源码下载地址:下载
项目结构如下图:
在Identity Server授权中,实现IResourceOwnerPasswordValidator接口:
public class IdentityValidator : IResourceOwnerPasswordValidator
{
private readonly UserManager<ApplicationUser> _userManager;
private readonly IHttpContextAccessor _httpContextAccessor;
public IdentityValidator(
UserManager<ApplicationUser> userManager,
IHttpContextAccessor httpContextAccessor)
{
_userManager = userManager;
_httpContextAccessor = httpContextAccessor;
} public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
{
string userName = context.UserName;
string password = context.Password; var user = await _userManager.FindByNameAsync(userName);
if (user == null)
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidClient, "用户不存在!");
return;
} var checkResult = await _userManager.CheckPasswordAsync(user, password);
if (checkResult)
{
context.Result = new GrantValidationResult(
subject: user.Id,
authenticationMethod: "custom",
claims: _httpContextAccessor.HttpContext.User.Claims);
}
else
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "无效的客户身份!");
}
}
}
单页面应用中,使用implicit的授权模式,需添加oidc-client.js,调用API的关键代码:
var config = {
authority: "http://localhost:5000/",
client_id: "JsClient",
redirect_uri: "http://localhost:5500/callback.html",
response_type: "id_token token",
scope:"openid profile UserApi",
post_logout_redirect_uri: "http://localhost:5500/index.html",
};
var mgr = new Oidc.UserManager(config); mgr.getUser().then(function (user) {
if (user) {
log("User logged in", user.profile);
}
else {
log("User not logged in");
}
}); function login() {
mgr.signinRedirect();
} //api调用之前需登录
function api() {
mgr.getUser().then(function (user) {
if (user == null || user == undefined) {
login();
}
var url = "http://localhost:9000/api/Values"; var xhr = new XMLHttpRequest();
xhr.open("GET", url);
xhr.onload = function () {
log(xhr.status, JSON.parse(xhr.responseText));
alert(xhr.responseText);
}
xhr.setRequestHeader("Authorization", "Bearer " + user.access_token);
xhr.setRequestHeader("sub", user.profile.sub);//这里拿到的是用户ID,传给API端进行角色权限验证
xhr.send();
});
} function logout() {
mgr.signoutRedirect();
}
统一网关通过Ocelot实现,添加Ocelot.json文件,并修改Program.cs文件:
public static IWebHost BuildWebHost(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.ConfigureAppConfiguration((hostingContext, builder) => {
builder
.SetBasePath(hostingContext.HostingEnvironment.ContentRootPath)
.AddJsonFile("Ocelot.json");
})
.UseUrls("http://+:9000")
.UseStartup<Startup>()
.Build();
StartUp.cs文件修改如下:
public void ConfigureServices(IServiceCollection services)
{
services.AddOcelot(); var authenticationProviderKey = "qka_api";
services.AddAuthentication("Bearer")
.AddIdentityServerAuthentication(authenticationProviderKey, options =>
{
options.Authority = "http://localhost:5000";
options.RequireHttpsMetadata = false;
options.ApiName = "UserApi";
}); services.AddCors(options =>
{
options.AddPolicy("default", policy =>
{
policy.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials();
});
});
} public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
app.UseCors("default");
app.UseOcelot().Wait();
}
Ocelot.js配置文件如下:
{
"ReRoutes": [
{
"DownstreamPathTemplate": "/{url}",
"DownstreamScheme": "http",
"ServiceName": "userapi", //consul中的userapi的service名称
"LoadBalancer": "RoundRobin", //负载均衡算法
"UseServiceDiscovery": true, //启用服务发现
"UpstreamPathTemplate": "/{url}",
"UpstreamHttpMethod": [ "GET", "POST", "DELETE", "PUT" ],
"AuthenticationOptions": {
"AuthenticationProviderKey": "qka_api",
"AllowedScopes": []
}
},
{
"DownstreamPathTemplate": "/{url}",
"DownstreamScheme": "http",
"ServiceName": "identityserverapi", //consul中的userapi的service名称
"LoadBalancer": "RoundRobin", //负载均衡算法
"UseServiceDiscovery": true, //启用服务发现
"UpstreamPathTemplate": "/{url}",
"UpstreamHttpMethod": [ "GET", "POST", "DELETE", "PUT" ],
}
],
"GlobalConfiguration": {
"BaseUrl": "http://localhost:9000",
"ServiceDiscoveryProvider": {
"Host": "192.168.2.144",//consul的地址
"Port": 8500//consul的端口
}
}
}
asp.net core自带的基于角色授权需要像下图那样写死角色的名称,当角色权限发生变化时,需要修改并重新发布站点,很不方便。
所以我自定义了一个filter,实现角色授权验证:
public class UserPermissionFilterAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext context)
{
if (context.Filters.Any(item => item is IAllowAnonymousFilter))
{
return;
}
if (!(context.ActionDescriptor is ControllerActionDescriptor))
{
return;
} var attributeList = new List<object>();
attributeList.AddRange((context.ActionDescriptor as ControllerActionDescriptor).MethodInfo.GetCustomAttributes(true));
attributeList.AddRange((context.ActionDescriptor as ControllerActionDescriptor).MethodInfo.DeclaringType.GetCustomAttributes(true)); var authorizeAttributes = attributeList.OfType<UserPermissionFilterAttribute>().ToList();
if (!authorizeAttributes.Any())
{
return;
} var sub = context.HttpContext.Request.Headers["sub"];
string path = context.HttpContext.Request.Path.Value.ToLower();
string httpMethod = context.HttpContext.Request.Method.ToLower(); /*todo:
从数据库中根据role获取权限是否具有访问当前path和method的权限,
因调用频繁,
可考虑将角色权限缓存到redis中*/
bool isAuthorized = true;
if (!isAuthorized)
{
context.Result = new UnauthorizedResult();
return;
}
}
}
在需要授权的Action或Controller上加上该特性即可。