IdentityServer4之Resource Owner Password Credentials(资源拥有者密码凭据许可)

<!–
.h2cls {
background: #6fa833 none repeat scroll 0 0 !important;
border-radius: 5px !important;
color: #fff;
font-family: “微软雅黑”,”宋体”,”黑体”,Arial;
margin-bottom: 5px;
padding-left: 15px;
text-shadow: 2px 2px 3px #222;
}
h3 {
background-color: #f5f5f5;
border-left: 13px solid #6fa833;
color: #6fa833;
padding: 5px;
margin: 15px auto 2px;
}
p {
margin: 10px auto;
text-indent: 0;
}
code {
background-color: #f5f5f5 !important;
border: 1px solid #ccc !important;
border-radius: 3px !important;
display: inline-block;
font-family: “Courier New”,sans-serif !important;
font-size: 12px !important;
height: 20px;
line-height: 1.8;
margin: 0 5px;
padding: 0 5px !important;
vertical-align: middle;
}
–>

IdentityServer4之Resource Owner Password Credentials(资源拥有者密码凭据许可)

参考

官方文档：2_resource_owner_passwords

概念：资源拥有者密码凭据许可

认证服务端配置

认证服务ApiResource配置

new ApiResource("api1", "api项目 一")
{
    ApiSecrets = { new Secret("api1pwd".Sha256()) }
},

认证服务Client配置

//resource owner password grant client
new Client
{
    ClientId = "ro.client",
    AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
    AccessTokenType = AccessTokenType.Reference,    ClientSecrets =
    {
        new Secret("secret".Sha256())
    },
    AllowedScopes = { "api1" }
},

认证服务Startup配置

public void ConfigureServices(IServiceCollection services)
{
    // configure identity server with in-memory stores, keys, clients and scopes
    services.AddIdentityServer()
        .AddDeveloperSigningCredential()
        .AddInMemoryApiResources(Config.GetApiResources())
        .AddInMemoryClients(Config.GetClients())
        .AddTestUsers(Config.GetUsers());
}

配置完成启动访问http://localhost:5000/.well-known/openid-configuration

资源服务Api配置

资源服务器Startup配置

services.AddMvcCore()
    .AddAuthorization()
    .AddJsonFormatters();services.AddAuthentication("Bearer")
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = "http://localhost:5000";
        options.RequireHttpsMetadata = false;        options.ApiName = "api1";
        options.ApiSecret = "api1pwd";  //对应ApiResources中的密钥
    });

添加接口

[Route("[controller]")]
[Authorize]
public class IdentityController : ControllerBase
{
    [HttpGet]
    public IActionResult Get()
    {
        var info = from c in User.Claims select new { c.Type, c.Value };
        var list = info.ToList();
        list.Add(new { Type = "api1返回", Value = DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss") });
        return new JsonResult(list);
    }
}

Client客户端

（A）资源拥有者提供给客户端它的用户名和密码。
（B）通过包含从资源拥有者处接收到的凭据，客户端从授权服务器的令牌端点请求访问令牌。当发起请求时，客户端与授权服务器进行身份验证。
（C）授权服务器对客户端进行身份验证，验证资源拥有者的凭证，如果有效，颁发访问令牌。

//resource owner password grant client
private void btnROAuth_Click(object sender, EventArgs e)
{
    Task<DiscoveryResponse> discoTask = DiscoveryClient.GetAsync(txtROAuthSer.Text);
    discoTask.Wait();
    var disco = discoTask.Result;
    if (disco.IsError)
    {
        MessageBox.Show(disco.Error, "提示信息", MessageBoxButtons.OK, MessageBoxIcon.Information);
        txtROResult.Text = string.Empty;
        txtAccessToken.Text = string.Empty;
        return;
    }    // request token
    var tokenClient = new TokenClient(disco.TokenEndpoint, txtROClient.Text, txtROSecret.Text);
    Task<TokenResponse> tokenTask = tokenClient.RequestResourceOwnerPasswordAsync(txtROUser.Text, txtROPwd.Text, txtROScopes.Text);
    tokenTask.Wait();
    var tokenResponse = tokenTask.Result;    if (tokenResponse.IsError)
    {
        MessageBox.Show(tokenResponse.Error, "提示信息", MessageBoxButtons.OK, MessageBoxIcon.Information);
        txtROResult.Text = string.Empty;
        txtAccessToken.Text = string.Empty;
        return;
    }    txtROResult.Text = tokenResponse.Json.ToString();
    txtAccessToken.Text = tokenResponse.AccessToken;
}

调用Api

private void btnCallApi_Click(object sender, EventArgs e)
{
    // call api
    var client = new HttpClient();
    client.SetBearerToken(txtAccessToken.Text);    var responseTask = client.GetAsync(txtCCApiUrl.Text);
    responseTask.Wait();
    var response = responseTask.Result;
    if (!response.IsSuccessStatusCode)
    {
        MessageBox.Show(response.StatusCode.ToString(), "提示信息", MessageBoxButtons.OK, MessageBoxIcon.Information);
        txtApiResult.Text = string.Empty;
    }
    else
    {
        var contentTask = response.Content.ReadAsStringAsync();
        contentTask.Wait();
        var content = contentTask.Result;
        txtApiResult.Text = JArray.Parse(content).ToString();
    }
}

获取token过程解析

Jwt形式获取access_token、客户端身份验证两种方式，参考上一篇获取token过程解析。

Reference形式获取access_token

将client的AccessTokenType设置为1

再次获取的access_token不包含Claim信息。

此时获取的access_token(加密后)对应PersistedGrants表中的key

调用Api资源服务过程解析

调用过程与上一篇调用Api资源服务过程解析一样。