一次曲折的单点集成之旅

原有的系统是mvc 4.6的，要加一个简单的单点系统。经简单比较好，决定选用ids3做service。
集成的方法直接看官方的示例即可：https://github.com/IdentityServer/IdentityServer3.Samples

改造涉及到的要点有：

• 使用授权码+PCKE码校验 (有点坑)
• 本地已有用户密码验证
• 定制登录页面，欢迎页面
• nginx反向代理的坑

第1点搜一下，还是能找到资料的。
第2，3点直接看示例代码即可。
第4点真的是一言难尽，以下是详细的跳坑经历。

由于后台服务是部署在IIS上，再通过nginx通过反向代理，配置https证书。
一开始我以为是没办法通过https代理https，所以只是在nignx的启用https。
但这里会有一个很矛盾的地方，整体的站点是https的，但IIS里没有启动用https，直接启用RequireSsl = true会报错。
但如果不设置ssl启用，则客户端登录访问的授权点与验证点不一致，直接报404错误。
嗯……头大。

解决办法：
iis配置好https，使用相同的域名，如果是相同服务器，则使用不同的端口，如1443。
nginx配置https，使用upstream的方式进行反向代理，而不是直接反向代理至服务器端口。
配置如下：
`
upstream portal_server {
server 127.0.0.1:1443;
}

server {
listen 443 ssl;
listen [::]:443 ssl;
server_name xxx.lennon.cn;

# SSL
ssl_certificate        D:/nginx/conf/xxx.lennon.cn.pem;
ssl_certificate_key  D:/nginx/conf/xxx.lennon.cn.key;
include default/ssl.conf;

location / {
    proxy_pass https://test1_server;
    proxy_set_header   Host             $host;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme; #实际的协议 http还 https
    proxy_next_upstream error timeout http_404 http_403;
}
# index.php
index index.html index.htm index.php;

}
`

带pcke的授权码验证方式：
`
using System;
using System.Collections.Generic;
using IdentityModel.Client;
using Microsoft.Owin.Security;
using Owin;
using Qianchen.Application.Organization;
using System.Configuration;
using System.Linq;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Web.Helpers;
using IdentityModel;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using System.Security.Claims;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

namespace Lennon.Application.Auth
{
public static class LennonAuthExtension
{
private static string OIDC_ClientId = ConfigurationManager.AppSettings["oidc:ClientId"];
private static string OIDC_ClientSecret = ConfigurationManager.AppSettings["oidc:ClientSecret"];
private static string OIDC_Authority = ConfigurationManager.AppSettings["oidc:Authority"];
private static string OIDC_RedirectUri = ConfigurationManager.AppSettings["oidc:RedirectUri"];
private static string OIDC_PostLogoutRedirectUri = ConfigurationManager.AppSettings["oidc:PostLogoutRedirectUri"];
private static string OIDC_ResponseType = ConfigurationManager.AppSettings["oidc:ResponseType"];
private static string OIDC_RequireHttpsMeta = ConfigurationManager.AppSettings["oidc:RequireHttpsMeta"];
private static string OIDC_Scope = ConfigurationManager.AppSettings["oidc:Scope"];

    private static string OIDC_RequestTokenUrl = ConfigurationManager.AppSettings["oidc:Authority"] + "/connect/token";
    private static string OIDC_RequestUserinfoUrl = ConfigurationManager.AppSettings["oidc:Authority"] + "/connect/userinfo";
    private static string APPID = ConfigurationManager.AppSettings["APPID"];
    private static IdentityUserBLL identity = new IdentityUserBLL();
    private static UserIBLL userBLL = new UserBLL();

    /// <summary>
    /// 用于保存数据
    /// 只能读取一次，读取即删除
    /// </summary>
    private static Dictionary<string, string> UserAuthenticationDic = new Dictionary<string, string>();
    /// <summary>
    /// 只能读取一次，读取即删除
    /// </summary>
    /// <param name="key"></param>
    /// <returns></returns>
    private static string GetAuthenticationValue(string key)
    {
        if (UserAuthenticationDic.ContainsKey(key))
        {
            var val = UserAuthenticationDic[key];
            UserAuthenticationDic.Remove(key);
            return val;
        }
        else
        {
            return null;
        }
    }

    /// <summary>
    /// 保存登录过程中的key
    /// </summary>
    /// <param name="key"></param>
    /// <param name="value"></param>
    private static void SetAuthenticationValue(string key, string value)
    {
        if (UserAuthenticationDic.ContainsKey(key))
        {
            UserAuthenticationDic.Remove(key);
        }
        UserAuthenticationDic.Add(key, value);
    }
    private static void RememberCodeVerifier(RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n, string codeVerifier)
    {
        var properties = new AuthenticationProperties();
        properties.Dictionary.Add("cv", codeVerifier);

        string key = GetCodeVerifierKey(n.ProtocolMessage.State);
        string value = Convert.ToBase64String(Encoding.UTF8.GetBytes(n.Options.StateDataFormat.Protect(properties)));
        SetAuthenticationValue(key, value);

        n.Options.CookieManager.AppendResponseCookie(
            n.OwinContext,
            key,
            value,
            new CookieOptions
            {
                //SameSite = SameSiteMode.None,
                HttpOnly = true,
                Secure = n.Request.IsSecure,
                Expires = DateTime.UtcNow + n.Options.ProtocolValidator.NonceLifetime
            });
    }

    private static string RetrieveCodeVerifier(AuthorizationCodeReceivedNotification n)
    {
        string key = GetCodeVerifierKey(n.ProtocolMessage.State);
        string codeVerifier = GetAuthenticationValue(key);

        string codeVerifierCookie = n.Options.CookieManager.GetRequestCookie(n.OwinContext, key);
        if (codeVerifierCookie != null)
        {
            var cookieOptions = new CookieOptions
            {
                //SameSite = SameSiteMode.None,
                HttpOnly = true,
                Secure = n.Request.IsSecure
            };

            n.Options.CookieManager.DeleteCookie(n.OwinContext, key, cookieOptions);

            var cookieProperties = n.Options.StateDataFormat.Unprotect(Encoding.UTF8.GetString(Convert.FromBase64String(codeVerifierCookie)));
            cookieProperties.Dictionary.TryGetValue("cv", out codeVerifier);
        }

        return codeVerifier;
    }
    private static string GetCodeVerifierKey(string state)
    {
        using (var hash = SHA256.Create())
        {
            return OpenIdConnectAuthenticationDefaults.CookiePrefix + "cv." + Convert.ToBase64String(hash.ComputeHash(Encoding.UTF8.GetBytes(state)));
        }
    }


    public static void UseGMDIAuthentication(this IAppBuilder app)
    {
        AntiForgeryConfig.UniqueClaimTypeIdentifier = "sub";

        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions()
        {
            AuthenticationType = "Cookies",
        });

        //默认不需要Https
        bool requireHttpMeta;
        if (!bool.TryParse(OIDC_RequireHttpsMeta, out requireHttpMeta))
        {
            requireHttpMeta = false;
        }

        app.UseOpenIdConnectAuthentication(new Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationOptions
        {
            SignInAsAuthenticationType = Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationDefaults.AuthenticationType,
            Authority = OIDC_Authority, // 建议通过配置文件读取            
            ClientId = OIDC_ClientId, // 向单点登录服务注册时分配的客户端 Id
            ClientSecret = OIDC_ClientSecret,
            RedirectUri = OIDC_RedirectUri, // 回调地址
            PostLogoutRedirectUri = OIDC_PostLogoutRedirectUri,
            ResponseType = OIDC_ResponseType,
            Scope = OIDC_Scope, // 根据实际要请求的资源服务API设置，如果不需要请求其它资源服务API则保持不变
            RequireHttpsMetadata = requireHttpMeta,
            UsePkce = true,
            UseTokenLifetime = false,
            //RedeemCode = true,
            //SaveTokens = true,
            Notifications = new Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = async n =>
                {
                    if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
                    {
                        // generate code verifier and code challenge
                        var codeVerifier = CryptoRandom.CreateUniqueId(32);

                        string codeChallenge;
                        using (var sha256 = SHA256.Create())
                        {
                            var challengeBytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(codeVerifier));
                            codeChallenge = Base64Url.Encode(challengeBytes);
                        }

                        // set code_challenge parameter on authorization request
                        n.ProtocolMessage.SetParameter("code_challenge", codeChallenge);
                        n.ProtocolMessage.SetParameter("code_challenge_method", "S256");
                        RememberCodeVerifier(n, codeVerifier);
                    }
                },
                AuthorizationCodeReceived = async context =>
                {

                    var client = new HttpClient();
                    //var disco = await client.GetDiscoveryDocumentAsync(OIDC_Authority);
                    //if (disco.IsError)
                    //    throw new Exception(disco.Error);

                    var codeVerifier = RetrieveCodeVerifier(context);

                    // attach code_verifier on token request
                    //context.TokenEndpointRequest.SetParameter("code_verifier", codeVerifier);

                    var req = new AuthorizationCodeTokenRequest
                    {
                        Address = OIDC_RequestTokenUrl,//disco.TokenEndpoint
                        ClientId = OIDC_ClientId,
                        ClientSecret = OIDC_ClientSecret,
                        Code = context.Code,
                        RedirectUri = OIDC_RedirectUri,
                        // optional PKCE parameter
                        CodeVerifier = codeVerifier
                    };
                    var tokenResponse = await client.RequestAuthorizationCodeTokenAsync(req);
                    if (tokenResponse != null && !tokenResponse.IsError)
                    {
                        var userreq = new UserInfoRequest
                        {
                            Address = OIDC_RequestUserinfoUrl,//disco.UserInfoEndpoint
                            Token = tokenResponse.AccessToken
                        };

                        var userInfoResponse = await client.GetUserInfoAsync(userreq);

                        if (userInfoResponse.IsError)
                            throw new Exception(userInfoResponse.Error);

                        // create a new identity using the claims from the user info endpoint (including tokens)
                        var claims = userInfoResponse.Claims;


                        var account = claims.FirstOrDefault(x => x.Type == "preferred_username");
                        if (account != null)
                        {
                            var loginAccount = account.Value;

                        }

                        var authuser = GetAuthUser(claims);

                        //先检查是否存在，再保存
                        SaveUser(authuser);
                        //然后模拟登录
                        AutoLogin(authuser);

                        #region 使用页面也登录
                        var id = new ClaimsIdentity(OIDC_ResponseType);
                        id.AddClaims(userInfoResponse.Claims);
                        id.AddClaim(new Claim("access_token", tokenResponse.AccessToken));
                        id.AddClaim(new Claim("id_token", tokenResponse.IdentityToken));
                        //id.AddClaim(new Claim("refresh_token", tokenResponse.RefreshToken));
                        id.AddClaim(new Claim("email", authuser.email));
                        id.AddClaim(new Claim("preferred_username", authuser.preferredusername));
                        id.AddClaim(new Claim("sub", authuser.preferredusername));
                        id.AddClaim(new Claim("name", authuser.name));
                        context.AuthenticationTicket = new AuthenticationTicket(new ClaimsIdentity(id.Claims, AuthenticationTypes.Password, "name", "role"),
                            new AuthenticationProperties { IsPersistent = true }); 
                        #endregion
                    }
                },
            }
        });
    }
    private static void AutoLoginQC(AuthUserQCModel authUser)
    {
        if (authUser == null) return;
        //本地模拟登录
    }
    private static void AutoLogin(AuthUserModel authUser)
    {
        if (authUser == null) return;

        OperatorHelper.Instance.AddLoginUser(authUser.sub, APPID, null);
        var userInfo = new UserInfo();
        var loginAccount = authUser.name;
        identity.IdentityLogin(ref userInfo, ref loginAccount);
    }

    public static void SaveUser(AuthUserModel authUser)
    {
    }
    public static AuthUserModel GetAuthUser(IEnumerable<Claim> claims)
    {
        AuthUserModel user = null;
        if (claims != null)
        {
            user = new AuthUserModel();
            user.sub = getClaimsValue(claims, "sub");
            user.name = getClaimsValue(claims, "name");
            user.given_name = getClaimsValue(claims, "given_name");
            user.departmentId = getClaimsValue(claims, "departmentId");
            user.departmentName = getClaimsValue(claims, "departmentName");
            user.email = getClaimsValue(claims, "email");
            user.post = getClaimsValue(claims, "post");
            user.rank = getClaimsValue(claims, "rank");
            user.officeType = getClaimsValue(claims, "officeType");
        }

        return user;
    }
    public static AuthUserQCModel GetQCAuthUser(IEnumerable<Claim> claims)
    {
        AuthUserQCModel user = null;
        if (claims != null)
        {
            user = new AuthUserQCModel();
            user.preferredusername = getClaimsValue(claims, "preferred_username");
            user.name = getClaimsValue(claims, "name");
            user.nickname = getClaimsValue(claims, "nickname");
            user.gender = getClaimsValue(claims, "gender");
            user.phonenumber = getClaimsValue(claims, "phonenumber");
            user.email = getClaimsValue(claims, "email");
        }

        return user;
    }
    public static string getClaimsValue(IEnumerable<Claim> claims, string key)
    {
        if (claims != null && !string.IsNullOrEmpty(key))
        {
            var claim = claims.FirstOrDefault(x => x.Type.Equals(key, StringComparison.OrdinalIgnoreCase));
            if (claim != null)
            {
                return claim.Value;
            }
        }

        return "";
    }
}
public class AuthUserQCModel
{
    /// <summary>
    /// sub
    /// </summary>
    public string preferredusername { get; set; }
    /// <summary>
    /// 工号
    /// </summary>
    public string name { get; set; }
    /// <summary>
    /// 姓名
    /// </summary>
    public string nickname { get; set; }
    /// <summary>
    /// 性别
    /// </summary>
    public string gender { get; set; }

    /// <summary>
    /// 邮箱
    /// </summary>
    public string email { get; set; }
    /// <summary>
    /// 职位
    /// </summary>
    public string phonenumber { get; set; }

}

}

`