OAuth 2.0 默认四种授权模式(GrantType):
- 授权码模式(
authorization_code
) - 简化模式(
implicit
) - 密码模式(
password
) - 客户端模式(
client_credentials
)
使用 IdentityServer4,我们可以自定义授权模式吗?答案是可以的,比如我们自定义实现一个anonymous
授权模式(匿名访问)。
创建AnonymousGrantValidator
(继承IExtensionGrantValidator
):
public class AnonymousGrantValidator : IExtensionGrantValidator
{
private readonly ITokenValidator _validator;
public AnonymousGrantValidator(ITokenValidator validator)
{
_validator = validator;
}
public string GrantType => "anonymous";
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
//var userToken = context.Request.Raw.Get("token");
//if (string.IsNullOrEmpty(userToken))
//{
// context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
// return;
//}
//var result = await _validator.ValidateAccessTokenAsync(userToken);
//if (result.IsError)
//{
// context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
// return;
//}
// get user's identity
//var sub = result.Claims.FirstOrDefault(c => c.Type == "sub").Value;
var claims = new List<Claim>() { new Claim("role", GrantType) }; // Claim 用于配置服务站点 [Authorize("anonymous")]
context.Result = new GrantValidationResult(GrantType, GrantType, claims);
}
}
修改Client
配置:
new Client
{
ClientId = "client1",
AllowedGrantTypes = GrantTypes.List(GrantTypes.ResourceOwnerPassword.FirstOrDefault(), "anonymous"), //一个 Client 可以配置多个 GrantType
AllowOfflineAccess = true,
AccessTokenLifetime = 3600 * 6, //6小时
SlidingRefreshTokenLifetime = 1296000, //15天
ClientSecrets =
{
new Secret("123".Sha256())
},
AllowedScopes = new List<string>
{
"api2"
}
}
DI 增加注入对象:
builder.AddExtensionGrantValidator<AnonymousGrantValidator>();
调用示例代码:
public async Task<TokenResponse> AnonymousAsync(string userToken)
{
var payload = new
{
token = userToken
};
// create token client
var client = new TokenClient(disco.TokenEndpoint, "client1", "123");
// send custom grant to token endpoint, return response
return await client.RequestCustomGrantAsync("anonymous", "api2", payload);
}
Http 访问示例:
POST /connect/token
grant_type=anonymous&
scope=api2&
token=...&
client_id=api1.client
client_secret=secret
参考资料: