1.新建项目
新建ASP .Net Core项目IdentityServer.EasyDemo.IdentityServer,选择.net core 2.0
1
2
引用IdentityServer4
3
2.定义Api资源
添加一个Config.cs文件,在其中定义Api资源
Api资源指上述的Api,可以有多个,在这里设置了,并且Api的配置与之匹配,IdentityServer才能识别那个Api
eg.IdentityServer项目的Api资源池里面有一个名叫"api1"的Api资源,Api项目中设置ApiName为"api1",则双方匹配
public static IEnumerable GetApiResources()
{
return new List
{
//参数是资源名称,资源显示名称
new ApiResource("api1", "My API")
};
}
3.定义客户端Client
继续在Config.cs中添加Client
Client指的是各个调用服务的客户端,可以有多个
用户要设置ClientId,这是它的唯一标志,在Client列表里面,ClientId不能重复,ClientSecrets是用来验证用户的密码,AllowedScopes记录了它的权限范围
注意:可以多个客户端共用一个ClientId,则对于IdentityServer来说,这些客户端都是一个"Client"。这个在你的客户端都具有相同的权限范围,或者说要求完全一样的时候,可以简化为这样。
public static IEnumerable GetClients()
{
return new List
{
new Client
{
ClientId = "client",
AllowedGrantTypes = GrantTypes.ClientCredentials,
// 用于验证的secret
ClientSecrets =
{
new Secret("secret".Sha256())
},
// 允许的范围
AllowedScopes = { "api1" }
}
};
}
4.配置IdentityServer
在services里面添加IdentityServer,并且将Api资源和Client集合放入内存,交给IdentityServer
public void ConfigureServices(IServiceCollection services)
{
//配置IdentityServer,包括把Api资源,Client集合,密钥保存在内存
services.AddIdentityServer()
//设置临时签名凭据
.AddDeveloperSigningCredential()
//从Config类里面读取刚刚定义的Api资源
.AddInMemoryApiResources(Config.GetApiResources())
//从Config类里面读取刚刚定义的Client集合
.AddInMemoryClients(Config.GetClients());
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
app.UseIdentityServer();
}
5.在属性中将IdentityServer项目的端口号设置为5000
1
6.查看IdentityServer的相关信息
通过这个网址查看:http://localhost:5000/.well-known/openid-configuration
2
{
"issuer": "http://localhost:5000",
"jwks_uri": "http://localhost:5000/.well-known/openid-configuration/jwks",
"authorization_endpoint": "http://localhost:5000/connect/authorize",
"token_endpoint": "http://localhost:5000/connect/token",
"userinfo_endpoint": "http://localhost:5000/connect/userinfo",
"end_session_endpoint": "http://localhost:5000/connect/endsession",
"check_session_iframe": "http://localhost:5000/connect/checksession",
"revocation_endpoint": "http://localhost:5000/connect/revocation",
"introspection_endpoint": "http://localhost:5000/connect/introspect",
"frontchannel_logout_supported": true,
"frontchannel_logout_session_supported": true,
"backchannel_logout_supported": true,
"backchannel_logout_session_supported": true,
"scopes_supported": [
"api1",
"offline_access"
],
"claims_supported": [],
"grant_types_supported": [
"authorization_code",
"client_credentials",
"refresh_token",
"implicit"
],
"response_types_supported": [
"code",
"token",
"id_token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"response_modes_supported": [
"form_post",
"query",
"fragment"
],
"token_endpoint_auth_methods_supported": [
"client_secret_basic",
"client_secret_post"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"code_challenge_methods_supported": [
"plain",
"S256"
]
}