/// <summary>
/// In-memory IdentityServer configuration: the client definitions and the
/// resource definitions that startup hands to <c>AddInMemoryStores</c>.
/// </summary>
public static class Config
{
    // Scope name shared by the client's AllowedScopes, the ApiScope and the
    // ApiResource's Scopes, so the three definitions cannot drift apart.
    private const string ApiScopeName = "api";

    // Shared-secret value used both as the client secret and the API secret.
    // NOTE(review): a secret literal in source is sample/development material;
    // a deployment should load the value from configuration or a secret store.
    private const string SharedSecretValue = "secret";

    /// <summary>The single client registered with the in-memory client store.</summary>
    public static IEnumerable<Client> Clients => new[] { BuildDefaultClient() };

    /// <summary>
    /// The protected resources registered with the in-memory resource store:
    /// the "api" scope, the "orderapi" API resource and the OpenID identity resource.
    /// </summary>
    public static IEnumerable<IResource> Resources => new IResource[]
    {
        BuildApiScope(),
        BuildOrderApiResource(),
        IdentityResources.OpenId,
    };

    // Client "client": may use the password and client-credentials grants and
    // may request the "api" scope; authenticates with a SHA-512-hashed secret.
    private static Client BuildDefaultClient()
    {
        return new Client
        {
            ClientId = "client",
            // NOTE(review): the password grant means the client collects the
            // user's credentials itself; keep it limited to trusted first-party clients.
            AllowedGrantTypes =
            {
                GrantTypes.Password,
                GrantTypes.ClientCredentials,
            },
            ClientSecrets =
            {
                new Secret(SharedSecretValue.Sha512()),
            },
            AllowedScopes =
            {
                ApiScopeName,
            },
        };
    }

    // Scope definition matching the name the client and the API resource refer to.
    private static ApiScope BuildApiScope() => new ApiScope(ApiScopeName);

    // Author's note: an ApiResource is only needed when reference tokens are used.
    // This one covers the "api" scope, lists JwtClaimTypes.Role as its claim type
    // and carries its own (SHA-256-hashed) secret.
    // NOTE(review): the API secret is hashed with Sha256 while the client secret
    // uses Sha512 — presumably the secret validator accepts both hash forms; confirm.
    private static ApiResource BuildOrderApiResource()
    {
        return new ApiResource("orderapi")
        {
            ClaimTypes = new string[]
            {
                JwtClaimTypes.Role,
            },
            Scopes =
            {
                ApiScopeName,
            },
            ApiSecrets =
            {
                new Secret(SharedSecretValue.Sha256()),
            },
        };
    }
}
using IdentityServer;
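// Register the IdentityServer services.
builder.Services.AddIdentityServer(o =>
{
    // Pin the issuer: by default IssuerUri is computed from HttpContext.Request,
    // so a request arriving over the intranet yields the intranet address (the
    // API service and IdentityServer usually talk over the intranet) while a user
    // registering over the public network yields the public URL; the API service
    // would then reject tokens because of the issuer mismatch.
    // NOTE(review): the value below is a placeholder; it must equal the authority
    // the API service validates tokens against and is better read from
    // configuration than hard-coded.
    o.IssuerUri = "https://www.baidu.com";
})
    .AddResourceOwnerCredentialRequestValidator<ResourceOwnerCredentialRequestValidator>()
    .AddExtensionGrantValidator<MyExtensionGrantValidator>()
    .AddProfileService<ProfileService>()
    .AddInMemoryStores(setup =>
    {
        setup.AddClients(Config.Clients);
        setup.AddResources(Config.Resources);
        // NOTE(review): presumably a development-only, non-persisted signing key;
        // confirm a persisted, managed signing key is configured for deployments.
        setup.AddDeveloperSigningCredentials();
    });

// Add local-API authentication.
builder.Services.AddLoaclApiAuthentication();

// One AddAuthorization call suffices: the overload taking a configure delegate
// registers the same authorization services and also applies the options, so the
// earlier parameterless call was redundant.
builder.Services.AddAuthorization(configure =>
{
    configure.AddPolicy("default", p => p.RequireAuthenticatedUser());
});

var app = builder.Build();

// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI();
}

// Enable the IdentityServer endpoints.
app.UseIdentityServer();
// Enable when local APIs need to be validated (AddLoaclApiAuthentication must be
// registered first); authentication has to run before authorization in the pipeline.
app.UseAuthentication();
app.UseAuthorization();
// Every controller endpoint requires the "default" policy (an authenticated user).
app.MapControllers()
    .RequireAuthorization("default");
app.Run();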