🔄refactor: 使用OpenIddict 重构Identity

This commit is contained in:
yubaolee
2026-06-25 23:42:43 +08:00
parent 7a34fa7c51
commit 5e6ca18770
42 changed files with 697 additions and 2074 deletions

View File

@@ -1,11 +1,8 @@
// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.
// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
using System;
using System;
using System.Linq;
using Autofac;
using Infrastructure;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.EntityFrameworkCore;
@@ -14,7 +11,12 @@ using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using OpenAuth.App;
using OpenAuth.Repository;
using OpenIddict.Abstractions;
using SqlSugar;
using OpenIddict.Server;
using OpenAuth.IdentityServer.Handlers;
using static OpenIddict.Abstractions.OpenIddictConstants;
using static OpenIddict.Server.OpenIddictServerEvents;
namespace OpenAuth.IdentityServer
{
@@ -32,41 +34,69 @@ namespace OpenAuth.IdentityServer
{
services.AddControllersWithViews();
var builder = services.AddIdentityServer()
.AddInMemoryIdentityResources(Config.GetIdentityResources())
.AddInMemoryApiResources(Config.GetApis())
.AddInMemoryClients(Config.GetClients(Environment.IsProduction()))
.AddProfileService<CustomProfileService>();
// Cookie 认证(用于登录页面维持会话)
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
{
options.LoginPath = "/Account/Login";
options.LogoutPath = "/Account/Logout";
});
// OpenIddict 配置
services.AddOpenIddict()
.AddServer(options =>
{
// 启用授权码流程 + PKCEVue3 前端使用)
options.AllowAuthorizationCodeFlow()
.RequireProofKeyForCodeExchange();
// 启用隐式流程Swagger 使用)
options.AllowImplicitFlow();
// 配置端点 URI
options.SetAuthorizationEndpointUris("/connect/authorize")
.SetTokenEndpointUris("/connect/token")
.SetUserinfoEndpointUris("/connect/userinfo")
.SetLogoutEndpointUris("/connect/logout");
// 注册 scope
options.RegisterScopes(Scopes.OpenId, Scopes.Profile, "openauthapi");
// 开发环境使用临时证书
options.AddDevelopmentEncryptionCertificate()
.AddDevelopmentSigningCertificate();
// 禁用 access_token 加密,让 WebApi 的 JwtBearer 能直接验证
options.DisableAccessTokenEncryption();
// 禁用降级模式下的强制 scope/client 验证
options.UseAspNetCore()
.EnableAuthorizationEndpointPassthrough()
.EnableTokenEndpointPassthrough()
.EnableUserinfoEndpointPassthrough()
.EnableLogoutEndpointPassthrough()
.DisableTransportSecurityRequirement(); // 开发环境允许 HTTP生产环境应移除
// 降级模式:不使用数据库存储,手动处理验证
options.EnableDegradedMode();
// 注册自定义验证 handler降级模式必须
options.AddEventHandler<ValidateAuthorizationRequestContext>(builder =>
builder.UseSingletonHandler<ValidateAuthorizationRequestHandler>());
options.AddEventHandler<ValidateTokenRequestContext>(builder =>
builder.UseSingletonHandler<ValidateTokenRequestHandler>());
options.AddEventHandler<ValidateLogoutRequestContext>(builder =>
builder.UseSingletonHandler<ValidateLogoutRequestHandler>());
})
.AddValidation(options =>
{
options.UseLocalServer();
options.UseAspNetCore();
});
services.ConfigureNonBreakingSameSiteCookies();
services.AddCors();
// todo:如果正式 环境请用下面的方式限制随意访问跨域
// var origins = new []
// {
// "http://localhost:1803",
// "http://localhost:52789"
// };
// if (Environment.IsProduction())
// {
// origins = new []
// {
// "http://demo.openauth.net.cn:1803",
// "http://demo.openauth.net.cn:52789"
// };
// }
// services.AddCors(option=>option.AddPolicy("cors", policy =>
// policy.AllowAnyHeader().AllowAnyMethod().AllowCredentials().WithOrigins(origins)));
//全部用测试环境正式环境请参考https://www.cnblogs.com/guolianyu/p/9872661.html
//if (Environment.IsDevelopment())
//{
builder.AddDeveloperSigningCredential();
//}
//else
//{
// throw new Exception("need to configure key material");
//}
services.AddAuthentication();
@@ -153,7 +183,7 @@ namespace OpenAuth.IdentityServer
app.UseStaticFiles();
app.UseRouting();
app.UseIdentityServer();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>