineAccess = true,AccessTokenLifetime = 3600 * 6, //6小时SlidingRefreshTokenLifetime = 1296000, //15天ClientSecrets ={ new Secret("123".Sha256())},AllowedScopes = new List<string>{ "api2"}
}
DI 增加注入对象:
builder.AddExtensionGrantValidator<AnonymousGrantValidator>();
调用示例代码:
public async Task<TokenResponse> AnonymousAsync(string userToken){ var payload = new{token = userToken}; // create token clientvar client = new TokenClient(disco.TokenEndpoint, "client1", "123"); // send custom grant to token endpoint, return responsereturn await client.RequestCustomGrantAsync("anonymous", "api2", payload);
}
Http 访问示例:
POST /connect/tokengrant_type=anonymous&
scope=api2&
token=...&
client_id=api1.client
client_secret=secret
参考资料:
Extension Grants
相关文章:
IdentityServer4(OAuth2.0服务)折腾笔记
IdentityServer4 实现 OpenID Connect 和 OAuth 2.0
IdentityServer4 使用OpenID Connect添加用户身份验证
IdentityServer4 ASP.NET Core的OpenID Connect OAuth 2.0框架学习保护API
IdentityServer4 指定角色授权(Authorize(Roles="admin"))
IdentityServer4 SigningCredential(RSA 证书加密)
原文地址:http://www.cnblogs.com/xishuai/p/identityserver4-implement-custom-granttype.html
.NET社区新闻,深度好文,微信中搜索dotNET跨平台或扫描二维码关注