• .net core使用Ocelot+Identity Server统一网关验证


    源码下载地址:下载

    项目结构如下图:

    在Identity Server授权中,实现IResourceOwnerPasswordValidator接口:

    public class IdentityValidator : IResourceOwnerPasswordValidator
        {
            private readonly UserManager<ApplicationUser> _userManager;
            private readonly IHttpContextAccessor _httpContextAccessor;
            public IdentityValidator(
                UserManager<ApplicationUser> userManager,
                IHttpContextAccessor httpContextAccessor)
            {
                _userManager = userManager;
                _httpContextAccessor = httpContextAccessor;
            }
    
            public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
            {
                string userName = context.UserName;
                string password = context.Password;            
    
                var user = await _userManager.FindByNameAsync(userName);
                if (user == null)
                {
                    context.Result = new GrantValidationResult(TokenRequestErrors.InvalidClient, "用户不存在!");                
                    return;
                }
    
                var checkResult = await _userManager.CheckPasswordAsync(user, password);
                if (checkResult)
                {
                    context.Result = new GrantValidationResult(
                             subject: user.Id,
                             authenticationMethod: "custom",
                             claims: _httpContextAccessor.HttpContext.User.Claims);
                }
                else
                {
                    context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "无效的客户身份!");
                }
            }
        }

    单页面应用中,使用implicit的授权模式,需添加oidc-client.js,调用API的关键代码:

    var config = {
        authority: "http://localhost:5000/",
        client_id: "JsClient",
        redirect_uri: "http://localhost:5500/callback.html",
        response_type: "id_token token",
        scope:"openid profile UserApi",
        post_logout_redirect_uri: "http://localhost:5500/index.html",
    };
    var mgr = new Oidc.UserManager(config);
    
    mgr.getUser().then(function (user) {
        if (user) {
            log("User logged in", user.profile);
        }
        else {
            log("User not logged in");
        }
    });
    
    function login() {
        mgr.signinRedirect();
    }
    
    //api调用之前需登录
    function api() {
        mgr.getUser().then(function (user) {
            if (user == null || user == undefined) {
                login();
            }
            var url = "http://localhost:9000/api/Values";
    
            var xhr = new XMLHttpRequest();
            xhr.open("GET", url);
            xhr.onload = function () {
                log(xhr.status, JSON.parse(xhr.responseText));
                alert(xhr.responseText);
            }
            xhr.setRequestHeader("Authorization", "Bearer " + user.access_token);
            xhr.setRequestHeader("sub", user.profile.sub);//这里拿到的是用户ID,传给API端进行角色权限验证
            xhr.send();
        });
    }
    
    function logout() {
        mgr.signoutRedirect();
    }

    统一网关通过Ocelot实现,添加Ocelot.json文件,并修改Program.cs文件:

            public static IWebHost BuildWebHost(string[] args) =>
                WebHost.CreateDefaultBuilder(args)
                    .ConfigureAppConfiguration((hostingContext, builder) => {
                        builder
                        .SetBasePath(hostingContext.HostingEnvironment.ContentRootPath)
                        .AddJsonFile("Ocelot.json");
                    })
                    .UseUrls("http://+:9000")
                    .UseStartup<Startup>()
                    .Build();

    StartUp.cs文件修改如下:

            public void ConfigureServices(IServiceCollection services)
            {
                services.AddOcelot();
    
                var authenticationProviderKey = "qka_api";
                services.AddAuthentication("Bearer")
                    .AddIdentityServerAuthentication(authenticationProviderKey, options =>
                    {
                        options.Authority = "http://localhost:5000";
                        options.RequireHttpsMetadata = false;
                        options.ApiName = "UserApi";
                    });
    
                services.AddCors(options =>
                {
                    options.AddPolicy("default", policy =>
                    {
                        policy.AllowAnyOrigin()
                                .AllowAnyMethod()
                                .AllowAnyHeader()
                                .AllowCredentials();
                    });
                });
            }
    
            public void Configure(IApplicationBuilder app, IHostingEnvironment env)
            {
                app.UseCors("default");
                app.UseOcelot().Wait();
            }

    Ocelot.js配置文件如下:

    {
      "ReRoutes": [
        {
          "DownstreamPathTemplate": "/{url}",
          "DownstreamScheme": "http",
          "ServiceName": "userapi", //consul中的userapi的service名称
          "LoadBalancer": "RoundRobin", //负载均衡算法
          "UseServiceDiscovery": true, //启用服务发现
          "UpstreamPathTemplate": "/{url}",
          "UpstreamHttpMethod": [ "GET", "POST", "DELETE", "PUT" ],
          "AuthenticationOptions": {
            "AuthenticationProviderKey": "qka_api",
            "AllowedScopes": []
          }
        },
        {
          "DownstreamPathTemplate": "/{url}",
          "DownstreamScheme": "http",
          "ServiceName": "identityserverapi", //consul中的userapi的service名称
          "LoadBalancer": "RoundRobin", //负载均衡算法
          "UseServiceDiscovery": true, //启用服务发现
          "UpstreamPathTemplate": "/{url}",
          "UpstreamHttpMethod": [ "GET", "POST", "DELETE", "PUT" ],
        }
      ],
      "GlobalConfiguration": {
        "BaseUrl": "http://localhost:9000",
        "ServiceDiscoveryProvider": {
          "Host": "192.168.2.144",//consul的地址
          "Port": 8500//consul的端口
        }
      }
    }

    asp.net core自带的基于角色授权需要像下图那样写死角色的名称,当角色权限发生变化时,需要修改并重新发布站点,很不方便。

    所以我自定义了一个filter,实现角色授权验证:

    public class UserPermissionFilterAttribute : ActionFilterAttribute
        {
            public override void OnActionExecuting(ActionExecutingContext context)
            {
                if (context.Filters.Any(item => item is IAllowAnonymousFilter))
                {
                    return;
                }
                if (!(context.ActionDescriptor is ControllerActionDescriptor))
                {
                    return;
                }
    
                var attributeList = new List<object>();
                attributeList.AddRange((context.ActionDescriptor as ControllerActionDescriptor).MethodInfo.GetCustomAttributes(true));
                attributeList.AddRange((context.ActionDescriptor as ControllerActionDescriptor).MethodInfo.DeclaringType.GetCustomAttributes(true));
    
                var authorizeAttributes = attributeList.OfType<UserPermissionFilterAttribute>().ToList();
                if (!authorizeAttributes.Any())
                {
                    return;
                }
    
                var sub = context.HttpContext.Request.Headers["sub"];
                string path = context.HttpContext.Request.Path.Value.ToLower();
                string httpMethod = context.HttpContext.Request.Method.ToLower();
    
                /*todo:
                从数据库中根据role获取权限是否具有访问当前path和method的权限,
                因调用频繁,
                可考虑将角色权限缓存到redis中*/
                bool isAuthorized = true;
                if (!isAuthorized)
                {
                    context.Result = new UnauthorizedResult();
                    return;
                }
            }
        }

    在需要授权的Action或Controller上加上该特性即可。

  • 相关阅读:
    SD卡镜像系列文件(uImage、zImage、dtb、rbf、uboot、preloader)如何更新到SD卡
    printk()打印的信息没办法在终端显示,那怎么调试驱动呢?
    【动态规划】ybt1301 大盗阿福
    【广度优先搜索】ybt1250 The Castle
    【数论/递归】P1017 进制转换
    【深度优先搜索/字符串】P1019 单词接龙
    4-18整理
    【数据结构】用结构体实现并查集
    【数据结构】图论基础整理
    【数据结构】二叉树基本内容整理(一)
  • 原文地址:https://www.cnblogs.com/focus-lei/p/9035062.html
Copyright © 2020-2023  润新知