前言 上一篇【.Net Core微服務入門全紀錄(六)——EventBus-事件匯流排】中使用CAP完成了一個簡單的Eventbus,實現了服務之間的解耦和非同步調用,並且做到數據的最終一致性。這一篇將使用IdentityServer4來搭建一個鑒權中心,來完成授權認證相關的功能。 IdentitySe ...
Tips:本篇已加入系列文章閱讀目錄,可點擊查看更多相關文章。
前言
上一篇【.Net Core微服務入門全紀錄(六)——EventBus-事件匯流排】中使用CAP完成了一個簡單的Eventbus,實現了服務之間的解耦和非同步調用,並且做到數據的最終一致性。這一篇將使用IdentityServer4來搭建一個鑒權中心,來完成授權認證相關的功能。
IdentityServer4官方文檔:https://identityserver4.readthedocs.io/
鑒權中心
創建ids4項目
關於IdentityServer4的基本介紹和模板安裝可以看一下我的另一篇博客【IdentityServer4 4.x版本 配置Scope的正確姿勢】,下麵直接從創建項目開始。
來到我的項目目錄下執行:dotnet new is4inmem --name IDS4.AuthCenter
執行完成後會生成以下文件:
用vs2019打開之前的解決方案,把剛剛創建的ids項目添加進來:
將此項目設為啟動項,先運行看一下效果:
項目正常運行,下麵需要結合我們的業務稍微修改一下預設代碼。
鑒權中心配置
修改Startup的ConfigureServices方法:
// in-memory, code config
builder.AddInMemoryIdentityResources(Config.IdentityResources);
builder.AddInMemoryApiScopes(Config.ApiScopes);
builder.AddInMemoryApiResources(Config.ApiResources);
builder.AddInMemoryClients(Config.Clients);
Config類:
public static class Config
{
public static IEnumerable<IdentityResource> IdentityResources =>
new IdentityResource[]
{
new IdentityResources.OpenId(),
new IdentityResources.Profile(),
};
public static IEnumerable<ApiResource> ApiResources =>
new ApiResource[]
{
new ApiResource("orderApi","訂單服務")
{
ApiSecrets ={ new Secret("orderApi secret".Sha256()) },
Scopes = { "orderApiScope" }
},
new ApiResource("productApi","產品服務")
{
ApiSecrets ={ new Secret("productApi secret".Sha256()) },
Scopes = { "productApiScope" }
}
};
public static IEnumerable<ApiScope> ApiScopes =>
new ApiScope[]
{
new ApiScope("orderApiScope"),
new ApiScope("productApiScope"),
};
public static IEnumerable<Client> Clients =>
new Client[]
{
new Client
{
ClientId = "web client",
ClientName = "Web Client",
AllowedGrantTypes = GrantTypes.Code,
ClientSecrets = { new Secret("web client secret".Sha256()) },
RedirectUris = { "http://localhost:5000/signin-oidc" },
FrontChannelLogoutUri = "http://localhost:5000/signout-oidc",
PostLogoutRedirectUris = { "http://localhost:5000/signout-callback-oidc" },
AllowedScopes = new [] {
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
"orderApiScope", "productApiScope"
},
AllowAccessTokensViaBrowser = true,
RequireConsent = true,//是否顯示同意界面
AllowRememberConsent = false,//是否記住同意選項
}
};
}
Config中定義了2個api資源:orderApi,productApi。2個Scope:orderApiScope,productApiScope。1個客戶端:web client,使用Code授權碼模式,擁有openid,profile,orderApiScope,productApiScope 4個scope。
TestUsers類:
public class TestUsers
{
public static List<TestUser> Users
{
get
{
var address = new
{
street_address = "One Hacker Way",
locality = "Heidelberg",
postal_code = 69118,
country = "Germany"
};
return new List<TestUser>
{
new TestUser
{
SubjectId = "818727",
Username = "alice",
Password = "alice",
Claims =
{
new Claim(JwtClaimTypes.Name, "Alice Smith"),
new Claim(JwtClaimTypes.GivenName, "Alice"),
new Claim(JwtClaimTypes.FamilyName, "Smith"),
new Claim(JwtClaimTypes.Email, "[email protected]"),
new Claim(JwtClaimTypes.EmailVerified, "true", ClaimValueTypes.Boolean),
new Claim(JwtClaimTypes.WebSite, "http://alice.com"),
new Claim(JwtClaimTypes.Address, JsonSerializer.Serialize(address), IdentityServerConstants.ClaimValueTypes.Json)
}
},
new TestUser
{
SubjectId = "88421113",
Username = "bob",
Password = "bob",
Claims =
{
new Claim(JwtClaimTypes.Name, "Bob Smith"),
new Claim(JwtClaimTypes.GivenName, "Bob"),
new Claim(JwtClaimTypes.FamilyName, "Smith"),
new Claim(JwtClaimTypes.Email, "[email protected]"),
new Claim(JwtClaimTypes.EmailVerified, "true", ClaimValueTypes.Boolean),
new Claim(JwtClaimTypes.WebSite, "http://bob.com"),
new Claim(JwtClaimTypes.Address, JsonSerializer.Serialize(address), IdentityServerConstants.ClaimValueTypes.Json)
}
}
};
}
}
}
TestUsers沒有做修改,用項目模板預設生成的就行。這裡定義了2個用戶alice,bob,密碼與用戶名相同。
至此,鑒權中心的代碼修改就差不多了。這個項目也不放docker了,直接用vs來啟動,讓他運行在9080埠。/Properties/launchSettings.json修改一下:"applicationUrl": "http://localhost:9080"
Ocelot集成ids4
Ocelot保護api資源
鑒權中心搭建完成,下麵整合到之前的Ocelot.APIGateway網關項目中。
首先NuGet安裝IdentityServer4.AccessTokenValidation
修改Startup:
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
.AddIdentityServerAuthentication("orderService", options =>
{
options.Authority = "http://localhost:9080";//鑒權中心地址
options.ApiName = "orderApi";
options.SupportedTokens = SupportedTokens.Both;
options.ApiSecret = "orderApi secret";
options.RequireHttpsMetadata = false;
})
.AddIdentityServerAuthentication("productService", options =>
{
options.Authority = "http://localhost:9080";//鑒權中心地址
options.ApiName = "productApi";
options.SupportedTokens = SupportedTokens.Both;
options.ApiSecret = "productApi secret";
options.RequireHttpsMetadata = false;
});
//添加ocelot服務
services.AddOcelot()
//添加consul支持
.AddConsul()
//添加緩存
.AddCacheManager(x =>
{
x.WithDictionaryHandle();
})
//添加Polly
.AddPolly();
}
修改ocelot.json配置文件:
{
"DownstreamPathTemplate": "/products",
"DownstreamScheme": "http",
"UpstreamPathTemplate": "/products",
"UpstreamHttpMethod": [ "Get" ],
"ServiceName": "ProductService",
......
"AuthenticationOptions": {
"AuthenticationProviderKey": "productService",
"AllowScopes": []
}
},
{
"DownstreamPathTemplate": "/orders",
"DownstreamScheme": "http",
"UpstreamPathTemplate": "/orders",
"UpstreamHttpMethod": [ "Get" ],
"ServiceName": "OrderService",
......
"AuthenticationOptions": {
"AuthenticationProviderKey": "orderService",
"AllowScopes": []
}
}
添加了AuthenticationOptions節點,AuthenticationProviderKey對應的是上面Startup中的定義。
Ocelot代理ids4
既然網關是客戶端訪問api的統一入口,那麼同樣可以作為鑒權中心的入口。使用Ocelot來做代理,這樣客戶端也無需知道鑒權中心的地址,同樣修改ocelot.json:
{
"DownstreamPathTemplate": "/{url}",
"DownstreamScheme": "http",
"DownstreamHostAndPorts": [
{
"Host": "localhost",
"Port": 9080
}
],
"UpstreamPathTemplate": "/auth/{url}",
"UpstreamHttpMethod": [
"Get",
"Post"
],
"LoadBalancerOptions": {
"Type": "RoundRobin"
}
}
添加一個鑒權中心的路由,實際中鑒權中心也可以部署多個實例,也可以集成Consul服務發現,實現方式跟前面章節講的差不多,這裡就不再贅述。
讓網關服務運行在9070埠,/Properties/launchSettings.json修改一下:"applicationUrl": "http://localhost:9070"
客戶端集成
首先NuGet安裝Microsoft.AspNetCore.Authentication.OpenIdConnect
修改Startup:
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(options =>
{
options.DefaultScheme = "Cookies";
options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies")
.AddOpenIdConnect("oidc", options =>
{
options.Authority = "http://localhost:9070/auth";//通過網關訪問鑒權中心
//options.Authority = "http://localhost:9080";
options.ClientId = "web client";
options.ClientSecret = "web client secret";
options.ResponseType = "code";
options.RequireHttpsMetadata = false;
options.SaveTokens = true;
options.Scope.Add("orderApiScope");
options.Scope.Add("productApiScope");
});
services.AddControllersWithViews();
//註入IServiceHelper
//services.AddSingleton<IServiceHelper, ServiceHelper>();
//註入IServiceHelper
services.AddSingleton<IServiceHelper, GatewayServiceHelper>();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IServiceHelper serviceHelper)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
}
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
});
//程式啟動時 獲取服務列表
//serviceHelper.GetServices();
}
修改/Helper/IServiceHelper,方法定義增加accessToken參數:
/// <summary>
/// 獲取產品數據
/// </summary>
/// <param name="accessToken"></param>
/// <returns></returns>
Task<string> GetProduct(string accessToken);
/// <summary>
/// 獲取訂單數據
/// </summary>
/// <param name="accessToken"></param>
/// <returns></returns>
Task<string> GetOrder(string accessToken);
修改/Helper/GatewayServiceHelper,訪問介面時增加Authorization參數,傳入accessToken:
public async Task<string> GetOrder(string accessToken)
{
var Client = new RestClient("http://localhost:9070");
var request = new RestRequest("/orders", Method.GET);
request.AddHeader("Authorization", "Bearer " + accessToken);
var response = await Client.ExecuteAsync(request);
if (response.StatusCode != HttpStatusCode.OK)
{
return response.StatusCode + " " + response.Content;
}
return response.Content;
}
public async Task<string> GetProduct(string accessToken)
{
var Client = new RestClient("http://localhost:9070");
var request = new RestRequest("/products", Method.GET);
request.AddHeader("Authorization", "Bearer " + accessToken);
var response = await Client.ExecuteAsync(request);
if (response.StatusCode != HttpStatusCode.OK)
{
return response.StatusCode + " " + response.Content;
}
return response.Content;
}
最後是/Controllers/HomeController的修改。添加Authorize標記:
[Authorize]
public class HomeController : Controller
修改Index action,獲取accessToken並傳入:
public async Task<IActionResult> Index()
{
var accessToken = await HttpContext.GetTokenAsync("access_token");
ViewBag.OrderData = await _serviceHelper.GetOrder(accessToken);
ViewBag.ProductData = await _serviceHelper.GetProduct(accessToken);
return View();
}
至此,客戶端集成也已完成。
測試
為了方便,鑒權中心、網關、web客戶端這3個項目都使用vs來啟動,他們的埠分別是9080,9070,5000。之前的OrderAPI和ProductAPI還是在docker中不變。
為了讓vs能同時啟動多個項目,需要設置一下,解決方案右鍵屬性:
Ctor+F5啟動項目。
3個項目都啟動完成後,瀏覽器訪問web客戶端:http://localhost:5000/
因為我還沒登錄,所以請求直接被重定向到了鑒權中心的登錄界面。使用alice/alice這個賬戶登錄系統。
登錄成功後,進入授權同意界面,你可以同意或者拒絕,還可以選擇勾選scope許可權。點擊Yes,Allow按鈕同意授權:
同意授權後,就能正常訪問客戶端界面了。下麵測試一下部分授權,這裡沒做登出功能,只能手動清理一下瀏覽器Cookie,ids4登出功能也很簡單,可以自行百度。
清除Cookie後,刷新頁面又會轉到ids4的登錄界面,這次使用bob/bob登錄:
這次只勾選orderApiScope,點擊Yes,Allow:
這次客戶端就只能訪問訂單服務了。當然也可以在鑒權中心去限制客戶端的api許可權,也可以在網關層面ocelot.json中限制,相信你已經知道該怎麼做了。
總結
本文主要完成了IdentityServer4鑒權中心、Ocelot網關、web客戶端之間的整合,實現了系統的統一授權認證。授權認證是幾乎每個系統必備的功能,而IdentityServer4是.Net Core下優秀的授權認證方案。再次推薦一下B站@solenovex 楊老師的視頻,地址:https://www.bilibili.com/video/BV16b411k7yM ,雖然視頻有點老了,但還是非常受用。
需要代碼的點這裡:https://github.com/xiajingren/NetCoreMicroserviceDemo
