
How to Protect Resource APIs by Module in Ids4

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article shares how to protect resource APIs by module in Ids4. Most people are probably not very familiar with the topic, so it is offered here for reference.

Continuing from the previous post: last time we mentioned that IdentityServer4 (hereinafter Ids4) has officially been upgraded from v3 to v4, and my Blog.Idp project has been updated in step, mainly with the corresponding changes to the QuickStart UI. Updating the NuGet package of the Ids4 class library itself is a one-click job.

The update covers a lot, mostly optimizing some properties or improving compatibility with ASP.NET Core. I personally think the most important change is the new ApiResourceScopes table, which refines the granularity of the restrictions on the resource server. To sum up:

Previously, a client could only operate on a resource server as a whole, so every API under that resource server was protected and controlled together. Protection applied to the whole ApiResource.

After the refinement, one resource server can be split into multiple Scopes, so we can define multiple clients that access the same resource server module by module.

For example, the BlogVue project accesses the Blog-related APIs, and the TibugNuxt project accesses the Tibug-related APIs.

I will not go into the advantages and disadvantages of this extension here; you will understand them when you need it. This article only explains how to configure the three ends so that the resource API is protected by module.

I will use the http://vueblog.neters.club project as the example and define a Blog module in the Blog.Core resource server, implementing a Scope-based policy authorization scheme across the three ends.

1. Blog.Idp authentication center configuration

First we define the individual resource server scopes, and then assign those scopes to the resource:

    // v4 update
    public static IEnumerable<ApiScope> GetApiScopes()
    {
        return new ApiScope[]
        {
            new ApiScope("blog.core.api"),
            new ApiScope("blog.core.api.BlogModule"),
        };
    }

    public static IEnumerable<ApiResource> GetApiResources()
    {
        // blog.core project
        return new List<ApiResource>
        {
            new ApiResource("blog.core.api", "Blog.Core API")
            {
                // include the following claims in the access token (in addition to subject id)
                // requires: using IdentityModel;
                UserClaims = { JwtClaimTypes.Name, JwtClaimTypes.Role, "rolename" },

                // v4 update: scopes that belong to this resource
                Scopes = { "blog.core.api", "blog.core.api.BlogModule" },

                ApiSecrets = new List<Secret>()
                {
                    new Secret("api_secret".Sha256())
                },
            }
        };
    }

This is basic code that anyone who has learned Ids4 will understand. In the database, it looks like this:

Then we configure the Client, assigning the Scope we need to the specified client:

The corresponding database data is also very simple:

One more reminder: to learn Ids4 you must understand the database table structure well, knowing which data lives in which table and which error points to which configuration, so that your thinking stays clear.

That completes the authentication center configuration; the client is next.

2. Blog.Vue authentication connection configuration

This part is simple and almost the same as before. Only the scope changes, to the scope of the module:

    constructor() {
      super({
        authority: 'https://ids.neters.club',
        client_id: 'blogvuejs',
        redirect_uri: 'http://localhost:6688/callback',
        response_type: 'id_token token',
        scope: 'openid profile roles blog.core.api.BlogModule',
        post_logout_redirect_uri: 'http://localhost:6688'
      })
    }

The Scope used in this code is blog.core.api.BlogModule.

That leaves the last step, configuring the resource server. Now that a Scope is used, each specific scope needs its own policy scheme.

3. Blog.Core: add Scope policy authorization

First of all, for the sake of encapsulation, I wrote authentication and authorization separately. The structure is as follows:

Now that we have added the Scope, we need a Scope-based policy authorization scheme. In the authorization extension class AuthorizationSetup.cs, add this code:

    // 4. Authorization based on Scope policy
    services.AddAuthorization(options =>
    {
        // Policy for the blog module
        options.AddPolicy("Scope_BlogModule_Policy", builder =>
        {
            // the client's Scope must contain blog.core.api.BlogModule to get access
            builder.RequireScope("blog.core.api.BlogModule");
        });

        // policies of other modules
        // ...
    });

We can add as many modules as needed. Each module corresponds to a Scope, and each Scope corresponds to a Client, so the basic authorization scheme of the project is in place, and the authentication configuration does not need to change.

Then you only need to apply the authorization attribute to the specified controller or Action:
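The policy registration and controller attribute described above, as an added example that is not code from the Blog.Core project. It registers one policy per module from a table and checks the scope with RequireAssertion instead of RequireScope, so that it accepts both a JSON-array and a space-delimited scope claim. The class names ModuleScopePolicies and BlogSampleController, the route, and the claim type "scope" are assumptions.

```csharp
// Added example; names marked hypothetical are not from the original project.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class ModuleScopePolicies // hypothetical helper class
{
    // Policy name -> scope the access token must carry. One entry per module.
    private static readonly Dictionary<string, string> Map = new Dictionary<string, string>
    {
        ["Scope_BlogModule_Policy"] = "blog.core.api.BlogModule",
    };

    public static IServiceCollection AddModuleScopePolicies(this IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            foreach (var entry in Map)
            {
                var scope = entry.Value;
                options.AddPolicy(entry.Key, policy => policy
                    .RequireAuthenticatedUser()
                    .RequireAssertion(ctx => HasScope(ctx.User, scope)));
            }
        });
        return services;
    }

    // Accepts one "scope" claim per value (JSON array in the JWT) as well as a
    // single space-delimited "scope" claim. Exact, case-sensitive match only,
    // so "blog.core.api" does not satisfy "blog.core.api.BlogModule".
    public static bool HasScope(ClaimsPrincipal user, string required) =>
        user.FindAll("scope") // assumes the claim type is not remapped
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .Contains(required, StringComparer.Ordinal);
}

// Hypothetical controller: every action requires a token with the BlogModule scope.
[ApiController]
[Route("api/[controller]")]
[Authorize(Policy = "Scope_BlogModule_Policy")]
public class BlogSampleController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok(new { module = "Blog" });
}
```

A token issued to a client that was only granted a different module's scope is rejected with 403 on this controller, even though it is valid for the same resource server.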

We are almost done. After debugging, we can see that the newly generated Token has also changed:

You might ask: I already use complex database-based policy authorization, so why do this as well?

Here is how I see it. This scope-oriented approach can be controlled in Ids4 and subdivided down to the client, and once it is configured there is no need for complex database configuration. Of course, this generally suits front-end display projects; back-end Admin projects definitely still need very complex database configuration.

That is everything in this article on protecting resource APIs by module in Ids4. Thank you for reading!
