曹鹏飞
10 months ago
commit
fd676201ec
34 changed files with 1384 additions and 0 deletions
@ -0,0 +1,3 @@ |
|||||
|
.vs |
||||
|
bin |
||||
|
obj |
||||
@ -0,0 +1,49 @@ |
|||||
|
using Flurl; |
||||
|
using Flurl.Http; |
||||
|
using HuiXin.Gateway.Ocelot.Configurations; |
||||
|
using Microsoft.Extensions.Options; |
||||
|
using Ocelot.Errors; |
||||
|
using Ocelot.Infrastructure.Claims.Parser; |
||||
|
using Ocelot.Responses; |
||||
|
using Serilog; |
||||
|
|
||||
|
namespace HuiXin.Gateway.Ocelot.Authorizers |
||||
|
{ |
||||
|
public class HttpRolesAuthorizer : RolesAuthorizerBase, IRolesAuthorizer |
||||
|
{ |
||||
|
private readonly string _url; |
||||
|
private readonly FlurlClient _client; |
||||
|
|
||||
|
public HttpRolesAuthorizer(IClaimsParser claimsParser, IOptions<RolesAuthorizerConfiguration> configuration) : base(claimsParser, configuration) |
||||
|
{ |
||||
|
_url = _configs.Url ?? throw new Exception("未配置角色验证的Url地址"); |
||||
|
_client = new FlurlClient(_url); |
||||
|
_client.Settings.Timeout = TimeSpan.FromMilliseconds(_configs.Timeout); |
||||
|
_client.Settings.Redirects.Enabled = false; |
||||
|
} |
||||
|
|
||||
|
public async Task<Response<bool>> Authorize(List<string> roles, string path) |
||||
|
{ |
||||
|
try |
||||
|
{ |
||||
|
bool pass = await _client.Request().AppendQueryParam("roles", roles).AppendQueryParam("path", path).GetJsonAsync<bool>(); |
||||
|
if (pass) |
||||
|
{ |
||||
|
return await ReturnAsync(new OkResponse<bool>(true)); |
||||
|
} |
||||
|
else |
||||
|
{ |
||||
|
return await ReturnAsync(new ErrorResponse<bool>(new HttpRolesAuthorizerFail("用户没有访问权限"))); |
||||
|
} |
||||
|
} |
||||
|
catch (Exception ex) |
||||
|
{ |
||||
|
Log.Error(ex.Message, "验证用户角色权限出错"); |
||||
|
return await ReturnAsync(new ErrorResponse<bool>(new HttpRolesAuthorizerError("验证用户角色权限出错"))); |
||||
|
} |
||||
|
} |
||||
|
} |
||||
|
|
||||
|
public class HttpRolesAuthorizerError(string message) : Error(message, OcelotErrorCode.UnableToCompleteRequestError, 500){} |
||||
|
public class HttpRolesAuthorizerFail(string message) : Error(message, OcelotErrorCode.UnauthorizedError, 403){} |
||||
|
} |
||||
@ -0,0 +1,9 @@ |
|||||
|
using Ocelot.Responses; |
||||
|
|
||||
|
namespace HuiXin.Gateway.Ocelot.Authorizers |
||||
|
{ |
||||
|
public interface IRolesAuthorizer |
||||
|
{ |
||||
|
Task<Response<bool>> Authorize(List<string> roles, string path); |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,24 @@ |
|||||
|
using HuiXin.Gateway.Ocelot.Configurations; |
||||
|
using Microsoft.Extensions.Options; |
||||
|
using Ocelot.Infrastructure.Claims.Parser; |
||||
|
using Ocelot.Responses; |
||||
|
|
||||
|
namespace HuiXin.Gateway.Ocelot.Authorizers |
||||
|
{ |
||||
|
public class RolesAuthorizerBase |
||||
|
{ |
||||
|
protected readonly IClaimsParser _claimsParser; |
||||
|
protected RolesAuthorizerConfiguration _configs; |
||||
|
|
||||
|
public RolesAuthorizerBase(IClaimsParser claimsParser, IOptions<RolesAuthorizerConfiguration> cfg) |
||||
|
{ |
||||
|
_claimsParser = claimsParser; |
||||
|
_configs = cfg.Value ?? throw new Exception("未配置角色验证参数"); |
||||
|
} |
||||
|
|
||||
|
protected async Task<Response<T>> ReturnAsync<T>(Response<T> response) |
||||
|
{ |
||||
|
return await Task.FromResult(response); |
||||
|
} |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,6 @@ |
|||||
|
{ |
||||
|
"AuthenticationScheme": "MyKey", |
||||
|
"Authority": "http://localhost:5001", |
||||
|
"Audience": "huixin", |
||||
|
"IssuerSigningKeyBase64": "GcTdqSZdpRxBtdtgwvDHBzS427VGTQzbM+JD1CBbUZY=" |
||||
|
} |
||||
@ -0,0 +1,54 @@ |
|||||
|
{ |
||||
|
"Routes": [ |
||||
|
{ |
||||
|
"UpstreamHttpMethod": [ "Get" ], |
||||
|
"UpstreamPathTemplate": "/user/{postId}", |
||||
|
"DownstreamPathTemplate": "/search?q=/{postId}", |
||||
|
"DownstreamScheme": "https", |
||||
|
"DownstreamHostAndPorts": [ |
||||
|
{ |
||||
|
"Host": "localhost", |
||||
|
"Port": 443 |
||||
|
} |
||||
|
], |
||||
|
"QoSOptions": { |
||||
|
"TimeoutValue": 5000 |
||||
|
}, |
||||
|
//"ServiceName": "auth", |
||||
|
"LoadBalancerOptions": { |
||||
|
"Type": "LeastConnection" |
||||
|
}, |
||||
|
"AuthenticationOptions": { |
||||
|
"AuthenticationProviderKey": "MyKey", |
||||
|
"AllowedScopes": [ "all" ] |
||||
|
} |
||||
|
}, |
||||
|
{ |
||||
|
"UpstreamHttpMethod": [ "Get" ], |
||||
|
"UpstreamPathTemplate": "/{url}", |
||||
|
"DownstreamPathTemplate": "/search?q={url}", |
||||
|
"DownstreamScheme": "https", |
||||
|
"DownstreamHostAndPorts": [ |
||||
|
{ |
||||
|
"Host": "cn.bing.com", |
||||
|
"Port": 443 |
||||
|
} |
||||
|
] |
||||
|
} |
||||
|
], |
||||
|
"GlobalConfiguration": { |
||||
|
"BaseUrl": "https://api.mybusiness.com", |
||||
|
"RequestIdKey": "TraceId" |
||||
|
//"ServiceDiscoveryProvider": { |
||||
|
// "Scheme": "https", |
||||
|
// "Host": "localhost", |
||||
|
// "Port": 8500, |
||||
|
// "Type": "Consul" |
||||
|
//} |
||||
|
}, |
||||
|
"RolesAuthorizer": { |
||||
|
"Type": "http", |
||||
|
"Url": "http://auth.huixin.com/api/authorizer", |
||||
|
"Timeout": 2000 |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,15 @@ |
|||||
|
{ |
||||
|
"Serilog": { |
||||
|
"WriteTo": [ |
||||
|
{ |
||||
|
"Name": "File", |
||||
|
"Args": { |
||||
|
"path": "./Logs/gateway.txt", |
||||
|
"rollingInterval": "Day", |
||||
|
"fileSizeLimitBytes": 20971520 |
||||
|
} |
||||
|
}, |
||||
|
{ "Name": "Console" } |
||||
|
] |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,9 @@ |
|||||
|
namespace HuiXin.Gateway.Ocelot.Configurations |
||||
|
{ |
||||
|
public class RolesAuthorizerConfiguration |
||||
|
{ |
||||
|
public string Type { get; set; } |
||||
|
public string Url { get; set; } |
||||
|
public int Timeout { get; set; } |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,46 @@ |
|||||
|
using Microsoft.AspNetCore.Authentication.JwtBearer; |
||||
|
using Microsoft.IdentityModel.Tokens; |
||||
|
|
||||
|
namespace HuiXin.Gateway.Ocelot.Extensions |
||||
|
{ |
||||
|
public static class JWTExtensions |
||||
|
{ |
||||
|
public static IServiceCollection AddJWT(this IServiceCollection services, IConfiguration configuration) |
||||
|
{ |
||||
|
services.AddAuthentication(options => |
||||
|
{ |
||||
|
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; |
||||
|
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; |
||||
|
}).AddJwtBearer(configuration.GetValue<string>("AuthenticationScheme") ?? throw new Exception("jwt的参数AuthenticationScheme未配置,请在jwt.json文件中配置"), options => |
||||
|
{ |
||||
|
//options.Authority = cfgJwt.GetValue<string>("Authority"); // OpenIddict服务端地址
|
||||
|
//options.BackchannelTimeout = TimeSpan.FromMilliseconds(300);
|
||||
|
options.RequireHttpsMetadata = false; |
||||
|
options.Audience = configuration.GetValue<string>("Audience"); // 与OpenIddict中定义的Audience匹配
|
||||
|
options.TokenValidationParameters = new TokenValidationParameters |
||||
|
{ |
||||
|
ValidateIssuerSigningKey = false, |
||||
|
IssuerSigningKey = new SymmetricSecurityKey(Convert.FromBase64String(configuration.GetValue<string>("IssuerSigningKeyBase64") ?? throw new Exception("jwt的参数IssuerSigningKeyBase64未配置,请在jwt.json文件中配置"))), |
||||
|
ValidateIssuer = false, |
||||
|
//ValidIssuer = "YOUR_ISSUER",
|
||||
|
ValidateAudience = false, |
||||
|
//ValidAudience = "YOUR_AUDIENCE",
|
||||
|
ValidateLifetime = true, |
||||
|
// 忽略 kid 参数
|
||||
|
ValidateTokenReplay = false, |
||||
|
}; |
||||
|
}); |
||||
|
services.AddAuthorization(); |
||||
|
|
||||
|
return services; |
||||
|
} |
||||
|
|
||||
|
public static IApplicationBuilder UseJWT(this WebApplication app) |
||||
|
{ |
||||
|
app.UseAuthentication(); |
||||
|
app.UseAuthorization(); |
||||
|
|
||||
|
return app; |
||||
|
} |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,64 @@ |
|||||
|
using HuiXin.Gateway.Ocelot.Authorizers; |
||||
|
using HuiXin.Gateway.Ocelot.Configurations; |
||||
|
using HuiXin.Gateway.Ocelot.Middlewares; |
||||
|
using Ocelot.Authorization; |
||||
|
using Ocelot.DependencyInjection; |
||||
|
using Ocelot.Infrastructure.Claims.Parser; |
||||
|
using Ocelot.Middleware; |
||||
|
using Ocelot.Provider.Consul; |
||||
|
using System.Security.Claims; |
||||
|
|
||||
|
namespace HuiXin.Gateway.Ocelot.Extensions |
||||
|
{ |
||||
|
public static class OcelotExtensions |
||||
|
{ |
||||
|
public static IServiceCollection AddMyOcelot(this IServiceCollection services, IConfiguration configuration) |
||||
|
{ |
||||
|
services.AddOcelot().AddConsul(); |
||||
|
|
||||
|
services.AddSingleton<IRolesAuthorizer, HttpRolesAuthorizer>(); |
||||
|
services.Configure<RolesAuthorizerConfiguration>(configuration.GetSection("RolesAuthorizer")); |
||||
|
|
||||
|
return services; |
||||
|
} |
||||
|
|
||||
|
public static IApplicationBuilder UseMyOcelot(this WebApplication app) |
||||
|
{ |
||||
|
app.UseMiddleware<AccessLoggingMiddleware>(); |
||||
|
|
||||
|
app.UseOcelot(new OcelotPipelineConfiguration |
||||
|
{ |
||||
|
PreQueryStringBuilderMiddleware = async (context, next) => |
||||
|
{ |
||||
|
var claimsParser = app.Services.GetRequiredService<IClaimsParser>(); |
||||
|
var values = claimsParser.GetValuesByClaimType(context.User.Claims, ClaimsIdentity.DefaultRoleClaimType); |
||||
|
if (values.IsError) |
||||
|
{ |
||||
|
context.Items.UpsertErrors(values.Errors); |
||||
|
return; |
||||
|
} |
||||
|
if (values.Data == null || values.Data.Count == 0) |
||||
|
{ |
||||
|
context.Items.SetError(new UserDoesNotHaveClaimError("token中未包含角色信息")); |
||||
|
return; |
||||
|
} |
||||
|
var downstreamRoute = context.Items.DownstreamRoute(); |
||||
|
var url = downstreamRoute.DownstreamPathTemplate.Value; |
||||
|
context.Items.TemplatePlaceholderNameAndValues().ForEach(nv => |
||||
|
{ |
||||
|
url = url.Replace(nv.Name, nv.Value); |
||||
|
}); |
||||
|
var rolesAuthorizer = app.Services.GetRequiredService<IRolesAuthorizer>(); |
||||
|
var result = await rolesAuthorizer.Authorize(values.Data, url); |
||||
|
if (result.IsError) |
||||
|
{ |
||||
|
context.Items.UpsertErrors(result.Errors); |
||||
|
return; |
||||
|
} |
||||
|
await next.Invoke(); |
||||
|
} |
||||
|
}).Wait(); |
||||
|
return app; |
||||
|
} |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,23 @@ |
|||||
|
<Project Sdk="Microsoft.NET.Sdk.Web"> |
||||
|
|
||||
|
<PropertyGroup> |
||||
|
<TargetFramework>net8.0</TargetFramework> |
||||
|
<Nullable>enable</Nullable> |
||||
|
<ImplicitUsings>enable</ImplicitUsings> |
||||
|
</PropertyGroup> |
||||
|
|
||||
|
<ItemGroup> |
||||
|
<PackageReference Include="Flurl.Http" Version="4.0.2" /> |
||||
|
<PackageReference Include="JWT" Version="10.1.1" /> |
||||
|
<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.3" /> |
||||
|
<PackageReference Include="Ocelot" Version="23.1.0" /> |
||||
|
<PackageReference Include="Ocelot.Provider.Consul" Version="23.1.0" /> |
||||
|
<PackageReference Include="Ocelot.Provider.Polly" Version="23.1.0" /> |
||||
|
<PackageReference Include="Serilog.AspNetCore" Version="8.0.1" /> |
||||
|
<PackageReference Include="Serilog.Settings.Configuration" Version="8.0.0" /> |
||||
|
<PackageReference Include="Serilog.Sinks.Console" Version="5.0.1" /> |
||||
|
<PackageReference Include="Serilog.Sinks.File" Version="5.0.0" /> |
||||
|
<PackageReference Include="Yitter.IdGenerator" Version="1.0.14" /> |
||||
|
</ItemGroup> |
||||
|
|
||||
|
</Project> |
||||
@ -0,0 +1,64 @@ |
|||||
|
using Microsoft.IdentityModel.Tokens; |
||||
|
using System.IdentityModel.Tokens.Jwt; |
||||
|
using System.Security.Claims; |
||||
|
|
||||
|
namespace HuiXin.Gateway.Ocelot |
||||
|
{ |
||||
|
public class JWTUtil |
||||
|
{ |
||||
|
|
||||
|
/// <summary>
|
||||
|
/// 创建token
|
||||
|
/// </summary>
|
||||
|
/// <returns></returns>
|
||||
|
public static string CreateJwtToken(IDictionary<string, object> payload, string secret, IDictionary<string, string> extraHeaders = null) |
||||
|
{ |
||||
|
//IJwtEncoder encoder = new JwtEncoder(new HMACSHA256Algorithm(), new JsonNetSerializer(), new JwtBase64UrlEncoder());
|
||||
|
//var token = encoder.Encode(extraHeaders,payload, secret);
|
||||
|
//return token;
|
||||
|
|
||||
|
Claim[] claims = new Claim[] |
||||
|
{ |
||||
|
new Claim("Id", "aaa"), |
||||
|
new Claim("Name", "bbb"), |
||||
|
new Claim("Email", "ccc"), |
||||
|
}; |
||||
|
|
||||
|
var securityKey = new SymmetricSecurityKey(Convert.FromBase64String("GcTdqSZdpRxBtdtgwvDHBzS427VGTQzbM+JD1CBbUZY=")); |
||||
|
|
||||
|
var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256); |
||||
|
|
||||
|
|
||||
|
var header = new JwtHeader(signingCredentials); |
||||
|
//header.Add("typ", "JWT"); // 默认情况下,typ通常是"JWT",但你可以明确设置它
|
||||
|
//header.Add("kid", "MyKey");
|
||||
|
//header.Add("key", "MyKey");
|
||||
|
//header.Add("keyid", "MyKey");
|
||||
|
|
||||
|
// 设置JWT载荷(payload)
|
||||
|
var payload1 = new JwtPayload |
||||
|
{ |
||||
|
//{ "kid", "MyKey" },
|
||||
|
//{ "key", "MyKey" },
|
||||
|
//{ "keyid", "MyKey" },
|
||||
|
{ "issuer",""}, |
||||
|
{ "sub", "1234567890" }, |
||||
|
{ "name", "测试用户" }, |
||||
|
{ "role", new []{"test","admin" } }, |
||||
|
{ "scope",new []{"all" } }, |
||||
|
{ "iat", ToUnixTime(DateTime.Now)}, |
||||
|
{ "exp", ToUnixTime(DateTime.Now.AddDays(1)) } |
||||
|
}; |
||||
|
|
||||
|
// 创建JwtSecurityToken实例并结合header和payload
|
||||
|
var jwt = new JwtSecurityToken(header, payload1); |
||||
|
return new JwtSecurityTokenHandler().WriteToken(jwt); |
||||
|
} |
||||
|
|
||||
|
private static long ToUnixTime(DateTime dt) |
||||
|
{ |
||||
|
DateTime epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc); |
||||
|
return (long)(dt.ToUniversalTime() - epoch).TotalMilliseconds; |
||||
|
} |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,132 @@ |
|||||
|
using Microsoft.AspNetCore.Http.Extensions; |
||||
|
using Ocelot.RequestId; |
||||
|
using Serilog; |
||||
|
using System.Diagnostics; |
||||
|
using System.Text; |
||||
|
using Yitter.IdGenerator; |
||||
|
|
||||
|
namespace HuiXin.Gateway.Ocelot.Middlewares |
||||
|
{ |
||||
|
public class AccessLoggingMiddleware |
||||
|
{ |
||||
|
private readonly RequestDelegate _next; |
||||
|
|
||||
|
public AccessLoggingMiddleware(RequestDelegate next) |
||||
|
{ |
||||
|
_next = next; |
||||
|
} |
||||
|
|
||||
|
public async Task InvokeAsync(HttpContext context) |
||||
|
{ |
||||
|
var traceIdKey = DefaultRequestIdKey.Value; |
||||
|
var traceId = YitIdHelper.NextId().ToString(); |
||||
|
context.TraceIdentifier = traceId; |
||||
|
context.Request.Headers[traceIdKey] = traceId; |
||||
|
|
||||
|
var sw = Stopwatch.StartNew(); |
||||
|
sw.Start(); |
||||
|
|
||||
|
var sb = new StringBuilder(); |
||||
|
|
||||
|
sb.AppendLine(); |
||||
|
sb.AppendLine("-------------------Request Start-------------------"); |
||||
|
sb.AppendLine(DateTime.Now.ToString()); |
||||
|
sb.AppendLine($"追踪id:{traceId}"); |
||||
|
sb.AppendLine($"地址:{context.Request.GetDisplayUrl()}"); |
||||
|
sb.AppendLine("请求头:"); |
||||
|
foreach (var header in context.Request.Headers) |
||||
|
{ |
||||
|
sb.AppendLine($"{header.Key}:{header.Value}"); |
||||
|
} |
||||
|
sb.AppendLine($"数据:{await GetRequestBody(context.Request)}"); |
||||
|
sb.AppendLine("===================Request End==================="); |
||||
|
|
||||
|
Log.Information(sb.ToString()); |
||||
|
sb.Clear(); |
||||
|
|
||||
|
//Copy a pointer to the original response body stream
|
||||
|
var originalBodyStream = context.Response.Body; |
||||
|
|
||||
|
//Create a new memory stream...
|
||||
|
using var responseBody = new MemoryStream(); |
||||
|
//...and use that for the temporary response body
|
||||
|
context.Response.Body = responseBody; |
||||
|
|
||||
|
//Continue down the Middleware pipeline, eventually returning to this class
|
||||
|
await _next(context); |
||||
|
|
||||
|
//Format the response from the server
|
||||
|
//var response = await FormatResponse(context.Response);
|
||||
|
sb.AppendLine(); |
||||
|
sb.AppendLine("-------------------Response Start-------------------"); |
||||
|
sb.AppendLine(DateTime.Now.ToString()); |
||||
|
sb.AppendLine($"追踪id:{traceId}"); |
||||
|
sb.AppendLine($"耗时:{sw.ElapsedMilliseconds}毫秒"); |
||||
|
sb.AppendLine($"状态码:{context.Response.StatusCode}"); |
||||
|
//sb.AppendLine("Headers: ");
|
||||
|
//foreach (var header in context.Response.Headers)
|
||||
|
//{
|
||||
|
// sb.AppendLine($"{header.Key}:{header.Value}");
|
||||
|
//}
|
||||
|
sb.AppendLine($"数据:{await GetResponseBody(context.Response)}"); |
||||
|
sb.AppendLine("===================Response End==================="); |
||||
|
|
||||
|
//Save log to chosen datastore
|
||||
|
Log.Information(sb.ToString()); |
||||
|
|
||||
|
sb.Clear(); |
||||
|
|
||||
|
//Copy the contents of the new memory stream (which contains the response) to the original stream, which is then returned to the client.
|
||||
|
await responseBody.CopyToAsync(originalBodyStream); |
||||
|
} |
||||
|
|
||||
|
private static async Task<string> GetRequestBody(HttpRequest request) |
||||
|
{ |
||||
|
request.EnableBuffering(); |
||||
|
// Leave the body open so the next middleware can read it.
|
||||
|
using var reader = new StreamReader( |
||||
|
request.Body, |
||||
|
encoding: Encoding.UTF8, |
||||
|
detectEncodingFromByteOrderMarks: false, |
||||
|
leaveOpen: true); |
||||
|
var body = await reader.ReadToEndAsync(); |
||||
|
// Do some processing with body…
|
||||
|
|
||||
|
//var formattedRequest = $"{request.Scheme} {request.Host}{request.Path} {request.QueryString} {body}";
|
||||
|
|
||||
|
// Reset the request body stream position so the next middleware can read it
|
||||
|
request.Body.Position = 0; |
||||
|
|
||||
|
return body; |
||||
|
} |
||||
|
|
||||
|
private static async Task<string> GetResponseBody(HttpResponse response) |
||||
|
{ |
||||
|
//We need to read the response stream from the beginning...
|
||||
|
response.Body.Seek(0, SeekOrigin.Begin); |
||||
|
|
||||
|
//...and copy it into a string
|
||||
|
string text = await new StreamReader(response.Body).ReadToEndAsync(); |
||||
|
|
||||
|
//We need to reset the reader for the response so that the client can read it.
|
||||
|
response.Body.Seek(0, SeekOrigin.Begin); |
||||
|
|
||||
|
//Return the string for the response, including the status code (e.g. 200, 404, 401, etc.)
|
||||
|
//return $"{response.StatusCode}: {text}";
|
||||
|
return text; |
||||
|
} |
||||
|
|
||||
|
static AccessLoggingMiddleware() |
||||
|
{ |
||||
|
// 创建 IdGeneratorOptions 对象,可在构造函数中输入 WorkerId:
|
||||
|
var options = new IdGeneratorOptions(); |
||||
|
// options.WorkerIdBitLength = 10; // 默认值6,限定 WorkerId 最大值为2^6-1,即默认最多支持64个节点。
|
||||
|
// options.SeqBitLength = 6; // 默认值6,限制每毫秒生成的ID个数。若生成速度超过5万个/秒,建议加大 SeqBitLength 到 10。
|
||||
|
// options.BaseTime = Your_Base_Time; // 如果要兼容老系统的雪花算法,此处应设置为老系统的BaseTime。
|
||||
|
// ...... 其它参数参考 IdGeneratorOptions 定义。
|
||||
|
|
||||
|
// 保存参数(务必调用,否则参数设置不生效):
|
||||
|
YitIdHelper.SetIdGenerator(options); |
||||
|
} |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,34 @@ |
|||||
|
using Ocelot.Infrastructure.Claims.Parser; |
||||
|
using Ocelot.Logging; |
||||
|
using Ocelot.Middleware; |
||||
|
using Ocelot.Responses; |
||||
|
|
||||
|
namespace HuiXin.Gateway.Ocelot.Middlewares |
||||
|
{ |
||||
|
public class MyAuthorizationMiddleware : OcelotMiddleware |
||||
|
{ |
||||
|
private readonly RequestDelegate _next; |
||||
|
private readonly IClaimsParser _claimsParser; |
||||
|
|
||||
|
public MyAuthorizationMiddleware(RequestDelegate next, |
||||
|
IClaimsParser claimsParser, |
||||
|
IOcelotLoggerFactory loggerFactory) |
||||
|
: base(loggerFactory.CreateLogger<MyAuthorizationMiddleware>()) |
||||
|
{ |
||||
|
_next = next; |
||||
|
_claimsParser = claimsParser; |
||||
|
} |
||||
|
|
||||
|
public async Task Invoke(HttpContext httpContext) |
||||
|
{ |
||||
|
Authorize(httpContext); |
||||
|
await _next.Invoke(httpContext); |
||||
|
} |
||||
|
|
||||
|
public Response<bool> Authorize(HttpContext httpContext) |
||||
|
{ |
||||
|
var values = _claimsParser.GetValuesByClaimType(httpContext.User.Claims, "role"); |
||||
|
return new OkResponse<bool>(true); |
||||
|
} |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,78 @@ |
|||||
|
using HuiXin.Gateway.Ocelot.Extensions; |
||||
|
using Serilog; |
||||
|
using System.Security.Cryptography; |
||||
|
|
||||
|
namespace HuiXin.Gateway.Ocelot |
||||
|
{ |
||||
|
public class Program |
||||
|
{ |
||||
|
public static void Main(string[] args) |
||||
|
{ |
||||
|
//BuildJwt();
|
||||
|
|
||||
|
var configuration = new ConfigurationBuilder() |
||||
|
.AddJsonFile("Configs/ocelot.json", false, true) |
||||
|
.AddJsonFile("Configs/jwt.json", false, false) |
||||
|
.AddJsonFile("Configs/serilog.json", false, true) |
||||
|
.Build(); |
||||
|
|
||||
|
var logger = new LoggerConfiguration() |
||||
|
.ReadFrom.Configuration(configuration) |
||||
|
.CreateLogger(); |
||||
|
Log.Logger = logger; |
||||
|
|
||||
|
try |
||||
|
{ |
||||
|
var builder = WebApplication.CreateBuilder(args); |
||||
|
|
||||
|
builder.Configuration.AddConfiguration(configuration); |
||||
|
|
||||
|
var services = builder.Services; |
||||
|
|
||||
|
services.AddCors(); |
||||
|
services.AddLogging(loggingBuilder => loggingBuilder.ClearProviders().AddSerilog()); |
||||
|
|
||||
|
services.AddJWT(configuration); |
||||
|
|
||||
|
services.AddMyOcelot(configuration); |
||||
|
|
||||
|
var app = builder.Build(); |
||||
|
|
||||
|
app.UseCors(); |
||||
|
app.UseJWT(); |
||||
|
|
||||
|
app.UseMyOcelot(); |
||||
|
|
||||
|
app.Run(); |
||||
|
|
||||
|
Log.Information("系统已启动"); |
||||
|
} |
||||
|
catch (Exception ex) |
||||
|
{ |
||||
|
Log.Fatal(ex, "系统异常"); |
||||
|
} |
||||
|
finally |
||||
|
{ |
||||
|
Log.CloseAndFlush(); |
||||
|
} |
||||
|
} |
||||
|
|
||||
|
static void BuildJwt() |
||||
|
{ |
||||
|
using var aes = Aes.Create(); |
||||
|
aes.KeySize = 256; |
||||
|
aes.GenerateKey(); |
||||
|
var sign = Convert.ToBase64String(aes.Key); |
||||
|
var extraHeaders = new Dictionary<string, string> { { "kid", "MyKey" } }; |
||||
|
//过期时间(可以不设置,下面表示签名后 10秒过期)
|
||||
|
double exp = (DateTime.UtcNow.AddDays(10) - new DateTime(1970, 1, 1)).TotalSeconds; |
||||
|
var payload = new Dictionary<string, object> |
||||
|
{ |
||||
|
{ "userId", "001" }, |
||||
|
{ "userAccount", "fan" }, |
||||
|
{ "exp",exp } |
||||
|
}; |
||||
|
Console.WriteLine("Token:" + JWTUtil.CreateJwtToken(payload, sign, extraHeaders)); |
||||
|
} |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,30 @@ |
|||||
|
{ |
||||
|
"$schema": "http://json.schemastore.org/launchsettings.json", |
||||
|
"iisSettings": { |
||||
|
"windowsAuthentication": false, |
||||
|
"anonymousAuthentication": true, |
||||
|
"iisExpress": { |
||||
|
"applicationUrl": "http://localhost:21406", |
||||
|
"sslPort": 0 |
||||
|
} |
||||
|
}, |
||||
|
"profiles": { |
||||
|
"http": { |
||||
|
"commandName": "Project", |
||||
|
"dotnetRunMessages": true, |
||||
|
"launchBrowser": true, |
||||
|
"applicationUrl": "http://localhost:5000", |
||||
|
"launchUrl": "user/getById", |
||||
|
"environmentVariables": { |
||||
|
"ASPNETCORE_ENVIRONMENT": "Development" |
||||
|
} |
||||
|
}, |
||||
|
"IIS Express": { |
||||
|
"commandName": "IISExpress", |
||||
|
"launchBrowser": true, |
||||
|
"environmentVariables": { |
||||
|
"ASPNETCORE_ENVIRONMENT": "Development" |
||||
|
} |
||||
|
} |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,9 @@ |
|||||
|
{ |
||||
|
"Logging": { |
||||
|
"LogLevel": { |
||||
|
"Default": "Information", |
||||
|
"Microsoft.AspNetCore": "Warning", |
||||
|
"Ocelot": "Error" |
||||
|
} |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,9 @@ |
|||||
|
{ |
||||
|
"Logging": { |
||||
|
"LogLevel": { |
||||
|
"Default": "Information", |
||||
|
"Microsoft.AspNetCore": "Warning" |
||||
|
} |
||||
|
}, |
||||
|
"AllowedHosts": "*" |
||||
|
} |
||||
@ -0,0 +1,13 @@ |
|||||
|
<Project Sdk="Microsoft.NET.Sdk.Web"> |
||||
|
|
||||
|
<PropertyGroup> |
||||
|
<TargetFramework>net8.0</TargetFramework> |
||||
|
<Nullable>enable</Nullable> |
||||
|
<ImplicitUsings>enable</ImplicitUsings> |
||||
|
</PropertyGroup> |
||||
|
|
||||
|
<ItemGroup> |
||||
|
<PackageReference Include="Yarp.ReverseProxy" Version="2.1.0" /> |
||||
|
</ItemGroup> |
||||
|
|
||||
|
</Project> |
||||
@ -0,0 +1,15 @@ |
|||||
|
namespace HuiXin.Gateway.Yarp |
||||
|
{ |
||||
|
public class Program |
||||
|
{ |
||||
|
public static void Main(string[] args) |
||||
|
{ |
||||
|
var builder = WebApplication.CreateBuilder(args); |
||||
|
var app = builder.Build(); |
||||
|
|
||||
|
app.MapGet("/", () => "Hello World!"); |
||||
|
|
||||
|
app.Run(); |
||||
|
} |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,29 @@ |
|||||
|
{ |
||||
|
"$schema": "http://json.schemastore.org/launchsettings.json", |
||||
|
"iisSettings": { |
||||
|
"windowsAuthentication": false, |
||||
|
"anonymousAuthentication": true, |
||||
|
"iisExpress": { |
||||
|
"applicationUrl": "http://localhost:17782", |
||||
|
"sslPort": 0 |
||||
|
} |
||||
|
}, |
||||
|
"profiles": { |
||||
|
"http": { |
||||
|
"commandName": "Project", |
||||
|
"dotnetRunMessages": true, |
||||
|
"launchBrowser": true, |
||||
|
"applicationUrl": "http://localhost:5167", |
||||
|
"environmentVariables": { |
||||
|
"ASPNETCORE_ENVIRONMENT": "Development" |
||||
|
} |
||||
|
}, |
||||
|
"IIS Express": { |
||||
|
"commandName": "IISExpress", |
||||
|
"launchBrowser": true, |
||||
|
"environmentVariables": { |
||||
|
"ASPNETCORE_ENVIRONMENT": "Development" |
||||
|
} |
||||
|
} |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,8 @@ |
|||||
|
{ |
||||
|
"Logging": { |
||||
|
"LogLevel": { |
||||
|
"Default": "Information", |
||||
|
"Microsoft.AspNetCore": "Warning" |
||||
|
} |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,9 @@ |
|||||
|
{ |
||||
|
"Logging": { |
||||
|
"LogLevel": { |
||||
|
"Default": "Information", |
||||
|
"Microsoft.AspNetCore": "Warning" |
||||
|
} |
||||
|
}, |
||||
|
"AllowedHosts": "*" |
||||
|
} |
||||
@ -0,0 +1,37 @@ |
|||||
|
|
||||
|
Microsoft Visual Studio Solution File, Format Version 12.00 |
||||
|
# Visual Studio Version 17 |
||||
|
VisualStudioVersion = 17.9.34622.214 |
||||
|
MinimumVisualStudioVersion = 10.0.40219.1 |
||||
|
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "HuiXin.Gateway.Ocelot", "HuiXin.Gateway.Ocelot\HuiXin.Gateway.Ocelot.csproj", "{2E2162C5-FC45-478B-83D4-14148477D627}" |
||||
|
EndProject |
||||
|
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "HuiXin.Identity.OpenIddict", "HuiXin.Identity.OpenIddict\HuiXin.Identity.OpenIddict.csproj", "{819D01DC-9EFE-427E-B73E-9022DC7843EC}" |
||||
|
EndProject |
||||
|
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "HuiXin.Gateway.Yarp", "HuiXin.Gateway.Yarp\HuiXin.Gateway.Yarp.csproj", "{55A12844-A4CE-407A-BD7C-94469AA407F0}" |
||||
|
EndProject |
||||
|
Global |
||||
|
GlobalSection(SolutionConfigurationPlatforms) = preSolution |
||||
|
Debug|Any CPU = Debug|Any CPU |
||||
|
Release|Any CPU = Release|Any CPU |
||||
|
EndGlobalSection |
||||
|
GlobalSection(ProjectConfigurationPlatforms) = postSolution |
||||
|
{2E2162C5-FC45-478B-83D4-14148477D627}.Debug|Any CPU.ActiveCfg = Debug|Any CPU |
||||
|
{2E2162C5-FC45-478B-83D4-14148477D627}.Debug|Any CPU.Build.0 = Debug|Any CPU |
||||
|
{2E2162C5-FC45-478B-83D4-14148477D627}.Release|Any CPU.ActiveCfg = Release|Any CPU |
||||
|
{2E2162C5-FC45-478B-83D4-14148477D627}.Release|Any CPU.Build.0 = Release|Any CPU |
||||
|
{819D01DC-9EFE-427E-B73E-9022DC7843EC}.Debug|Any CPU.ActiveCfg = Debug|Any CPU |
||||
|
{819D01DC-9EFE-427E-B73E-9022DC7843EC}.Debug|Any CPU.Build.0 = Debug|Any CPU |
||||
|
{819D01DC-9EFE-427E-B73E-9022DC7843EC}.Release|Any CPU.ActiveCfg = Release|Any CPU |
||||
|
{819D01DC-9EFE-427E-B73E-9022DC7843EC}.Release|Any CPU.Build.0 = Release|Any CPU |
||||
|
{55A12844-A4CE-407A-BD7C-94469AA407F0}.Debug|Any CPU.ActiveCfg = Debug|Any CPU |
||||
|
{55A12844-A4CE-407A-BD7C-94469AA407F0}.Debug|Any CPU.Build.0 = Debug|Any CPU |
||||
|
{55A12844-A4CE-407A-BD7C-94469AA407F0}.Release|Any CPU.ActiveCfg = Release|Any CPU |
||||
|
{55A12844-A4CE-407A-BD7C-94469AA407F0}.Release|Any CPU.Build.0 = Release|Any CPU |
||||
|
EndGlobalSection |
||||
|
GlobalSection(SolutionProperties) = preSolution |
||||
|
HideSolutionNode = FALSE |
||||
|
EndGlobalSection |
||||
|
GlobalSection(ExtensibilityGlobals) = postSolution |
||||
|
SolutionGuid = {8F9B214D-FFA3-4E2C-8103-6A92331507EA} |
||||
|
EndGlobalSection |
||||
|
EndGlobal |
||||
@ -0,0 +1,12 @@ |
|||||
|
using Microsoft.EntityFrameworkCore; |
||||
|
|
||||
|
namespace HuiXin.Identity.OpenIddict |
||||
|
{ |
||||
|
public class ApplicationDbContext : DbContext |
||||
|
{ |
||||
|
public ApplicationDbContext(DbContextOptions options) |
||||
|
: base(options) |
||||
|
{ |
||||
|
} |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,357 @@ |
|||||
|
using Microsoft.AspNetCore; |
||||
|
using Microsoft.AspNetCore.Authentication; |
||||
|
using Microsoft.AspNetCore.Mvc; |
||||
|
using Microsoft.Extensions.Primitives; |
||||
|
using Microsoft.IdentityModel.Tokens; |
||||
|
using Newtonsoft.Json; |
||||
|
using OpenIddict.Abstractions; |
||||
|
using OpenIddict.Server.AspNetCore; |
||||
|
using System.Collections.Immutable; |
||||
|
using System.Security.Claims; |
||||
|
using static OpenIddict.Abstractions.OpenIddictConstants; |
||||
|
|
||||
|
namespace HuiXin.Identity.OpenIddict.Controllers |
||||
|
{ |
||||
|
[ApiController] |
||||
|
[Route("auth")] |
||||
|
public class AuthorizationController : Controller |
||||
|
{ |
||||
|
private readonly IOpenIddictApplicationManager _applicationManager; |
||||
|
private readonly IOpenIddictAuthorizationManager _authorizationManager; |
||||
|
private readonly IOpenIddictScopeManager _scopeManager; |
||||
|
|
||||
|
public AuthorizationController(IOpenIddictApplicationManager applicationManager, IOpenIddictAuthorizationManager authorizationManager, IOpenIddictScopeManager scopeManager) |
||||
|
{ |
||||
|
_applicationManager = applicationManager; |
||||
|
_scopeManager = scopeManager; |
||||
|
_authorizationManager = authorizationManager; |
||||
|
} |
||||
|
|
||||
|
/// <summary>
|
||||
|
/// 登录权限校验
|
||||
|
/// </summary>
|
||||
|
/// <returns></returns>
|
||||
|
/// <exception cref="InvalidOperationException"></exception>
|
||||
|
/// <exception cref="Exception"></exception>
|
||||
|
[HttpGet("connect/authorize")] |
||||
|
[IgnoreAntiforgeryToken] |
||||
|
public async Task<IActionResult> Authorize() |
||||
|
{ |
||||
|
// var s=await _schemeProvider.GetAllSchemesAsync();
|
||||
|
|
||||
|
//通过扩展的获取自定义的参数校验
|
||||
|
var request = HttpContext.GetOpenIddictServerRequest() ?? throw new InvalidOperationException("未获取到相关认证情况"); |
||||
|
|
||||
|
#region 存在登录凭证且明确了登录请求的行为
|
||||
|
// 存在登录凭证且明确了登录请求的行为
|
||||
|
if (request.HasPrompt(Prompts.Login)) |
||||
|
{ |
||||
|
//这里有个小坑,在Challenge之前必须把这个行为去掉 不然 Challenge 进入 /connect/authorize 路由陷入死循环
|
||||
|
var prompt = string.Join(" ", request.GetPrompts().Remove(Prompts.Login)); |
||||
|
var parameters = Request.HasFormContentType ? |
||||
|
Request.Form.Where(parameter => parameter.Key != Parameters.Prompt).ToList() : |
||||
|
Request.Query.Where(parameter => parameter.Key != Parameters.Prompt).ToList(); |
||||
|
|
||||
|
parameters.Add(KeyValuePair.Create(Parameters.Prompt, new StringValues(prompt))); |
||||
|
|
||||
|
return Challenge( |
||||
|
authenticationSchemes: new[] { OpenIddictServerAspNetCoreDefaults.AuthenticationScheme }, // IdentityConstants.ApplicationScheme,
|
||||
|
properties: new AuthenticationProperties |
||||
|
{ |
||||
|
RedirectUri = Request.PathBase + Request.Path + QueryString.Create(parameters) |
||||
|
}); |
||||
|
} |
||||
|
#endregion
|
||||
|
//检索本地的Cookies信息 确定重定向页面 这里都是UTC时间来设置的过期情况 这里没有用Identity 所以这里可以指定自己的应用名称
|
||||
|
var result = await HttpContext.AuthenticateAsync(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme); //IdentityConstants.ApplicationScheme
|
||||
|
#region 未获取本地Cookies信息或者 cookie过期的情况
|
||||
|
if (request == null || !result.Succeeded || (request.MaxAge != null && result.Properties?.IssuedUtc != null && |
||||
|
DateTimeOffset.UtcNow - result.Properties.IssuedUtc > TimeSpan.FromSeconds(request.MaxAge.Value))) |
||||
|
{ |
||||
|
//是否是无效授权
|
||||
|
if (request.HasPrompt(Prompts.None)) |
||||
|
{ |
||||
|
return Forbid( |
||||
|
authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme, |
||||
|
properties: new AuthenticationProperties(new Dictionary<string, string?> |
||||
|
{ |
||||
|
[OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.LoginRequired, |
||||
|
[OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "用户未登录." |
||||
|
})); |
||||
|
} |
||||
|
return Challenge( |
||||
|
authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme, |
||||
|
properties: new AuthenticationProperties |
||||
|
{ |
||||
|
RedirectUri = Request.PathBase + Request.Path + QueryString.Create( |
||||
|
Request.HasFormContentType ? Request.Form.ToList() : Request.Query.ToList()) |
||||
|
}); |
||||
|
} |
||||
|
#endregion
|
||||
|
|
||||
|
|
||||
|
//var resultdata = _userService.GetLoginInfo(new Guid(result.Principal.GetClaim(Claims.Subject) ?? throw new Exception("用户标识存在"))) ?? throw new Exception("用户详细信息不存在");
|
||||
|
var resultdata = new UserInfo() |
||||
|
{ |
||||
|
Id = "user1", |
||||
|
UserName = "测试用户名", |
||||
|
NickName = "测试昵称", |
||||
|
}; |
||||
|
|
||||
|
// 获取客户端详细信息 验证其他数据
|
||||
|
var application = await _applicationManager.FindByClientIdAsync(request.ClientId) ?? throw new InvalidOperationException("未查找到该客户端的应用详细信息"); |
||||
|
|
||||
|
//查找当前情况客户端下请求用户的持久化授权数据信息
|
||||
|
var authorizations = _authorizationManager.FindAsync( |
||||
|
subject: resultdata.Id.ToString(), |
||||
|
client: await _applicationManager.GetIdAsync(application) ?? throw new Exception("没有找到客户端的应用信息"), //这里区分下 是application的Id而不是ClientId
|
||||
|
status: Statuses.Valid, |
||||
|
type: AuthorizationTypes.Permanent, |
||||
|
scopes: request.GetScopes() |
||||
|
).ToBlockingEnumerable();//.ToListAsync();
|
||||
|
|
||||
|
var consenttype = await _applicationManager.GetConsentTypeAsync(application); |
||||
|
//获取授权同意确认页面
|
||||
|
switch (consenttype) |
||||
|
{ |
||||
|
//判断授权同意的类型
|
||||
|
|
||||
|
//1 外部允许的且没有任何授权项
|
||||
|
case ConsentTypes.External when !authorizations.Any(): |
||||
|
return Forbid( |
||||
|
authenticationSchemes: new[] { OpenIddictServerAspNetCoreDefaults.AuthenticationScheme }, |
||||
|
properties: new AuthenticationProperties(new Dictionary<string, string?> |
||||
|
{ |
||||
|
[OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.ConsentRequired, |
||||
|
[OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = |
||||
|
"登录用户没用访问该客户端应用的权限" |
||||
|
})); |
||||
|
|
||||
|
// 隐式、外部授权、显示模式模式
|
||||
|
case ConsentTypes.Implicit: |
||||
|
case ConsentTypes.External when authorizations.Any(): |
||||
|
case ConsentTypes.Explicit when authorizations.Any() && !request.HasPrompt(Prompts.Consent): |
||||
|
|
||||
|
ClaimsPrincipal principal = CreateUserPrincpal(resultdata); |
||||
|
//设置请求的范围
|
||||
|
principal.SetScopes(request.GetScopes()); |
||||
|
|
||||
|
//查找scope允许访问的资源
|
||||
|
var resources = _scopeManager.ListResourcesAsync(principal.GetScopes()).ToBlockingEnumerable(); |
||||
|
//通过扩展设置不同的资源访问 其实本质都是设置Claims 只是 key 在 scope以及Resource上不同
|
||||
|
//Resource = "oi_rsrc";
|
||||
|
// Scope = "oi_scp";
|
||||
|
|
||||
|
principal.SetResources(resources); |
||||
|
|
||||
|
// 自动创建一个永久授权,以避免需要明确的同意 用于包含相同范围的未来授权或令牌请求
|
||||
|
var authorization = authorizations.LastOrDefault(); |
||||
|
if (authorization is null) |
||||
|
{ |
||||
|
authorization = await _authorizationManager.CreateAsync( |
||||
|
principal: principal, |
||||
|
subject: resultdata.Id.ToString(), |
||||
|
client: await _applicationManager.GetIdAsync(application), |
||||
|
type: AuthorizationTypes.Permanent, |
||||
|
scopes: principal.GetScopes()); |
||||
|
} |
||||
|
|
||||
|
principal.SetAuthorizationId(await _authorizationManager.GetIdAsync(authorization)); |
||||
|
|
||||
|
foreach (var claim in principal.Claims) |
||||
|
{ |
||||
|
claim.SetDestinations(GetDestinations(claim, principal)); |
||||
|
} |
||||
|
//登录 OpenIddict签发令牌
|
||||
|
return SignIn(principal, null, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme); |
||||
|
|
||||
|
// At this point, no authorization was found in the database and an error must be returned
|
||||
|
// if the client application specified prompt=none in the authorization request.
|
||||
|
case ConsentTypes.Explicit when request.HasPrompt(Prompts.None): |
||||
|
case ConsentTypes.Systematic when request.HasPrompt(Prompts.None): |
||||
|
return Forbid( |
||||
|
authenticationSchemes: new[] { OpenIddictServerAspNetCoreDefaults.AuthenticationScheme }, |
||||
|
properties: new AuthenticationProperties(new Dictionary<string, string?> |
||||
|
{ |
||||
|
[OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.ConsentRequired, |
||||
|
[OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = |
||||
|
"Interactive user consent is required." |
||||
|
})); |
||||
|
|
||||
|
// In every other case, render the consent form.
|
||||
|
//default:
|
||||
|
// return View(new AuthorizeViewModel
|
||||
|
// {
|
||||
|
// ApplicationName = await _applicationManager.GetLocalizedDisplayNameAsync(application),
|
||||
|
// Scope = request.Scope
|
||||
|
// });
|
||||
|
default: |
||||
|
return Challenge( |
||||
|
authenticationSchemes: new[] { OpenIddictServerAspNetCoreDefaults.AuthenticationScheme }, |
||||
|
properties: new AuthenticationProperties { RedirectUri = "/" } |
||||
|
); |
||||
|
} |
||||
|
} |
||||
|
|
||||
|
|
||||
|
[HttpPost("connect/token"), Produces("application/json")] |
||||
|
public async Task<IActionResult> ConnectToken() |
||||
|
{ |
||||
|
var request = HttpContext.GetOpenIddictServerRequest() ?? throw new InvalidOperationException("OIDC请求不存在"); |
||||
|
|
||||
|
if (request.IsClientCredentialsGrantType()) |
||||
|
{ |
||||
|
// Note: the client credentials are automatically validated by OpenIddict:
|
||||
|
// if client_id or client_secret are invalid, this action won't be invoked.
|
||||
|
|
||||
|
var application = await _applicationManager.FindByClientIdAsync(request.ClientId); |
||||
|
if (application is null) |
||||
|
{ |
||||
|
Console.WriteLine($"client_id未注册:{request.ClientId}"); |
||||
|
throw new InvalidOperationException("The application cannot be found."); |
||||
|
} |
||||
|
Console.WriteLine($"获取到客户信息:{JsonConvert.SerializeObject(application)}"); |
||||
|
|
||||
|
// Create a new ClaimsIdentity containing the claims that
|
||||
|
// will be used to create an id_token, a token or a code.
|
||||
|
var identity = new ClaimsIdentity(TokenValidationParameters.DefaultAuthenticationType, Claims.Name, Claims.Role); |
||||
|
|
||||
|
// Use the client_id as the subject identifier.
|
||||
|
identity.SetClaim(Claims.Subject, await _applicationManager.GetClientIdAsync(application)); |
||||
|
identity.SetClaim(Claims.Name, await _applicationManager.GetDisplayNameAsync(application)); |
||||
|
|
||||
|
identity.SetDestinations(static claim => claim.Type switch |
||||
|
{ |
||||
|
// Allow the "name" claim to be stored in both the access and identity tokens
|
||||
|
// when the "profile" scope was granted (by calling principal.SetScopes(...)).
|
||||
|
Claims.Name when claim.Subject.HasScope(Scopes.Profile) |
||||
|
=> new[] { Destinations.AccessToken, Destinations.IdentityToken }, |
||||
|
|
||||
|
// Otherwise, only store the claim in the access tokens.
|
||||
|
_ => new[] { Destinations.AccessToken } |
||||
|
}); |
||||
|
//Console.WriteLine($"identity信息:{JsonConvert.SerializeObject(identity)}");
|
||||
|
|
||||
|
var result = SignIn(new ClaimsPrincipal(identity), OpenIddictServerAspNetCoreDefaults.AuthenticationScheme); |
||||
|
//Console.WriteLine($"signIn信息:{JsonConvert.SerializeObject(result)}");
|
||||
|
return result; |
||||
|
} |
||||
|
else if (request.IsPasswordGrantType()) |
||||
|
{ |
||||
|
//数据库获取用户信息
|
||||
|
var princpal = CreateUserPrincpal(new UserInfo() |
||||
|
{ |
||||
|
Id = Guid.NewGuid().ToString(), |
||||
|
UserName = "测试用户名", |
||||
|
NickName = "测试昵称", |
||||
|
}); |
||||
|
//princpal.SetResources(_scopeManager.ListResourcesAsync(princpal.GetScopes()));
|
||||
|
|
||||
|
foreach (var claim in princpal.Claims) |
||||
|
{ |
||||
|
claim.SetDestinations(GetDestinations(claim, princpal)); |
||||
|
} |
||||
|
return SignIn(princpal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme); |
||||
|
} |
||||
|
else if (request.IsAuthorizationCodeGrantType() || request.IsDeviceCodeGrantType() || request.IsRefreshTokenGrantType()) |
||||
|
{ |
||||
|
var principal = (await HttpContext.AuthenticateAsync(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme)).Principal; |
||||
|
//var user = _userService.GetLoginInfo(new Guid(principal?.GetClaim(Claims.Subject) ?? throw new Exception("用户标识存在")));
|
||||
|
//UserInfo user = null;
|
||||
|
//if (user == null)
|
||||
|
//{
|
||||
|
// return Forbid(
|
||||
|
// authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
|
||||
|
// properties: new AuthenticationProperties(new Dictionary<string, string?>
|
||||
|
// {
|
||||
|
// [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidGrant,
|
||||
|
// [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "令牌已失效"
|
||||
|
// })
|
||||
|
// );
|
||||
|
//}
|
||||
|
foreach (var claim in principal.Claims) |
||||
|
{ |
||||
|
claim.SetDestinations(GetDestinations(claim, principal)); |
||||
|
} |
||||
|
return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme); |
||||
|
} |
||||
|
throw new InvalidOperationException($"不支持的grant_type:{request.GrantType}"); |
||||
|
} |
||||
|
|
||||
|
[HttpPost("connect/logout")] |
||||
|
public async Task<IActionResult> Logout() |
||||
|
{ |
||||
|
await HttpContext.SignOutAsync(); |
||||
|
return SignOut( |
||||
|
authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme, |
||||
|
properties: new AuthenticationProperties |
||||
|
{ |
||||
|
RedirectUri = "/" |
||||
|
}); |
||||
|
} |
||||
|
|
||||
|
public static ClaimsPrincipal CreateUserPrincpal(UserInfo user, string claimsIdentityName = "USERINFO") |
||||
|
{ |
||||
|
//登录成功流程
|
||||
|
ClaimsIdentity identity = new ClaimsIdentity(claimsIdentityName); |
||||
|
identity.AddClaim(new Claim(Claims.Subject, user.Id)); |
||||
|
identity.AddClaim(new Claim(Claims.Name, user.UserName)); |
||||
|
identity.AddClaim(new Claim(Claims.Nickname, user.NickName)); |
||||
|
return new ClaimsPrincipal(identity); |
||||
|
} |
||||
|
|
||||
|
private IEnumerable<string> GetDestinations(Claim claim) |
||||
|
{ |
||||
|
// Note: by default, claims are NOT automatically included in the access and identity tokens.
|
||||
|
// To allow OpenIddict to serialize them, you must attach them a destination, that specifies
|
||||
|
// whether they should be included in access tokens, in identity tokens or in both.
|
||||
|
|
||||
|
return claim.Type switch |
||||
|
{ |
||||
|
Claims.Name or |
||||
|
Claims.Subject |
||||
|
=> ImmutableArray.Create(Destinations.AccessToken, Destinations.IdentityToken), |
||||
|
|
||||
|
_ => ImmutableArray.Create(Destinations.AccessToken), |
||||
|
}; |
||||
|
} |
||||
|
|
||||
|
private IEnumerable<string> GetDestinations(Claim claim, ClaimsPrincipal principal) |
||||
|
{ |
||||
|
|
||||
|
switch (claim.Type) |
||||
|
{ |
||||
|
case Claims.Name: |
||||
|
yield return Destinations.AccessToken; |
||||
|
|
||||
|
if (principal.HasScope(Scopes.Profile)) |
||||
|
yield return Destinations.IdentityToken; |
||||
|
|
||||
|
yield break; |
||||
|
|
||||
|
case Claims.Email: |
||||
|
yield return Destinations.AccessToken; |
||||
|
|
||||
|
if (principal.HasScope(Scopes.Email)) |
||||
|
yield return Destinations.IdentityToken; |
||||
|
|
||||
|
yield break; |
||||
|
|
||||
|
case Claims.Role: |
||||
|
yield return Destinations.AccessToken; |
||||
|
|
||||
|
if (principal.HasScope(Scopes.Roles)) |
||||
|
yield return Destinations.IdentityToken; |
||||
|
|
||||
|
yield break; |
||||
|
|
||||
|
|
||||
|
case "AspNet.Identity.SecurityStamp": yield break; |
||||
|
|
||||
|
default: |
||||
|
yield return Destinations.AccessToken; |
||||
|
yield break; |
||||
|
} |
||||
|
} |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,21 @@ |
|||||
|
using Microsoft.AspNetCore.Mvc; |
||||
|
using OpenIddict.Abstractions; |
||||
|
|
||||
|
namespace HuiXin.Identity.OpenIddict.Controllers |
||||
|
{ |
||||
|
[ApiController] |
||||
|
[Route("user")] |
||||
|
public class UserController : Controller |
||||
|
{ |
||||
|
private readonly IOpenIddictApplicationManager _applicationManager; |
||||
|
private readonly IOpenIddictAuthorizationManager _authorizationManager; |
||||
|
private readonly IOpenIddictScopeManager _scopeManager; |
||||
|
|
||||
|
public UserController(IOpenIddictApplicationManager applicationManager, IOpenIddictAuthorizationManager authorizationManager, IOpenIddictScopeManager scopeManager) |
||||
|
{ |
||||
|
_applicationManager = applicationManager; |
||||
|
_scopeManager = scopeManager; |
||||
|
_authorizationManager = authorizationManager; |
||||
|
} |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,19 @@ |
|||||
|
<Project Sdk="Microsoft.NET.Sdk.Web"> |
||||
|
|
||||
|
<PropertyGroup> |
||||
|
<TargetFramework>net8.0</TargetFramework> |
||||
|
<Nullable>enable</Nullable> |
||||
|
<ImplicitUsings>enable</ImplicitUsings> |
||||
|
</PropertyGroup> |
||||
|
|
||||
|
<ItemGroup> |
||||
|
<PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.3" /> |
||||
|
<PackageReference Include="Microsoft.EntityFrameworkCore" Version="8.0.3" /> |
||||
|
<PackageReference Include="MySql.EntityFrameworkCore" Version="8.0.0" /> |
||||
|
<PackageReference Include="Newtonsoft.Json" Version="13.0.3" /> |
||||
|
<PackageReference Include="OpenIddict.AspNetCore" Version="5.3.0" /> |
||||
|
<PackageReference Include="OpenIddict.EntityFrameworkCore" Version="5.3.0" /> |
||||
|
<PackageReference Include="OpenIddict.Validation.AspNetCore" Version="5.3.0" /> |
||||
|
</ItemGroup> |
||||
|
|
||||
|
</Project> |
||||
@ -0,0 +1,108 @@ |
|||||
|
using Microsoft.AspNetCore.Identity; |
||||
|
using Microsoft.EntityFrameworkCore; |
||||
|
using Microsoft.IdentityModel.Tokens; |
||||
|
using OpenIddict.Validation.AspNetCore; |
||||
|
using System.Text; |
||||
|
|
||||
|
namespace HuiXin.Identity.OpenIddict |
||||
|
{ |
||||
|
public class Program |
||||
|
{ |
||||
|
public static void Main(string[] args) |
||||
|
{ |
||||
|
var builder = WebApplication.CreateBuilder(args); |
||||
|
|
||||
|
// Add services to the container.
|
||||
|
builder.Services.AddCors(); |
||||
|
builder.Services.AddControllers(); |
||||
|
|
||||
|
builder.Services |
||||
|
.AddAuthentication(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme) |
||||
|
.AddCookie(); |
||||
|
|
||||
|
builder.Services.AddDbContext<ApplicationDbContext>(options => |
||||
|
{ |
||||
|
//options.UseSqlite("DataSource=:memory:");
|
||||
|
options.UseMySQL("server=8.134.236.110;port=13306;database=openiddict;user=test;password=test") |
||||
|
.UseQueryTrackingBehavior(QueryTrackingBehavior.NoTracking); |
||||
|
|
||||
|
// Register the entity sets needed by OpenIddict.
|
||||
|
// Note: use the generic overload if you need to replace the default OpenIddict entities.
|
||||
|
options.UseOpenIddict(); |
||||
|
}); |
||||
|
|
||||
|
builder.Services.AddIdentity<UserInfo, IdentityRole>() |
||||
|
.AddEntityFrameworkStores<ApplicationDbContext>() |
||||
|
.AddDefaultTokenProviders(); |
||||
|
|
||||
|
builder.Services |
||||
|
.AddOpenIddict() |
||||
|
// Register the OpenIddict core components.
|
||||
|
.AddCore(options => |
||||
|
{ |
||||
|
// Configure OpenIddict to use the Entity Framework Core stores and models.
|
||||
|
// Note: call ReplaceDefaultEntities() to replace the default entities.
|
||||
|
options.UseEntityFrameworkCore() |
||||
|
.UseDbContext<ApplicationDbContext>(); |
||||
|
}) |
||||
|
// Register the OpenIddict server components.
|
||||
|
.AddServer(options => |
||||
|
{ |
||||
|
options.SetAccessTokenLifetime(TimeSpan.FromMinutes(5)); |
||||
|
options.SetIdentityTokenLifetime(TimeSpan.FromMinutes(5)); |
||||
|
options.SetRefreshTokenLifetime(TimeSpan.FromDays(365 * 100)); |
||||
|
|
||||
|
// Enable the token endpoint.
|
||||
|
options.SetTokenEndpointUris("auth/connect/token"); |
||||
|
options.SetAuthorizationEndpointUris("auth/connect/authorize"); |
||||
|
options.SetUserinfoEndpointUris("auth/connect/userinfo"); |
||||
|
options.SetLogoutEndpointUris("auth/connect/logout"); |
||||
|
|
||||
|
// Enable the client credentials flow.
|
||||
|
options.AllowClientCredentialsFlow(); |
||||
|
options.AllowAuthorizationCodeFlow(); |
||||
|
options.AllowPasswordFlow(); |
||||
|
options.AllowRefreshTokenFlow(); |
||||
|
|
||||
|
// Register the signing and encryption credentials.
|
||||
|
options.AddEncryptionKey(new SymmetricSecurityKey(Convert.FromBase64String("GcTdqSZdpRxBtdtgwvDHBzS427VGTQzbM+JD1CBbUZY="))); |
||||
|
options.AddDevelopmentSigningCertificate(); |
||||
|
|
||||
|
// Register the ASP.NET Core host and configure the ASP.NET Core options.
|
||||
|
options.UseAspNetCore() |
||||
|
.EnableTokenEndpointPassthrough() |
||||
|
.EnableAuthorizationEndpointPassthrough() |
||||
|
.EnableUserinfoEndpointPassthrough() |
||||
|
.EnableLogoutEndpointPassthrough() |
||||
|
.DisableTransportSecurityRequirement(); |
||||
|
|
||||
|
options.IgnoreEndpointPermissions(); |
||||
|
options.IgnoreGrantTypePermissions(); |
||||
|
options.IgnoreScopePermissions(); |
||||
|
options.IgnoreResponseTypePermissions(); |
||||
|
}) |
||||
|
// Register the OpenIddict validation components.
|
||||
|
.AddValidation(options => |
||||
|
{ |
||||
|
// Import the configuration from the local OpenIddict server instance.
|
||||
|
options.UseLocalServer(); |
||||
|
|
||||
|
// Register the ASP.NET Core host.
|
||||
|
options.UseAspNetCore(); |
||||
|
}); |
||||
|
builder.Services.AddHostedService<Worker>(); |
||||
|
|
||||
|
var app = builder.Build(); |
||||
|
|
||||
|
// Configure the HTTP request pipeline.
|
||||
|
|
||||
|
//app.UseHttpsRedirection();
|
||||
|
|
||||
|
app.UseAuthorization(); |
||||
|
|
||||
|
app.MapControllers(); |
||||
|
|
||||
|
app.Run(); |
||||
|
} |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,29 @@ |
|||||
|
{ |
||||
|
"$schema": "http://json.schemastore.org/launchsettings.json", |
||||
|
"iisSettings": { |
||||
|
"windowsAuthentication": false, |
||||
|
"anonymousAuthentication": true, |
||||
|
"iisExpress": { |
||||
|
"applicationUrl": "http://localhost:61533", |
||||
|
"sslPort": 0 |
||||
|
} |
||||
|
}, |
||||
|
"profiles": { |
||||
|
"http": { |
||||
|
"commandName": "Project", |
||||
|
"dotnetRunMessages": true, |
||||
|
"launchBrowser": true, |
||||
|
"applicationUrl": "http://localhost:5001", |
||||
|
"environmentVariables": { |
||||
|
"ASPNETCORE_ENVIRONMENT": "Development" |
||||
|
} |
||||
|
}, |
||||
|
"IIS Express": { |
||||
|
"commandName": "IISExpress", |
||||
|
"launchBrowser": true, |
||||
|
"environmentVariables": { |
||||
|
"ASPNETCORE_ENVIRONMENT": "Development" |
||||
|
} |
||||
|
} |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,11 @@ |
|||||
|
using Microsoft.AspNetCore.Identity; |
||||
|
|
||||
|
namespace HuiXin.Identity.OpenIddict |
||||
|
{ |
||||
|
public class UserInfo : IdentityUser |
||||
|
{ |
||||
|
public string Id { get; set; } |
||||
|
public string UserName { get; set; } |
||||
|
public string NickName { get; set; } |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,41 @@ |
|||||
|
using OpenIddict.Abstractions; |
||||
|
|
||||
|
namespace HuiXin.Identity.OpenIddict |
||||
|
{ |
||||
|
public class Worker : IHostedService |
||||
|
{ |
||||
|
private readonly IServiceProvider _serviceProvider; |
||||
|
|
||||
|
public Worker(IServiceProvider serviceProvider) => _serviceProvider = serviceProvider; |
||||
|
|
||||
|
public async Task StartAsync(CancellationToken cancellationToken) |
||||
|
{ |
||||
|
using var scope = _serviceProvider.CreateScope(); |
||||
|
|
||||
|
var context = scope.ServiceProvider.GetRequiredService<ApplicationDbContext>(); |
||||
|
await context.Database.EnsureCreatedAsync(cancellationToken); |
||||
|
|
||||
|
var manager = scope.ServiceProvider.GetRequiredService<IOpenIddictApplicationManager>(); |
||||
|
//var authManager = scope.ServiceProvider.GetRequiredService<IOpenIddictAuthorizationManager>();
|
||||
|
|
||||
|
var data = await manager.FindByClientIdAsync("apisix", cancellationToken) ?? await manager.CreateAsync( |
||||
|
new OpenIddictApplicationDescriptor |
||||
|
{ |
||||
|
ClientId = "apisix", |
||||
|
ClientSecret = "388D45FA-B36B-4988-BA59-B187D329C207", |
||||
|
DisplayName = "APISIX的测试客户", |
||||
|
Permissions = |
||||
|
{ |
||||
|
OpenIddictConstants.Permissions.Endpoints.Authorization, |
||||
|
OpenIddictConstants.Permissions.Endpoints.Logout, |
||||
|
OpenIddictConstants.Permissions.Endpoints.Token |
||||
|
}, |
||||
|
RedirectUris = { new Uri("http://8.134.191.93:9080/test/callback")}, |
||||
|
}, cancellationToken); |
||||
|
//await manager.DeleteAsync(data);
|
||||
|
Console.WriteLine($"APISIX的测试客户:{System.Text.Json.JsonSerializer.Serialize(data)}"); |
||||
|
} |
||||
|
|
||||
|
public Task StopAsync(CancellationToken cancellationToken) => Task.CompletedTask; |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,8 @@ |
|||||
|
{ |
||||
|
"Logging": { |
||||
|
"LogLevel": { |
||||
|
"Default": "Information", |
||||
|
"Microsoft.AspNetCore": "Warning" |
||||
|
} |
||||
|
} |
||||
|
} |
||||
@ -0,0 +1,9 @@ |
|||||
|
{ |
||||
|
"Logging": { |
||||
|
"LogLevel": { |
||||
|
"Default": "Information", |
||||
|
"Microsoft.AspNetCore": "Warning" |
||||
|
} |
||||
|
}, |
||||
|
"AllowedHosts": "*" |
||||
|
} |
||||
Loading…
Reference in new issue