mirror of
https://gitee.com/dotnetchina/OpenAuth.Net.git
synced 2026-07-14 03:23:48 +08:00
🔄refactor: 使用OpenIddict 重构Identity
This commit is contained in:
@@ -1,11 +1,8 @@
|
||||
// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.
|
||||
// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
|
||||
|
||||
|
||||
using System;
|
||||
using System;
|
||||
using System.Linq;
|
||||
using Autofac;
|
||||
using Infrastructure;
|
||||
using Microsoft.AspNetCore.Authentication.Cookies;
|
||||
using Microsoft.AspNetCore.Builder;
|
||||
using Microsoft.AspNetCore.Http;
|
||||
using Microsoft.EntityFrameworkCore;
|
||||
@@ -14,7 +11,12 @@ using Microsoft.Extensions.DependencyInjection;
|
||||
using Microsoft.Extensions.Hosting;
|
||||
using OpenAuth.App;
|
||||
using OpenAuth.Repository;
|
||||
using OpenIddict.Abstractions;
|
||||
using SqlSugar;
|
||||
using OpenIddict.Server;
|
||||
using OpenAuth.IdentityServer.Handlers;
|
||||
using static OpenIddict.Abstractions.OpenIddictConstants;
|
||||
using static OpenIddict.Server.OpenIddictServerEvents;
|
||||
|
||||
namespace OpenAuth.IdentityServer
|
||||
{
|
||||
@@ -32,41 +34,69 @@ namespace OpenAuth.IdentityServer
|
||||
{
|
||||
services.AddControllersWithViews();
|
||||
|
||||
var builder = services.AddIdentityServer()
|
||||
.AddInMemoryIdentityResources(Config.GetIdentityResources())
|
||||
.AddInMemoryApiResources(Config.GetApis())
|
||||
.AddInMemoryClients(Config.GetClients(Environment.IsProduction()))
|
||||
.AddProfileService<CustomProfileService>();
|
||||
// Cookie 认证(用于登录页面维持会话)
|
||||
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
|
||||
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
|
||||
{
|
||||
options.LoginPath = "/Account/Login";
|
||||
options.LogoutPath = "/Account/Logout";
|
||||
});
|
||||
|
||||
// OpenIddict 配置
|
||||
services.AddOpenIddict()
|
||||
.AddServer(options =>
|
||||
{
|
||||
// 启用授权码流程 + PKCE(Vue3 前端使用)
|
||||
options.AllowAuthorizationCodeFlow()
|
||||
.RequireProofKeyForCodeExchange();
|
||||
|
||||
// 启用隐式流程(Swagger 使用)
|
||||
options.AllowImplicitFlow();
|
||||
|
||||
// 配置端点 URI
|
||||
options.SetAuthorizationEndpointUris("/connect/authorize")
|
||||
.SetTokenEndpointUris("/connect/token")
|
||||
.SetUserinfoEndpointUris("/connect/userinfo")
|
||||
.SetLogoutEndpointUris("/connect/logout");
|
||||
|
||||
// 注册 scope
|
||||
options.RegisterScopes(Scopes.OpenId, Scopes.Profile, "openauthapi");
|
||||
|
||||
// 开发环境使用临时证书
|
||||
options.AddDevelopmentEncryptionCertificate()
|
||||
.AddDevelopmentSigningCertificate();
|
||||
|
||||
// 禁用 access_token 加密,让 WebApi 的 JwtBearer 能直接验证
|
||||
options.DisableAccessTokenEncryption();
|
||||
|
||||
// 禁用降级模式下的强制 scope/client 验证
|
||||
options.UseAspNetCore()
|
||||
.EnableAuthorizationEndpointPassthrough()
|
||||
.EnableTokenEndpointPassthrough()
|
||||
.EnableUserinfoEndpointPassthrough()
|
||||
.EnableLogoutEndpointPassthrough()
|
||||
.DisableTransportSecurityRequirement(); // 开发环境允许 HTTP(生产环境应移除)
|
||||
|
||||
// 降级模式:不使用数据库存储,手动处理验证
|
||||
options.EnableDegradedMode();
|
||||
|
||||
// 注册自定义验证 handler(降级模式必须)
|
||||
options.AddEventHandler<ValidateAuthorizationRequestContext>(builder =>
|
||||
builder.UseSingletonHandler<ValidateAuthorizationRequestHandler>());
|
||||
options.AddEventHandler<ValidateTokenRequestContext>(builder =>
|
||||
builder.UseSingletonHandler<ValidateTokenRequestHandler>());
|
||||
options.AddEventHandler<ValidateLogoutRequestContext>(builder =>
|
||||
builder.UseSingletonHandler<ValidateLogoutRequestHandler>());
|
||||
})
|
||||
.AddValidation(options =>
|
||||
{
|
||||
options.UseLocalServer();
|
||||
options.UseAspNetCore();
|
||||
});
|
||||
|
||||
services.ConfigureNonBreakingSameSiteCookies();
|
||||
|
||||
services.AddCors();
|
||||
// todo:如果正式 环境请用下面的方式限制随意访问跨域
|
||||
// var origins = new []
|
||||
// {
|
||||
// "http://localhost:1803",
|
||||
// "http://localhost:52789"
|
||||
// };
|
||||
// if (Environment.IsProduction())
|
||||
// {
|
||||
// origins = new []
|
||||
// {
|
||||
// "http://demo.openauth.net.cn:1803",
|
||||
// "http://demo.openauth.net.cn:52789"
|
||||
// };
|
||||
// }
|
||||
// services.AddCors(option=>option.AddPolicy("cors", policy =>
|
||||
// policy.AllowAnyHeader().AllowAnyMethod().AllowCredentials().WithOrigins(origins)));
|
||||
|
||||
//全部用测试环境,正式环境请参考https://www.cnblogs.com/guolianyu/p/9872661.html
|
||||
//if (Environment.IsDevelopment())
|
||||
//{
|
||||
builder.AddDeveloperSigningCredential();
|
||||
//}
|
||||
//else
|
||||
//{
|
||||
// throw new Exception("need to configure key material");
|
||||
//}
|
||||
|
||||
services.AddAuthentication();
|
||||
|
||||
@@ -153,7 +183,7 @@ namespace OpenAuth.IdentityServer
|
||||
app.UseStaticFiles();
|
||||
app.UseRouting();
|
||||
|
||||
app.UseIdentityServer();
|
||||
app.UseAuthentication();
|
||||
app.UseAuthorization();
|
||||
|
||||
app.UseEndpoints(endpoints =>
|
||||
|
||||
Reference in New Issue
Block a user