上一篇已经构建好了例子,接下来将IdentityServer4添加到Ocelot中去实现
配置一个客户端配置,可以构建一个简单的客户端信息,这里我用的混合模式,配置比较多,对于客户端模式而言实际很多都不需要设置
只需要构如下即可
ClientId="liyouming", ClientName="ChinaNetCore", ClientSecrets={new Secret("liyouming".Sha256()) }, AllowedGrantTypes= GrantTypes.ClientCredentials, AccessTokenType= AccessTokenType.Jwt, AllowedScopes={ "openid", "profile", "UserServicesApi" }
对于Ocelot而言你只需要在之前的配置中添加AuthenticationOptions节点参数配置
{ "ReRoutes": [ { "DownstreamPathTemplate": "/api/values/getuser", "DownstreamScheme": "http", "DownstreamHostAndPorts": [ { "Host": "localhost", "Port": 20001 }, { "Host": "localhost", "Port": 20001 } ], "UpstreamPathTemplate": "/test", "UpstreamHttpMethod": [ "Get" ], "LoadBalancer": "LeastConnection", "ServiceName": "userservices", "UseServiceDiscovery": true, "AuthenticationOptions": { "AuthenticationProviderKey": "usergateway", "AllowScopes": [ "UserServicesApi" ] } } ], "GlobalConfiguration": { "BaseUrl": "http://localhost:20000", "ServiceDiscoveryProvider": { "Host": "localhost", "Port": 8500 } } }
"AuthenticationOptions": { "AuthenticationProviderKey": "usergateway", "AllowScopes": [ "UserServicesApi" ] }
AuthenticationProviderKey 其实就是授权的authenticationscheme
allscopes 就是 apiresource中配置的授权访问范围,这里配置的即 ApiName
同时还需要在网关添加授权验证服务,配置好授权地址 ApiName(scope),以及对renefrence or jwt or both 和 secret 如果没有使用https 需要设置RequireHttpsMetadata =false
services.AddAuthentication() .AddIdentityServerAuthentication("usergateway", options => { options.Authority = "http://localhost:30000"; options.ApiName = "UserServicesApi"; options.SupportedTokens = IdentityServer4.AccessTokenValidation.SupportedTokens.Both; options.ApiSecret = "liyouming"; options.RequireHttpsMetadata = false; });
使用PostMan 来测试下功能
不清楚获取Token地址可以访问配置文件查看
http://localhost:30000/.well-known/openid-configuration
{ "issuer": "http://localhost:30000", "jwks_uri": "http://localhost:30000/.well-known/openid-configuration/jwks", "authorization_endpoint": "http://localhost:30000/connect/authorize", "token_endpoint": "http://localhost:30000/connect/token", "userinfo_endpoint": "http://localhost:30000/connect/userinfo", "end_session_endpoint": "http://localhost:30000/connect/endsession", "check_session_iframe": "http://localhost:30000/connect/checksession", "revocation_endpoint": "http://localhost:30000/connect/revocation", "introspection_endpoint": "http://localhost:30000/connect/introspect", "frontchannel_logout_supported": true, "frontchannel_logout_session_supported": true, "backchannel_logout_supported": true, "backchannel_logout_session_supported": true, "scopes_supported": ["openid", "profile", "UserServicesApi", "offline_access"], "claims_supported": [], "grant_types_supported": ["authorization_code", "client_credentials", "refresh_token", "implicit"], "response_types_supported": ["code", "token", "id_token", "id_token token", "code id_token", "code token", "code id_token token"], "response_modes_supported": ["form_post", "query", "fragment"], "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"], "subject_types_supported": ["public"], "id_token_signing_alg_values_supported": ["RS256"], "code_challenge_methods_supported": ["plain", "S256"] }
1、通过 http://localhost:30000/connect/token获取token
客户端模式需要四个参数
client_id
client_secret
grant_type
scope
直接访问test提示401没授权
这里拿到了 access_token,接下来通过access_token访问GateWay中的test
