IdentityServer4 實現鑒權、授權,AspNetCore Identity實現資料庫用戶管理表直接生成。 ps:IdentityServer4文檔上最後給的例子是 // 配置使用記憶體存儲用戶信息,但使用 EF 存儲客戶端和資源信息, 我初步要實現的是 //資料庫存儲用戶信息 記憶體存儲資源 ...
IdentityServer4 實現鑒權、授權,AspNetCore Identity實現資料庫用戶管理表直接生成。
ps:IdentityServer4文檔上最後給的例子是 // 配置使用記憶體存儲用戶信息,但使用 EF 存儲客戶端和資源信息,
我初步要實現的是 //資料庫存儲用戶信息 記憶體存儲資源 (下一步資源也放資料庫 以後弄好了有機會更)
直接幹活:
1.創建.Net6 API程式,一頓引用,包括
防止圖片掛掉打一遍文字:
IdentityServer4、
IdentityServer4.AspNetIdentity、
AspNetCore.Identity.EntityFrameworkCore(生成資料庫表用的)、
EntityFrameworkCore + Design + Tools 三件套 (缺了不能自動遷移)、
Pomelo.EntityFrameworkCore.MySql(我是用的MySql,如果是SqlServer 不用這個,改用一個大概叫EF.SqlServer的)、
Encrypt (加密MD5用的 不必須)、
下面那個是自帶的。
2.建立資料庫連接類
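public class IdpDbContext : IdentityDbContext<ApplicationUser>
{
    // Seed keys must be constants: EF Core matches HasData() rows by key every time a
    // migration is generated, so a key produced by Guid.NewGuid() at model-build time is
    // seen as a brand-new row each time and yields a delete/insert pair in every migration.
    private const string AdminRoleId = "f8df1775-e889-46f4-acdd-421ec8d9ba64";
    private const string AdminUserId = "f8df1775-e889-46f4-acdd-421ec8d9ba65";
    private const string AliceUserId = "f8df1775-e889-46f4-acdd-421ec8d9ba66"; // constructed fixed id, replaces Guid.NewGuid()

    public IdpDbContext(DbContextOptions<IdpDbContext> opt) : base(opt)
    {
    }

    /// <summary>
    /// Maps the Identity user table and seeds two bootstrap accounts plus the Admin role.
    /// </summary>
    protected override void OnModelCreating(ModelBuilder builder)
    {
        base.OnModelCreating(builder);
        builder.Entity<ApplicationUser>().ToTable("ApplicationUsers");

        // Same hasher MyUserManager injects, so the seeded hashes verify at login. Its
        // output is deterministic, which is what keeps these seed rows stable between
        // migrations; a salted hasher here would change the rows on every model build.
        var hasher = new MyPasswordHasher();

        // Seed credentials end up in source and in the generated migration; treat them as
        // bootstrap-only and change them on first deployment.
        var alice = new ApplicationUser
        {
            Id = AliceUserId,
            UserName = "alice1",
            NormalizedUserName = "ALICE1", // FindByNameAsync searches the normalized name
            RealName = "alice1",
        };
        // Previously the literal "alice1" was stored as the hash, which can never match
        // the hasher's output, so this account could not log in.
        alice.PasswordHash = hasher.HashPassword(alice, "alice1");

        // 1. User -> UserRoles foreign key.
        builder.Entity<ApplicationUser>(
            u => u.HasMany(x => x.UserRoles).WithOne().HasForeignKey(ur => ur.UserId).IsRequired()
        );

        // 2. Admin role.
        builder.Entity<IdentityRole>().HasData(
            new IdentityRole
            {
                Id = AdminRoleId,
                Name = "Admin",
                NormalizedName = "ADMIN",
            }
        );

        // 3. Admin user.
        var adminUser = new ApplicationUser
        {
            Id = AdminUserId,
            UserName = "admin",
            NormalizedUserName = "ADMIN",
            RealName = "admin",
            NormalizedEmail = "[email protected]".ToUpper(),
            Email = "[email protected]",
            TwoFactorEnabled = false,
            EmailConfirmed = true,
            PhoneNumber = "123456789",
            PhoneNumberConfirmed = false,
        };
        adminUser.PasswordHash = hasher.HashPassword(adminUser, "123456");

        builder.Entity<ApplicationUser>().HasData(alice, adminUser);

        // 4. Put the admin user into the Admin role.
        builder.Entity<IdentityUserRole<string>>().HasData(
            new IdentityUserRole<string>
            {
                RoleId = AdminRoleId,
                UserId = AdminUserId,
            }
        );
    }
}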
3.Program里開始加東西(如果是歷史的Net版本,是在StartUp里):
直接代碼
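using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using MyIDP;
using MyIDP.Models;
using MyIDP.Permission;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
builder.Services.AddControllers();
// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();

// The part that matters starts here.

// The connection string carries the database credentials, so it is read from
// configuration (user-secrets / environment / appsettings) rather than committed
// with the code. Expected key:
//   "ConnectionStrings": { "AccountDb": "server=...;Port=3306;database=AccountDb;uid=...;pwd=...;" }
var connectionString = builder.Configuration.GetConnectionString("AccountDb")
    ?? throw new InvalidOperationException("Connection string 'AccountDb' is not configured.");

builder.Services.AddDbContext<IdpDbContext>(opt =>
{
    opt.UseMySql(connectionString, new MySqlServerVersion(new Version(8, 0, 29)));
});

// ASP.NET Core Identity backed by IdpDbContext; MyUserManager supplies the hasher
// and the relaxed password policy.
builder.Services.AddIdentity<ApplicationUser, IdentityRole>()
    .AddUserManager<MyUserManager>()
    .AddEntityFrameworkStores<IdpDbContext>()
    .AddDefaultTokenProviders();

builder.Services.AddIdentityServer()
    // Generates a temporary signing key for development; a deployed instance needs
    // AddSigningCredential(...) with a managed key so tokens stay valid across restarts.
    .AddDeveloperSigningCredential()
    .AddInMemoryIdentityResources(MyIDP.IdpConfig.GetIdentityResources())
    .AddInMemoryClients(MyIDP.IdpConfig.GetClients())
    .AddInMemoryApiScopes(MyIDP.IdpConfig.GetScope())
    .AddInMemoryApiResources(MyIDP.IdpConfig.GetApiResources())
    //.AddResourceOwnerValidator<MyResourceOwnerPasswordValidator>() // uncomment to take over username/password validation
    //.AddProfileService<MyProfileService>()
    .AddAspNetIdentity<ApplicationUser>();

var app = builder.Build();

// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI();
}

// UseIdentityServer also registers the authentication middleware, so no separate
// UseAuthentication() call is needed ahead of UseAuthorization().
app.UseIdentityServer();
app.UseAuthorization();
app.MapControllers();
app.Run();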
因為使用的是記憶體儲存鑒權信息的方式,所以建立IdentityServer4的配置類IdpConfig
/// <summary>
/// In-memory IdentityServer4 configuration: identity resources, API resources,
/// API scopes and the single client that is allowed to use them.
/// </summary>
public static class IdpConfig
{
    /// <summary>OIDC identity resources this server can issue claims for.</summary>
    public static IEnumerable<IdentityResource> GetIdentityResources() => new IdentityResource[]
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
        new IdentityResources.Address(),
        new IdentityResources.Phone(),
        new IdentityResources.Email(),
    };

    /// <summary>API resources; "api1" is reachable through the "scope1" scope.</summary>
    public static IEnumerable<ApiResource> GetApiResources()
    {
        var api1 = new ApiResource("api1", "My API #1");
        api1.Scopes.Add("scope1");
        return new[] { api1 };
    }

    /// <summary>Registered clients: one resource-owner-password (WPF) client.</summary>
    public static IEnumerable<Client> GetClients()
    {
        // The secret "secret" is the IdentityServer4 quickstart placeholder and is stored
        // as its SHA-256; each deployment needs its own value.
        var wpfClient = new Client
        {
            ClientId = "client",
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
        };
        wpfClient.ClientSecrets.Add(new Secret("secret".Sha256()));

        // Resources the client may request tokens for.
        var allowed = new[]
        {
            "scope1",
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Email,
            IdentityServerConstants.StandardScopes.Address,
            IdentityServerConstants.StandardScopes.Phone,
            IdentityServerConstants.StandardScopes.Profile,
        };
        foreach (var scope in allowed)
        {
            wpfClient.AllowedScopes.Add(scope);
        }

        return new[] { wpfClient };
    }

    /// <summary>API scopes; "scope2" is defined but not granted to any client here.</summary>
    public static IEnumerable<ApiScope> GetScope() => new ApiScope[]
    {
        new ApiScope("scope1"),
        new ApiScope("scope2"),
    };
}
資料庫的UserManager
/// <summary>
/// UserManager that always hashes with <see cref="MyPasswordHasher"/> and relaxes the
/// password policy to a 4-character minimum with no character-class requirements.
/// The DI-supplied <c>passwordHasher</c> is deliberately not forwarded to the base
/// class, so registering another IPasswordHasher has no effect on this manager.
/// </summary>
public class MyUserManager : UserManager<ApplicationUser>
{
    public MyUserManager(IUserStore<ApplicationUser> store, IOptions<IdentityOptions> optionsAccessor, IPasswordHasher<ApplicationUser> passwordHasher,
        IEnumerable<IUserValidator<ApplicationUser>> userValidators, IEnumerable<IPasswordValidator<ApplicationUser>> passwordValidators, ILookupNormalizer keyNormalizer, IdentityErrorDescriber errors, IServiceProvider services, ILogger<UserManager<ApplicationUser>> logger)
        : base(store, optionsAccessor, new MyPasswordHasher(), userValidators, passwordValidators, keyNormalizer, errors, services, logger)
    {
        // Mutates the shared IdentityOptions instance each time a manager is constructed;
        // the same settings could be declared once in AddIdentity(options => ...).
        var policy = optionsAccessor.Value.Password;
        policy.RequiredLength = 4;
        policy.RequireDigit = false;
        policy.RequireLowercase = false;
        policy.RequireUppercase = false;
        policy.RequireNonAlphanumeric = false;
    }
}
重寫驗證密碼的方法類MyResourceOwnerPasswordValidator,(如果沒有打開Program中的AddResourceOwnerValidator<MyResourceOwnerPasswordValidator>() 則不需要)
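/// <summary>
/// Validates the username/password of a resource-owner-password token request against
/// ASP.NET Core Identity. Only active when Program registers it via
/// AddResourceOwnerValidator&lt;MyResourceOwnerPasswordValidator&gt;().
/// </summary>
public class MyResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
{
    public readonly SignInManager<ApplicationUser> signInManager;
    private readonly MyUserManager userManager;

    public MyResourceOwnerPasswordValidator(MyUserManager userService, SignInManager<ApplicationUser> signInManager)
    {
        userManager = userService;
        this.signInManager = signInManager;
    }

    /// <summary>
    /// Sets <c>context.Result</c> to a subject/claims result on success, or to an
    /// invalid_grant result otherwise.
    /// </summary>
    public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
    {
        if (string.IsNullOrEmpty(context.UserName) || string.IsNullOrEmpty(context.Password))
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "驗證被拒絕,用戶名或者密碼為空。");
            return;
        }

        var user = await userManager.FindByNameAsync(context.UserName);

        // Unknown account and wrong password produce the same error so the token endpoint
        // does not reveal which usernames exist. CheckPasswordAsync goes through
        // MyPasswordHasher via MyUserManager.
        if (user == null || !await userManager.CheckPasswordAsync(user, context.Password))
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "驗證失敗,用戶憑證錯誤");
            return;
        }

        // Best-effort bookkeeping: records a login row keyed by the user's own id with an
        // empty provider name. A failure here (for example the row already existing from an
        // earlier login) must not block token issuance, so it is deliberately ignored.
        try
        {
            await userManager.AddLoginAsync(user, new UserLoginInfo(user.Id, "", user.UserName));
        }
        catch (Exception)
        {
            // intentionally ignored, see above
        }

        context.Result = new GrantValidationResult(
            user.Id,
            GrantType.ResourceOwnerPassword,
            new List<Claim> { new Claim("account", user.UserName) });
    }
}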
MyPasswordHasher
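/// <summary>
/// Password hasher that stores the bare MD5 of the password (via the Encrypt package's
/// <c>MD5()</c> string extension). The output is unsalted and deterministic: equal
/// passwords share a hash, and IdpDbContext.OnModelCreating relies on that determinism
/// to keep its seeded users stable across migrations. Moving to the salted base
/// implementation (PasswordHasher&lt;T&gt;, PBKDF2) therefore also requires the seed
/// hashes to be precomputed instead of generated at model-build time.
/// </summary>
public class MyPasswordHasher : PasswordHasher<ApplicationUser>
{
    /// <summary>Returns the MD5 of <paramref name="password"/>; the user is not part of the input.</summary>
    public override string HashPassword(ApplicationUser user, string password)
    {
        return password.MD5();
    }

    /// <summary>
    /// Compares the stored hash with the MD5 of the supplied password. The comparison is
    /// ordinal as before but runs in constant time, so a mismatch does not leak how many
    /// leading characters of the stored hash agreed.
    /// </summary>
    public override PasswordVerificationResult VerifyHashedPassword(ApplicationUser user, string hashedPassword, string providedPassword)
    {
        // A missing hash or password can never verify (previously a null password threw).
        if (hashedPassword is null || providedPassword is null)
        {
            return PasswordVerificationResult.Failed;
        }

        var stored = System.Text.Encoding.UTF8.GetBytes(hashedPassword);
        var computed = System.Text.Encoding.UTF8.GetBytes(providedPassword.MD5());

        // FixedTimeEquals returns false for differing lengths without early exit.
        return System.Security.Cryptography.CryptographicOperations.FixedTimeEquals(stored, computed)
            ? PasswordVerificationResult.Success
            : PasswordVerificationResult.Failed;
    }
}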
創建自己的User類 ApplicationUser繼承 IdentityUser 覆寫自帶的AspNetUser表
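/// <summary>
/// Application user row; extends the Identity user with audit and profile columns.
/// Mapped to the "ApplicationUsers" table by IdpDbContext.
/// </summary>
public class ApplicationUser : IdentityUser
{
    public string MySomething { get; set; } = "";

    /// <summary>
    /// Creation time
    /// </summary>
    public DateTime CreateTime { get; set; }

    /// <summary>
    /// Id of the creating user
    /// </summary>
    public string CreatorId { get; set; } = "";

    /// <summary>
    /// Soft-delete flag. No query filter for it is configured in IdpDbContext above, so
    /// Identity lookups such as FindByNameAsync still return users marked deleted.
    /// </summary>
    public bool Deleted { get; set; }

    /// <summary>
    /// Display name. Initialised like the other string columns so a freshly constructed
    /// user does not carry a null into the non-nullable column.
    /// </summary>
    public string RealName { get; set; } = "";

    /// <summary>
    /// Gender. default(Sex) is 0, which is Woman, so a user created without setting this
    /// is stored as Woman rather than as "unspecified".
    /// </summary>
    public Sex Sex { get; set; }

    /// <summary>
    /// Date of birth
    /// </summary>
    public DateTime? Birthday { get; set; }

    /// <summary>
    /// Id of the owning department
    /// </summary>
    public string DepartmentId { get; set; } = "";

    public string OtherData { get; set; } = "";

    // User roles, user claims, user logins, user tokens: re-declared here to bind the
    // relationships on this type (the author notes the names must match the parent's).
    // Initialised so code that adds to them on a new user does not hit a null reference.
    public virtual ICollection<IdentityUserRole<string>> UserRoles { get; set; } = new List<IdentityUserRole<string>>();
    public virtual ICollection<IdentityUserClaim<string>> Claims { get; set; } = new List<IdentityUserClaim<string>>();
    public virtual ICollection<IdentityUserLogin<string>> Logins { get; set; } = new List<IdentityUserLogin<string>>();
    public virtual ICollection<IdentityUserToken<string>> Tokens { get; set; } = new List<IdentityUserToken<string>>();
}

/// <summary>Gender values as stored in the Sex column.</summary>
public enum Sex
{
    [Description("男")]
    Man = 1,

    [Description("女")]
    Woman = 0
}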
至此可以生成資料庫遷移後 Postman測試一下