我试过搜索,但出人意料地找不到我的问题的答案。
我正在设计一个网络应用程序,这将有一个通过角度的前端接口,与多个下游API。如下所示:
[API - A Client] -> [API - A] -> [API - B]
我正在使用IdentityServer4进行身份验证/授权。一些用户会有一个特定的声明,我们称其为"Foo“,当通过SPA客户端与API A交互时,该声明会正确地从身份验证服务器传递到API A(使用隐式流)。
但是,我不能让该声明从API A传递到API B,它正在使用客户端凭据。根据我的阅读/研究,这似乎是正确的行为,因为它的客户端凭据流。
所以我的问题是,我如何将用户声明("Foo")向下传递到第二层API (API-B)?我需要使用不同的流程吗?API-A是否应该手动将其与请求一起传递给API-B?
这是我第一次使用IdentityServer / OpenID connect / OAuth,我对更改持开放态度。
IdentityServer4配置
public class Config
{
public static IEnumerable<ApiResource> GetApiResources()
{
return new List<ApiResource>
{
new ApiResource("API-B", "API B")
{
UserClaims = { "Foo" }
},
new ApiResource("API-A", "API A")
{
ApiSecrets = {new Secret("Secret") },
UserClaims = { "Foo", },
}
};
}
public static IEnumerable<Client> GetClients()
{
return new List<Client>
{
new Client
{
ClientName = "API-A Client",
ClientId = "API-A_client",
AllowedGrantTypes = GrantTypes.Implicit,
RedirectUris = { "http://localhost:7900/swagger/oauth2-redirect.html" },
PostLogoutRedirectUris = { "http://localhost:7900/" },
RequireConsent = false,
AllowAccessTokensViaBrowser = true,
AllowedScopes = new List<string>(){
"API-A",
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile
}
},
new Client
{
ClientName = "API-A Backend",
ClientId = "API-A_backend",
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets = {new Secret("Secret".Sha256()) },
AllowedScopes = new List<string>()
{
"API-B",
"custom_resource",
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile
},
AlwaysIncludeUserClaimsInIdToken = true,
AlwaysSendClientClaims = true,
}
};
}
public static IEnumerable<IdentityResource> GetIdentityResources()
{
return new List<IdentityResource>
{
new IdentityResources.OpenId(),
new IdentityResources.Profile(),
new IdentityResource("custom_resource", new [] { "Foo" }),
};
}
}
应用编程接口A身份验证配置
services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
.AddIdentityServerAuthentication(options =>
{
options.Authority = "http://localhost:6900";
options.ApiName = "API-A";
options.RequireHttpsMetadata = false; // dev only!
});
services.AddTransient<AccessTokenDelegatingHandler>((service) => new AccessTokenDelegatingHandler(tokenEndpoint: $"http://localhost:6900/connect/token", clientId: "API-A", clientSecret: "Secret", scope: "API-B"));
services.AddHttpClient<ApiBHttpClient>(client =>
{
client.BaseAddress = new Uri(Configuration["ApiBUri"]);
client.DefaultRequestHeaders.Add("Accept", "application/json");
})
.AddHttpMessageHandler<AccessTokenDelegatingHandler>();
应用编程接口B身份验证配置
services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
.AddIdentityServerAuthentication(options =>
{
options.Authority = "http://localhost:6900";
options.ApiName = "API-B"; // required audience of access tokens
options.RequireHttpsMetadata = false; // dev only!
options.ApiSecret = "Secret";
});
上面的结果是API-A通过IdentityClaims正确地访问了"Foo“,而API-B却没有(尽管调用成功了)。
如有任何帮助,我们不胜感激!
发布于 2018-09-11 08:24:28
最后找到了这个GitHub页面,问了同样的问题:https://github.com/IdentityServer/IdentityServer4/issues/1679
这就引出了,关于扩展授权,http://docs.identityserver.io/en/release/topics/extension_grants.html,这是我的确切场景。
https://stackoverflow.com/questions/52252346
复制相似问题