When using Identity Server 4 with the authorization_code flow, how do you hook into the exchange between client and server so that the client credentials are presented to Identity Server as a JWT token?
Here is the solution: in ConfigureServices, the key is to hook into the Identity Server pipeline and supply a callback for the OnAuthorizationCodeReceived event. This event is raised in the pipeline when the authorization code is received from the identity server during the normal exchange between client and server, as described in https://www.ietf.org/rfc/rfc6750.txt . Doing so gives you the chance to create the JWT token and make it available from that point in the pipeline onward.
Configuration on the client
services.AddAuthentication(options =>
...
.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.RemoteAuthenticationTimeout = TimeSpan.FromMinutes(10);
    options.UseTokenLifetime = false;
    // Plain http and RequireHttpsMetadata = false are local-development settings only;
    // in production the authority must be https and RequireHttpsMetadata must be true.
    options.RequireHttpsMetadata = false;
    options.Authority = "http://localhost:44320/";
    // Must be the same client_id that the assertion below carries in iss/sub.
    options.ClientId = "client-id";
    options.ClientSecret = "client-secret";
    options.ResponseType = "code";
    options.GetClaimsFromUserInfoEndpoint = true;
    options.SaveTokens = true;
    // Raised after the authorization code comes back and before it is redeemed;
    // context.TokenEndpointRequest is the pending token request, so the assertion can be attached here.
    options.Events.OnAuthorizationCodeReceived = delegate (AuthorizationCodeReceivedContext context)
    {
        // ClientAssertion and CreateJwtClientAssertionAsymmetric are a helper the answer does not show
        // (not IdentityModel or IdentityServer types); it must return a signed JWT and its assertion type.
        var clientassertion = new ClientAssertion("client-id", "http://localhost:44320/connect/token");
        var assertion = clientassertion.CreateJwtClientAssertionAsymmetric("localhost");
        context.TokenEndpointRequest.ClientAssertion = assertion.ClientAssertion;
        context.TokenEndpointRequest.ClientAssertionType = assertion.ClientAssertionType;
        return Task.CompletedTask;
    };
...
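The `ClientAssertion` / `CreateJwtClientAssertionAsymmetric` helper used above is not shown in the answer. What follows is an added example, not code from the original answer or from IdentityServer4/IdentityModel, of what such a helper has to produce: an RFC 7523 private_key_jwt client assertion signed with the certificate whose public half is registered on the server. The class and method names, and the PFX path and password in the usage comment, are assumptions.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Added example (assumed names): builds the private_key_jwt client assertion that the
// OnAuthorizationCodeReceived callback attaches to the pending token request.
public static class PrivateKeyJwtAssertion
{
    // client_assertion_type value defined by RFC 7523 for JWT assertions.
    public const string JwtBearerAssertionType =
        "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

    public static string Create(string clientId, string tokenEndpoint,
                                X509Certificate2 signingCert, TimeSpan? lifetime = null)
    {
        if (!signingCert.HasPrivateKey)
            throw new ArgumentException("The assertion must be signed with the certificate's private key.",
                                        nameof(signingCert));

        var now = DateTime.UtcNow;
        var claims = new[]
        {
            // sub (and iss below) carry the client_id; the server checks both against the authenticating client.
            new Claim(JwtRegisteredClaimNames.Sub, clientId),
            // jti is unique per assertion so the server can reject replays inside the lifetime window.
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N")),
        };

        var token = new JwtSecurityToken(
            issuer: clientId,
            audience: tokenEndpoint,   // aud must be the token endpoint the assertion is sent to
            claims: claims,
            notBefore: now,
            expires: now.Add(lifetime ?? TimeSpan.FromMinutes(1)),   // one-shot credential: keep exp short
            // X509SigningCredentials signs with RS256 and writes the certificate thumbprint (x5t) into
            // the JWT header, which lets the server pick the matching registered certificate.
            signingCredentials: new X509SigningCredentials(signingCert, SecurityAlgorithms.RsaSha256));

        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Attach the assertion to the pending token request from inside OnAuthorizationCodeReceived.
    public static void AttachTo(OpenIdConnectMessage tokenEndpointRequest, string clientId,
                                string tokenEndpoint, X509Certificate2 signingCert)
    {
        tokenEndpointRequest.ClientAssertion = Create(clientId, tokenEndpoint, signingCert);
        tokenEndpointRequest.ClientAssertionType = JwtBearerAssertionType;
        // The assertion is the credential. Posting client_secret alongside it means the server
        // may authenticate the client on the shared secret instead, so drop it from the request.
        tokenEndpointRequest.ClientSecret = null;
    }
}

// Usage inside the OpenIdConnect options (certificate path and password are assumptions):
//
// var cert = new X509Certificate2("client.pfx", "pfx-password");   // load once at startup, not per request
// options.Events.OnAuthorizationCodeReceived = context =>
// {
//     PrivateKeyJwtAssertion.AttachTo(context.TokenEndpointRequest, "client-id",
//                                     "http://localhost:44320/connect/token", cert);
//     return Task.CompletedTask;
// };
```

The certificate registered on the server (the `X509CertificateBase64` secret) is the public half of `signingCert`; the private key never leaves the client.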
The configuration on the server is as described in the "beyond shared secrets" section of http://docs.identityserver.io/en/release/topics/secrets.html?highlight=beyond . The important point here is to make sure the type and value line up, as in the following example.
var client = new Client
{
    ...
    ClientSecrets =
    {
        new Secret
        {
            // Base64 DER of the client's public certificate; the private key that signs the
            // assertion stays on the client. Type and Value must match for validation to run.
            Type = IdentityServerConstants.SecretTypes.X509CertificateBase64,
            Value = "MIIDATCC..."
        }
    },
    AllowedGrantTypes = GrantTypes.CodeAndClientCredentials,
    AllowedScopes = { "api1", "api2" }
};
Implementation
Implement the interfaces ISecretParser and ISecretValidator, then add the implementations to the DI system in ConfigureServices.
e.g. builder.AddSecretParser<YourSecretParser>() and builder.AddSecretValidator<YourSecretValidator>() (the type arguments are your own implementations).
If the validator is not being invoked, make sure RequireClientSecret is set to true. Do the appropriate work in the parser and validator (return success/failure from the parse).
This approach works for private_key_jwt and client_secret_jwt.
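As an added example of the server-side pieces the Implementation section asks for (written here, not taken from the answer or from IdentityServer4's own secret handling): a parser that pulls the JWT assertion out of the token request form, and a validator that checks it against the client's registered X509CertificateBase64 secrets (signature, iss and sub equal to client_id, aud equal to the token endpoint, exp present, jti not replayed). The class names, the in-memory jti cache and the token endpoint URL passed at registration are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Validation;
using Microsoft.AspNetCore.Http;
using Microsoft.IdentityModel.Tokens;

// Added example (assumed names). Parser: extracts client_assertion from the token endpoint's form body.
public class JwtClientAssertionParser : ISecretParser
{
    public const string JwtBearerAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

    public string AuthenticationMethod => "private_key_jwt";

    public async Task<ParsedSecret> ParseAsync(HttpContext context)
    {
        if (!context.Request.HasFormContentType) return null;
        var form = await context.Request.ReadFormAsync();
        string type = form["client_assertion_type"];
        string assertion = form["client_assertion"];
        if (type != JwtBearerAssertionType || string.IsNullOrWhiteSpace(assertion)) return null;

        // Read (not validate) the JWT only to learn which client claims to be authenticating;
        // every security decision is left to the validator.
        var handler = new JwtSecurityTokenHandler();
        if (!handler.CanReadToken(assertion)) return null;
        var issuer = handler.ReadJwtToken(assertion).Issuer;
        if (string.IsNullOrEmpty(issuer)) return null;

        return new ParsedSecret { Id = issuer, Credential = assertion,
                                  Type = IdentityServerConstants.ParsedSecretTypes.JwtBearer };
    }
}

// Validator: verifies the assertion against the client's registered X509CertificateBase64 secrets.
public class X509ClientAssertionValidator : ISecretValidator
{
    // Assumption: replay protection via an in-memory jti cache (use a shared store when running several instances).
    private static readonly ConcurrentDictionary<string, DateTime> SeenJti = new ConcurrentDictionary<string, DateTime>();
    private readonly string _tokenEndpoint;

    public X509ClientAssertionValidator(string tokenEndpoint) => _tokenEndpoint = tokenEndpoint;

    public Task<SecretValidationResult> ValidateAsync(IEnumerable<Secret> secrets, ParsedSecret parsedSecret)
    {
        var fail = Task.FromResult(new SecretValidationResult { Success = false });
        if (parsedSecret.Type != IdentityServerConstants.ParsedSecretTypes.JwtBearer) return fail;
        if (!(parsedSecret.Credential is string jwt)) return fail;

        // Only certificates registered for this client may verify the signature; Type must match the config above.
        var keys = secrets
            .Where(s => s.Type == IdentityServerConstants.SecretTypes.X509CertificateBase64)
            .Select(s => (SecurityKey)new X509SecurityKey(new X509Certificate2(Convert.FromBase64String(s.Value))))
            .ToList();
        if (keys.Count == 0) return fail;

        var parameters = new TokenValidationParameters
        {
            IssuerSigningKeys = keys,
            ValidateIssuerSigningKey = true,
            RequireSignedTokens = true,
            ValidIssuer = parsedSecret.Id,     // iss must equal client_id
            ValidAudience = _tokenEndpoint,    // aud must be this token endpoint
            RequireExpirationTime = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30)
        };

        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out var validated);
            var token = (JwtSecurityToken)validated;
            // Asymmetric algorithms only: an HMAC alg must never be accepted against a certificate secret.
            var alg = token.Header.Alg ?? "";
            if (!alg.StartsWith("RS") && !alg.StartsWith("PS") && !alg.StartsWith("ES")) return fail;
            // sub must also equal client_id (RFC 7523 section 3).
            if (token.Subject != parsedSecret.Id) return fail;
            // jti must be present and not seen before; entries are purged once their exp has passed.
            if (string.IsNullOrEmpty(token.Id)) return fail;
            var now = DateTime.UtcNow;
            foreach (var stale in SeenJti.Where(e => e.Value < now).ToList()) SeenJti.TryRemove(stale.Key, out _);
            if (!SeenJti.TryAdd(token.Id, token.ValidTo)) return fail;

            return Task.FromResult(new SecretValidationResult { Success = true });
        }
        catch (Exception)   // SecurityTokenException subclasses and ArgumentException for malformed input
        {
            return fail;
        }
    }
}

// Registration in ConfigureServices (the token endpoint URL is an assumption matching the client config above):
// builder.AddSecretParser<JwtClientAssertionParser>();
// builder.Services.AddTransient<ISecretValidator>(_ =>
//     new X509ClientAssertionValidator("http://localhost:44320/connect/token"));
```

The validator is registered through a factory because it takes the expected audience in its constructor; a parameterless implementation could use builder.AddSecretValidator<T>() directly. As the answer notes, the validator only runs when the client has RequireClientSecret set to true.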