AllowedScopes in the Client configuration of the IdentityServer4 authorization center sets the name of the specific API site, which is the ApiName set by the user in the API service. Sample code:
```csharp
// Authorization center configuration
new Client
{
    ClientId = "client_id_1",
    AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
    AllowOfflineAccess = true,
    AccessTokenLifetime = 3600 * 6,          // 6 hours
    SlidingRefreshTokenLifetime = 1296000,   // 15 days
    ClientSecrets = { new Secret("secret".Sha256()) },
    AllowedScopes = { "api_name1" },
}

// API service configuration
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
    Authority = "http://localhost:5000",
    ApiName = "api_name1",
    RequireHttpsMetadata = false
});
```
The api_name1 values in the two configurations must be consistent. The problem arises because the scope configured in the authorization center covers the entire API service. If we have multiple Client configurations, such as a frontend and a backend, and both need to access api_name1, some problems occur. For example, take this interface configuration code in the API service:
```csharp
[Authorize]
[Route("api/values")]
[HttpGet]
public IActionResult Get()
{
    return Ok();
}
```
This configuration means that the api/values interface can only be accessed after authorization. If the authorization center is configured with two Clients (frontend and backend) and both of their scopes contain api_name1, there are two situations:
1. The frontend Client and the backend Client both require authorization to access the api/values interface: no problem.
2. The frontend Client does not require authorization for access, while the backend Client does: there is a problem. The frontend Client has no way to access the interface, because api/values is marked with Authorize().
Can the Client be used to control access? For example: [Authorize(ClientId = "client_id_1")]

2. Solution
This solution is not available, but you can use [Authorize(Roles = "admin")] instead. The ResourceOwnerPasswordValidator code of the authorization center is modified as follows:
```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Models;
using IdentityServer4.Validation;

public class ResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
{
    private readonly IUserService _userService;

    public ResourceOwnerPasswordValidator(IUserService userService)
    {
        _userService = userService;
    }

    public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
    {
        var user = await _userService.Login(context.UserName, context.Password);
        if (user != null)
        {
            // Set different roles according to the user object
            var claims = new List<Claim> { new Claim("role", "admin") };
            context.Result = new GrantValidationResult(
                user.UserId.ToString(),
                OidcConstants.AuthenticationMethods.Password,
                claims);
        }
        else
        {
            // Reject explicitly so a failed login never results in a token
            context.Result = new GrantValidationResult(
                TokenRequestErrors.InvalidGrant, "invalid username or password");
        }
    }
}
```
The ApiResource configuration of the authorization center is modified as follows:
```csharp
var builder = services.AddIdentityServer();
builder.AddTemporarySigningCredential()
    //.AddInMemoryIdentityResources(Config.GetIdentityResources())
    .AddInMemoryApiResources(new List<ApiResource>
    {
        // Add the role claim so it is included in access tokens for these APIs
        new ApiResource("api_name1", "api1") { UserClaims = new List<string> { "role" } },
        new ApiResource("api_name2", "api2") { UserClaims = new List<string> { "role" } }
    })
    .AddInMemoryClients(Config.GetClients());
```
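A quick way to confirm that the UserClaims change above actually puts the role claim into the access token is to request a token with the resource-owner-password grant and decode it. The following console program is an added example, not code from the original article; it assumes the authority http://localhost:5000, the client client_id_1 with secret "secret", the scope api_name1 and a test user "alice"/"password", and it uses the IdentityModel and System.IdentityModel.Tokens.Jwt packages.

```csharp
// Added example: fetch a token and list the claims the authorization center placed in it.
// Assumed values: authority, client id/secret, scope and the test user's credentials.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading.Tasks;
using IdentityModel.Client;

public static class TokenClaimCheck
{
    public static async Task Main()
    {
        var disco = await DiscoveryClient.GetAsync("http://localhost:5000");
        if (disco.IsError) throw new Exception(disco.Error);

        var tokenClient = new TokenClient(disco.TokenEndpoint, "client_id_1", "secret");
        var response = await tokenClient.RequestResourceOwnerPasswordAsync(
            "alice", "password", "api_name1");
        if (response.IsError) throw new Exception(response.Error);

        // Decode only; the API service validates signature and audience. Here we just
        // look at what the authorization center put into the token.
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(response.AccessToken);

        var clientId = jwt.Claims.FirstOrDefault(c => c.Type == "client_id")?.Value;
        var scopes = jwt.Claims.Where(c => c.Type == "scope").Select(c => c.Value).ToList();
        var roles = jwt.Claims.Where(c => c.Type == "role").Select(c => c.Value).ToList();

        Console.WriteLine($"client_id: {clientId}");
        Console.WriteLine($"scope    : {string.Join(" ", scopes)}");
        Console.WriteLine($"role     : {string.Join(" ", roles)}");

        // If the role claim is missing, either ApiResource.UserClaims does not list "role"
        // or the validator did not add the claim for this user.
        if (roles.Count == 0)
            Console.WriteLine("No role claim in the token; check ApiResource.UserClaims and the validator.");
    }
}
```

The client_id claim printed here is issued by IdentityServer4 for every access token, which is why it is the natural thing to key an endpoint policy on when the goal is to tell clients apart rather than users.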
The interfaces of the API service are configured as follows:

```csharp
[Authorize]
[Route("api/values")]
[HttpGet]
public IActionResult Get()
{
    return Ok();
}

[Authorize(Roles = "admin")]
[Route("api/values2")]
[HttpGet]
public IActionResult Get2()
{
    return Ok();
}

[Authorize(Roles = "admin,normal")]
[Route("api/values3")]
[HttpGet]
public IActionResult Get3()
{
    return Ok();
}
```
The api/values interface does not set specific Roles, so it is accessible to every Role.
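The role claim in the solution above is attached to the user by the validator, so [Authorize(Roles = ...)] separates users, not clients: an admin user logging in through the frontend Client and through the backend Client receives the same role. To restrict an endpoint to one Client, the API service can instead build a policy on the client_id claim that IdentityServer4 places in every access token. The following API-side configuration is an added example, not code from the original article; it keeps the article's role-based attributes, assumes the 1.x-style app.UseIdentityServerAuthentication middleware used above, the authority http://localhost:5000, the ApiName api_name1, and a backend client with the assumed id "client_id_backend", and relies on the middleware passing the "client_id" and "role" claim types through unchanged.

```csharp
// Added example: policy-based authorization on top of the article's setup.
// Assumed: client id "client_id_backend", authority and ApiName as in the article.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using IdentityServer4.AccessTokenValidation;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        services.AddAuthorization(options =>
        {
            // Only tokens issued to the backend Client pass, whatever the user's role.
            options.AddPolicy("BackendClientOnly", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireClaim("client_id", "client_id_backend"));

            // Any Client with the api_name1 scope, but the user must carry the admin role.
            options.AddPolicy("AdminRole", policy =>
                policy.RequireRole("admin"));

            // Both conditions at once: the backend Client and an admin user.
            options.AddPolicy("BackendAdmin", policy =>
                policy.RequireClaim("client_id", "client_id_backend")
                      .RequireRole("admin"));
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
        {
            Authority = "http://localhost:5000",  // authorization center
            ApiName = "api_name1",                // must match the ApiResource / AllowedScopes entry
            RequireHttpsMetadata = false          // development only
        });
        app.UseMvc();
    }
}

[Route("api/values")]
public class ValuesController : Controller
{
    // Scope check only: every Client that lists api_name1 in AllowedScopes gets in.
    [Authorize]
    [HttpGet]
    public IActionResult Get() => Ok();

    // Restricted to the backend Client regardless of the caller's role.
    [Authorize(Policy = "BackendClientOnly")]
    [HttpGet("backend")]
    public IActionResult GetBackend() => Ok();

    // Same role check as the article's api/values2, expressed as a policy.
    [Authorize(Policy = "AdminRole")]
    [HttpGet("admin")]
    public IActionResult GetAdmin() => Ok();

    // Client and role both required.
    [Authorize(Policy = "BackendAdmin")]
    [HttpGet("backend-admin")]
    public IActionResult GetBackendAdmin() => Ok();
}
```

A caller holding a valid api_name1 token from the frontend Client still reaches api/values, which is the scope-level behaviour the first section describes, but receives 403 from api/values/backend because its client_id claim does not match. Keep the AllowedScopes of each Client as narrow as possible as well, since a Client that is never granted api_name1 cannot obtain a token the API service accepts in the first place.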
The above is the detailed content of the IdentityServer4 authorization configuration AllowedScopes example. For more information, please follow other related articles on the PHP Chinese website.