添加OAuth2认证相关配置文件和服务实现,包括环境变量配置、PKCE流程支持、token管理等功能。主要变更: - 新增OAuth2配置文件 - 实现OAuth2服务层 - 更新请求拦截器支持token自动刷新 - 修改认证API和store以支持OAuth2流程
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using OpenIddict.Abstractions;
using Quartz;
namespace Fengling.AuthService.Configuration;
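/// <summary>
/// Wires up ASP.NET Core Identity claim mapping, Quartz, and the OpenIddict
/// core / server / validation components for the auth service.
/// </summary>
public static class OpenIddictSetup
{
    /// <summary>
    /// Registers the OpenIddict authorization-server stack (core, server, validation)
    /// together with the Identity and Quartz options it depends on.
    /// </summary>
    /// <param name="services">The service collection to register into.</param>
    /// <param name="configuration">
    /// Application configuration. Reads <c>Testing</c> (bool, defaults to <c>false</c>) to
    /// decide whether the server component is registered, and <c>OpenIddict:Issuer</c> for
    /// the issuer URI.
    /// </param>
    /// <returns>The same <paramref name="services"/> instance, for chaining.</returns>
    public static IServiceCollection AddOpenIddictConfiguration(
        this IServiceCollection services,
        IConfiguration configuration
    )
    {
        services.Configure<IdentityOptions>(ConfigureIdentityClaims);

        // Quartz is what OpenIddict's UseQuartz() integration (below) schedules its
        // token/authorization pruning jobs on. The job store is in-memory, i.e. not persisted.
        services.AddQuartz(options =>
        {
            options.UseSimpleTypeLoader();
            options.UseInMemoryStore();
        });

        var isTesting = configuration.GetValue<bool>("Testing", false);

        var openIddict = services.AddOpenIddict();

        openIddict.AddCore(options =>
        {
            options.UseEntityFrameworkCore()
                .UseDbContext<Data.ApplicationDbContext>();
            options.UseQuartz();
        });

        // The server component is skipped under test, yet the validation component below
        // still calls UseLocalServer(). NOTE(review): presumably the test harness registers
        // its own server component — confirm, otherwise validation has no local server to use.
        if (!isTesting)
        {
            openIddict.AddServer(options => ConfigureServer(options, configuration));
        }

        openIddict.AddValidation(options =>
        {
            options.UseLocalServer();
            options.UseAspNetCore();
        });

        // Makes the cookie scheme the default authentication scheme. No cookie handler is
        // added here; it is expected to come from the Identity registration elsewhere.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme);

        return services;
    }

    /// <summary>
    /// Configures Identity to use the same JWT claim names as OpenIddict instead of the
    /// legacy WS-Federation claim types (ClaimTypes) it uses by default, which saves doing
    /// the mapping in the authorization controller.
    /// </summary>
    /// <param name="options">The Identity options being configured.</param>
    private static void ConfigureIdentityClaims(IdentityOptions options)
    {
        options.ClaimsIdentity.UserNameClaimType = OpenIddictConstants.Claims.Name;
        options.ClaimsIdentity.UserIdClaimType = OpenIddictConstants.Claims.Subject;
        options.ClaimsIdentity.RoleClaimType = OpenIddictConstants.Claims.Role;
        options.ClaimsIdentity.EmailClaimType = OpenIddictConstants.Claims.Email;

        // Note: to require account confirmation before login,
        // register an email sender service (IEmailSender) and
        // set options.SignIn.RequireConfirmedAccount to true.
        //
        // For more information, visit https://aka.ms/aspaccountconf.
        options.SignIn.RequireConfirmedAccount = false;
    }

    /// <summary>
    /// Configures the OpenIddict server component: issuer, endpoints, allowed flows,
    /// signing/encryption credentials, registered scopes and the ASP.NET Core host integration.
    /// </summary>
    /// <param name="options">The server builder being configured.</param>
    /// <param name="configuration">Application configuration (reads <c>OpenIddict:Issuer</c>).</param>
    private static void ConfigureServer(OpenIddictServerBuilder options, IConfiguration configuration)
    {
        // Falls back to a plain-http localhost issuer when OpenIddict:Issuer is not set.
        // Tokens carry this value as `iss`, so it must be set explicitly outside local development.
        options.SetIssuer(configuration["OpenIddict:Issuer"] ?? "http://localhost:5132");

        // NOTE(review): the end-user verification endpoint (device flow) is registered, but
        // no device endpoint and no device authorization flow are enabled — confirm intended.
        options.SetAuthorizationEndpointUris("connect/authorize")
            .SetIntrospectionEndpointUris("connect/introspect")
            .SetEndSessionEndpointUris("connect/endsession")
            .SetTokenEndpointUris("connect/token")
            .SetUserInfoEndpointUris("connect/userinfo")
            .SetEndUserVerificationEndpointUris("connect/verify");

        options.AllowAuthorizationCodeFlow()
            .AllowHybridFlow()
            .AllowClientCredentialsFlow()
            .AllowRefreshTokenFlow();

        // NOTE(review): development certificates are registered unconditionally. They are
        // generated per machine and are not suitable for production; a deployed instance
        // should load persisted X.509 certificates via AddEncryptionCertificate /
        // AddSigningCertificate instead — confirm the deployment configuration overrides this.
        options.AddDevelopmentEncryptionCertificate()
            .AddDevelopmentSigningCertificate();

        // Access tokens are reference tokens (UseReferenceAccessTokens below), so clients only
        // receive an opaque handle; disabling encryption presumably affects the server-side
        // stored payload rather than what goes over the wire.
        options.DisableAccessTokenEncryption();

        // Scopes.Roles ("roles") is the scope name. Permissions.Scopes.Roles is the
        // "scp:"-prefixed *client permission* string and must not be registered as a scope —
        // doing so advertises a scope no client can meaningfully request.
        options.RegisterScopes(OpenIddictConstants.Scopes.OfflineAccess, OpenIddictConstants.Scopes.Email,
            OpenIddictConstants.Scopes.Profile, OpenIddictConstants.Scopes.OpenId,
            OpenIddictConstants.Scopes.Roles,
            "api",
            "auth_server_admin");

        // DisableTransportSecurityRequirement() lets the endpoints be served over plain HTTP.
        // It is needed for the http://localhost default issuer above, but exposes bearer and
        // refresh tokens in clear text if it reaches a non-local deployment.
        options
            .UseReferenceAccessTokens()
            .UseReferenceRefreshTokens()
            .UseAspNetCore()
            .DisableTransportSecurityRequirement()
            .EnableAuthorizationEndpointPassthrough()
            .EnableEndSessionEndpointPassthrough()
            .EnableTokenEndpointPassthrough()
            .EnableUserInfoEndpointPassthrough()
            .EnableStatusCodePagesIntegration();
    }
}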