3

IdentityServerV3用于为少数客户验证用户。我在配置IdentityServer特定user必须能够登录到特定“客户端”的方式时遇到问题。

让我们看下面的场景:

我有 2 个客户 -> client1, client2. 我有 3 个用户 -> user1, user2, user3.

user1&user2只能访问client1。而user3可以client2单独访问。

当我尝试client1使用user3身份服务器登录时,身份验证成功。这是我不想要的。

public static class Clients
{
    public static IEnumerable<Client> Get()
    {
        return new[]
        {
            new Client 
            {
                Enabled = true,
                ClientName = "MVC Client",
                ClientId = "mvc",
                Flow = Flows.Hybrid,

                RedirectUris = new List<string>
                {
                    "https://localhost:44319/"
                }
            },
            new Client 
            {
                Enabled = true,
                ClientName = "MVC Client 2",
                ClientId = "mvc2",
                Flow = Flows.Hybrid,

                RedirectUris = new List<string>
                {
                    "https://localhost:44319/"
                }
            }
        };
    }
}

用户是:

public static class Users
{
    public static List<InMemoryUser> Get()
    {
        return new List<InMemoryUser>
        {
            new InMemoryUser
            {
                Username = "bob",
                Password = "secret",
                Subject = "1",

                Claims = new[]
                {
                    new Claim(Constants.ClaimTypes.GivenName, "Bob"),
                    new Claim(Constants.ClaimTypes.FamilyName, "Smith")
                }
            },
            new InMemoryUser
            {
                Username = "rob",
                Password = "secret",
                Subject = "2",

                Claims = new[]
                {
                    new Claim(Constants.ClaimTypes.GivenName, "Rob"),
                    new Claim(Constants.ClaimTypes.FamilyName, "Thompson")
                }
            },
            new InMemoryUser
            {
                Username = "Jerry",
                Password = "secret",
                Subject = "3",

                Claims = new[]
                {
                    new Claim(Constants.ClaimTypes.GivenName, "Jerry"),
                    new Claim(Constants.ClaimTypes.FamilyName, "Smith")
                }
            }
        };
    }
}

现在 OWIN 启动类是:

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.Map("/identity", idsrvApp =>
            {
                idsrvApp.UseIdentityServer(new IdentityServerOptions
                {
                    SiteName = "Embedded IdentityServer",
                    SigningCertificate = LoadCertificate(),

                    Factory = InMemoryFactory.Create(
                        users  : Users.Get(),
                        clients: Clients.Get(),
                        scopes : StandardScopes.All)
                });
            });
    }

    X509Certificate2 LoadCertificate()
    {
        return new X509Certificate2(
            string.Format(@"{0}\bin\identityServer\idsrv3test.pfx", AppDomain.CurrentDomain.BaseDirectory), "idsrv3test");
    }
}

我不知道如何IdentityServer知道哪个用户与哪个客户合作。是我的方案不受支持IdentityServer还是我遗漏了任何东西。

更新

    public class LocalRegistrationUserService : UserServiceBase
    {
        public class CustomUser
        {
            public string Subject { get; set; }
            public string Username { get; set; }
            public string Password { get; set; }
            public List<Claim> Claims { get; set; }
        }

        public static List<CustomUser> Users = new List<CustomUser>();

        public string ClientId { get; set; }

        public override Task AuthenticateLocalAsync(LocalAuthenticationContext context)
        {
            var user = Users.SingleOrDefault(x => x.Username == context.UserName && x.Password == context.Password);
            if (user != null)
            {
                context.AuthenticateResult = new AuthenticateResult(user.Subject, user.Username);
            }

            return Task.FromResult(0);
        }
}

While registering the user i am redirecting him to a controller in Identity Server Host.

 public class LocalRegistrationController : Controller
    {
        [Route("core/localregistration")]
        [HttpGet]
        public ActionResult Index(string signin)
        {
            return View();
        }

        [Route("core/localregistration")]
        [HttpPost]
        public ActionResult Index(string signin, LocalRegistrationModel model)
        {
            var ctx = Request.GetOwinContext();
            if (ModelState.IsValid)
            {
                var user = new LocalRegistrationUserService.CustomUser
                {
                    Username = model.Username, 
                    Password = model.Password, 
                    Subject = Guid.NewGuid().ToString(),
                    Claims = new List<Claim>()
                };
                LocalRegistrationUserService.Users.Add(user);
                user.Claims.Add(new Claim(Constants.ClaimTypes.GivenName, model.First));
                user.Claims.Add(new Claim(Constants.ClaimTypes.FamilyName, model.Last));

                return Redirect("~/core/" + Constants.RoutePaths.Login + "?signin=" + signin);
            }

            return View();
        }
    }

启动.cs

 app.Map("/core", coreApp =>
            {
                var factory = new IdentityServerServiceFactory()
                    .UseInMemoryClients(Clients.Get())
                    .UseInMemoryScopes(Scopes.Get());

                // different examples of custom user services
                //var userService = new RegisterFirstExternalRegistrationUserService();
                //var userService = new ExternalRegistrationUserService();

                var userService = new LocalRegistrationUserService();

                // note: for the sample this registration is a singletone (not what you want in production probably)
                factory.UserService = new Registration<IUserService>(resolver => userService);
                factory.ViewService = new Registration<IViewService, CustomViewService>();
                var options = new IdentityServerOptions
                {
                    SiteName = "Identity Server 3",

                    SigningCertificate = Certificate.Get(),
                    Factory = factory,

                    AuthenticationOptions = new AuthenticationOptions
                    {
                        IdentityProviders = ConfigureAdditionalIdentityProviders,
                        LoginPageLinks = new LoginPageLink[] { 
                            new LoginPageLink{
                                Text = "Register",
                               // Href = "~/externalregistration",
                                Href = "~/localregistration",
                                //Href = "localregistration"
                            },
                             new LoginPageLink{
                                Text = "Forgot Password?",
                                Href = "~/forgotpassword",
                                //Href = "localregistration"
                            }
                        }
                    },

                    EventsOptions = new EventsOptions
                    {
                        RaiseSuccessEvents = true,
                        RaiseErrorEvents = true,
                        RaiseFailureEvents = true,
                        RaiseInformationEvents = true
                    }
                };

                coreApp.UseIdentityServer(options);
            });

我需要了解在注册时将 a 映射到的最佳方式,userclient确保用户只能登录该客户端而不是任何其他客户端,即使该用户usernamepassword所有客户端都相同。

4

1 回答 1

4

如果您在 id_token 中提供自定义声明,application_access并以用户有权访问的应用程序/客户端的值命名,该怎么办?哪一个可能有很多。您可以在您的IUserService实现中添加此自定义声明,并以与映射其他用户特定声明相同的方式进行映射。

然后,在您的客户端中,检查该特定声明,并检查登录用户是否具有针对该特定客户端的特定值的声明。

https://github.com/IdentityModel/Thinktecture.IdentityModel.45/blob/master/IdentityModel/Thinktecture.IdentityModel/Authorization/WebApi/ScopeAttribute.cs

(标记:RequireScope用于访问令牌和 API,但您大致了解)

于 2016-07-22T23:19:13.487 回答