我们有一个Identity Server 4来授权API项目中的用户和自定义授权。
我想同时设置这两种授权,但首先检查Identity Server 4,然后检查我的自定义授权。
问题是,这个订单不起作用,我的自定义授权首先执行。如何更改此订单?
启动.cs
services.AddAuthorization(authorizationOptions =>
{
authorizationOptions.AddPolicy(
name: "UserAccess",
configurePolicy: policyBuilder =>
{
policyBuilder.RequireAuthenticatedUser();
policyBuilder.AddRequirements(new UserAccessRequirement());
});
}).AddAuthentication(defaultScheme: IdentityServerAuthenticationDefaults.AuthenticationScheme).AddIdentityServerAuthentication(options =>
{
options.Authority = "https://*******.land/";
options.ApiName = "****.Api";
options.RequireHttpsMetadata = false;
});
我的自定义授权:
public class UserAccessHandler : AuthorizationHandler<UserAccessRequirement>
{
private readonly IHttpContextAccessor _accessor;
public UserAccessHandler(IHttpContextAccessor accessor)
{
_accessor = accessor ?? throw new ArgumentNullException(nameof(accessor));
}
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, UserAccessRequirement requirement)
{
var httpContext = _accessor.HttpContext;
/// Some Code
}
}
在API控制器中:
[Route("api/[controller]")]
[ApiController]
[Authorize]
public class TestController : ControllerBase
{
[Authorize(policy: "UserAccess")]
[HttpGet("[action]")]
public IActionResult Get()
{
return Ok("Access");
}
}
更新:
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
我不会在新的开发中使用AddIdentityServerAuthentication方法,因为它似乎已经被弃用,不再支持
参见https://github.com/IdentityServer/IdentityServer4.AccessTokenValidation
在从客户端接收访问令牌的API中,您应该使用:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(opt =>
{
opt.Audience = "payment"; //api name
opt.Authority = "https://identityservice.local:6001"; //URL to your identityserver
});
AddIdentityServerAuthentication不应在API中使用。
更新:
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});