IdentityServer4 实现自定义 GrantType 授权模式

时间:2022-01-12 08:37:57

OAuth 2.0 默认四种授权模式(GrantType):

  • 授权码模式(authorization_code
  • 简化模式(implicit
  • 密码模式(password
  • 客户端模式(client_credentials

使用 IdentityServer4,我们可以自定义授权模式吗?答案是可以的,比如我们自定义实现一个anonymous授权模式(匿名访问)。

创建AnonymousGrantValidator(继承IExtensionGrantValidator):

public class AnonymousGrantValidator : IExtensionGrantValidator
{
private readonly ITokenValidator _validator; public AnonymousGrantValidator(ITokenValidator validator)
{
_validator = validator;
} public string GrantType => "anonymous"; public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
//var userToken = context.Request.Raw.Get("token"); //if (string.IsNullOrEmpty(userToken))
//{
// context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
// return;
//} //var result = await _validator.ValidateAccessTokenAsync(userToken);
//if (result.IsError)
//{
// context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
// return;
//} // get user's identity
//var sub = result.Claims.FirstOrDefault(c => c.Type == "sub").Value; var claims = new List<Claim>() { new Claim("role", GrantType) }; // Claim 用于配置服务站点 [Authorize("anonymous")]
context.Result = new GrantValidationResult(GrantType, GrantType, claims);
}
}

修改Client配置:

new Client
{
ClientId = "client1",
AllowedGrantTypes = GrantTypes.List(GrantTypes.ResourceOwnerPassword.FirstOrDefault(), "anonymous"), //一个 Client 可以配置多个 GrantType
AllowOfflineAccess = true,
AccessTokenLifetime = 3600 * 6, //6小时
SlidingRefreshTokenLifetime = 1296000, //15天
ClientSecrets =
{
new Secret("123".Sha256())
},
AllowedScopes = new List<string>
{
"api2"
}
}

DI 增加注入对象:

builder.AddExtensionGrantValidator<AnonymousGrantValidator>();

调用示例代码:

public async Task<TokenResponse> AnonymousAsync(string userToken)
{
var payload = new
{
token = userToken
}; // create token client
var client = new TokenClient(disco.TokenEndpoint, "client1", "123"); // send custom grant to token endpoint, return response
return await client.RequestCustomGrantAsync("anonymous", "api2", payload);
}

Http 访问示例:

POST /connect/token

grant_type=anonymous&
scope=api2&
token=...&
client_id=api1.client
client_secret=secret

参考资料: