0

鉴于我已经根据ocelot 文档设置了 ocelot 并与 IdentityServer4 集成,我是否应该从这些内部服务中删除[Authorize]属性和身份验证相关代码(例如UseAuthentication中间件)?Startup

  • 如果删除[Authorize]相关代码,这些内部服务如何获得User.Claims?以及如何保护这些服务免受来自内部的线程的影响?

  • 如果保留[Authroize]相关代码,那么将 IdentityServer4 与 Ocelot 集成有什么意义?我能看到的唯一好处是防止无效请求到达内部服务。

长篇大论:

我设置了 Ocelot 网关并与 IdentityServer4 集成。我所有的内部 Api 服务(例如 ServiceA、ServiceB)都在网关后面。

为了保证内部服务的安全,我AuthenticationOptions按照 ocelot 官方文档中的说明进行了设置。

例如 ocelot 网关配置:

{
  "ReRoutes": [
    {
      "DownstreamPathTemplate": "/api/{version}/{everything}",
      "DownstreamScheme": "https",
      "DownstreamHostAndPorts": [
        {
          "Host": "localhost",
          "Port": 5001
        }
      ],
      "LoadBalancerOptions": {
        "Type": "LeastConnection"
      },
      "UpstreamPathTemplate": "/serviceA/api/{version}/{everything}",
      "UpstreamHttpMethod": [],
      "AuthenticationOptions": {
        "AuthenticationProviderKey": "ApiGwAuth",
        "AllowedScopes": []
      }
    }
  ]
}

public void ConfigureServices(IServiceCollection services)
{
    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
    services.AddAuthentication()
        .AddJwtBearer("ApiGwAuth", x =>
        {
            x.Authority = Configuration["IdentityServiceSettings:Url"];
            x.RequireHttpsMetadata = false;
            x.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
            {
                ValidAudiences = new[] { "serviceA", "serviceB" }
            };
        });

    services.AddOcelot(Configuration);
}

需要保护的服务A:

[Authorize]
[HttpGet]
public ActionResult GetProtectedInfo()
{
     // e.g.     
     return Ok(User.Claims.Select(itm => itm.ToString()));
}

User.Claims如果[Authorize]删除了相关代码,如何获取?

4

1 回答 1

3

如果您删除 UseAuthentication(),您将丢失 User.Identity。如果要生成 User.Identity 但没有 Ocelot 通过的 JWT 验证,请尝试以下操作:

配置服务

      services.AddAuthentication(x =>
        {
            x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(x =>
        {
            x.RequireHttpsMetadata = false;
            x.SaveToken = true;
            x.TokenValidationParameters = CreateTokenValidationParameters();
        });

配置

app.UseAuthentication();


private TokenValidationParameters CreateTokenValidationParameters() //we ignore token validation because gateway validates it
    {
        var result = new TokenValidationParameters
        {
            ValidateIssuer = false,
            ValidateAudience = false,
            ValidateIssuerSigningKey = false,
            SignatureValidator = delegate (string token, TokenValidationParameters parameters)
            {
                var jwt = new JwtSecurityToken(token);
                return jwt;
            },
            RequireExpirationTime = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.Zero,
        };
        result.RequireSignedTokens = false;
        return result;
    }
于 2020-07-16T13:00:37.367 回答