В вашем классе запуска.s:
// prevent from mapping "sub" claim to nameidentifier.
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Remove("sub");
var identityUrl = configuration.GetValue<string>("IdentityUrl");
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.Authority = identityUrl;
options.RequireHttpsMetadata = false;
options.Audience = "demo_api";
});
SwaggerGen
services.AddSwaggerGen(options =>
{
...
options.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
{
Type = SecuritySchemeType.OAuth2,
Flows = new OpenApiOAuthFlows
{
Implicit = new OpenApiOAuthFlow
{
AuthorizationUrl = new Uri($"{configuration.GetValue<string>("IdentityUrl")}/connect/authorize"),
TokenUrl = new Uri($"{configuration.GetValue<string>("IdentityUrl")}/connect/token"),
Scopes = new Dictionary<string, string>()
{
{ "api1", "Demo API - full access" }
}
}
}
});
Операционный фильтр
options.OperationFilter<AuthorizeCheckOperationFilter>();
Реализация
public class AuthorizeCheckOperationFilter : IOperationFilter
{
public void Apply(OpenApiOperation operation, OperationFilterContext context)
{
var hasAuthorize = context.MethodInfo.DeclaringType.GetCustomAttributes(true).OfType<AuthorizeAttribute>().Any() ||
context.MethodInfo.GetCustomAttributes(true).OfType<AuthorizeAttribute>().Any();
if (!hasAuthorize) return;
var unauthorizedHashCode = HttpStatusCode.Unauthorized.GetHashCode().ToString();
var unauthorizedDescription = HttpStatusCode.Unauthorized.ToString();
var forbiddenHashCode = HttpStatusCode.Forbidden.GetHashCode().ToString();
var forbiddenDescription = HttpStatusCode.Forbidden.ToString();
operation.Responses.TryAdd(unauthorizedHashCode, new OpenApiResponse { Description = unauthorizedDescription });
operation.Responses.TryAdd(forbiddenHashCode, new OpenApiResponse { Description = forbiddenDescription });
var oAuthScheme = new OpenApiSecurityScheme
{
Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "oauth2" }
};
operation.Security = new List<OpenApiSecurityRequirement>
{
new OpenApiSecurityRequirement
{
[ oAuthScheme ] = new [] { "api1" }
}
};
}
}
Используйте это
// Keep both UseAuthentication and UseAuthorization IN THIS ORDER
app.UseAuthentication();
app.UseAuthorization();
Используйте Swagger
app.UseSwagger(c =>
{
c.RouteTemplate = "swagger/{documentName}/swagger.json";
});
app.UseSwaggerUI(s =>
{
s.SwaggerEndpoint("/swagger/v1/swagger.json", "Your awesome project name");
s.OAuthAppName("My API - Swagger");
s.OAuthClientId("client");
// Should match the client RedirectUrl in the IdentityServer
s.OAuth2RedirectUrl("https://localhost:5001/swagger/oauth2-redirect.html");
});
Ваш контроллер
[Authorize]
[ApiController]
[Route("api/[controller]")] // TODO: Take care of the versioning
public class IndentityController : ControllerBase
{
...
Теперь в проекте IdentityServer. ApiResources:
public static IEnumerable<ApiResource> GetApiResources()
{
return new List<ApiResource>
{
new ApiResource("api1", "My API")
};
}
И, наконец, ваш клиент должен выглядеть следующим образом:
new Client
{
ClientId = "client",
AllowedGrantTypes = GrantTypes.Implicit,
RedirectUris = { "https://localhost:5001/swagger/oauth2-redirect.html" },
AllowedScopes = { "api1" },
AllowAccessTokensViaBrowser = true,
RequireConsent = false
}
И полный исходный код можно найти в репозитории eShopOnContainers * 1029. *
Удачи:)