I want to perform authentication and authorization in a separate microservice. At the same time, my authorization microservice is not an identity provider, just a simple API.
How do I configure in ASP.NET Core which endpoint is used for authentication and what data is sent to it before the target endpoint is accessed?
I found the following approach in the documentation:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // base-address of your identityserver
        options.Authority = "https://demo.identityserver.io";
        // name of the API resource
        options.Audience = "api1";
    });
Do I understand correctly that this is what I need, but it uses an identity server?
How can I accomplish this without using one?
Implementing authentication and authorization for a microservice architecture in ASP.NET involves several steps and considerations to ensure secure and efficient user access control. Here is a comprehensive guide on how to achieve this:
Authentication verifies the identity of a user or service. In a microservice architecture, a token-based authentication mechanism such as JWT (JSON Web Token) is typically used.
1.1. Centralized authentication service:
1.2. Token issuance:
1.3. Token validation:
Startup.cs of the API gateway or microservice:
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Validate incoming bearer JWTs using the identity provider's discovery document and signing keys
        services.AddAuthentication("Bearer")
            .AddJwtBearer("Bearer", options =>
            {
                options.Authority = "https://your-identity-provider";
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Audience is not checked here; the "ApiScope" policy below restricts access by scope claim instead
                    ValidateAudience = false
                };
            });
        services.AddAuthorization(options =>
        {
            options.AddPolicy("ApiScope", policy =>
            {
                policy.RequireAuthenticatedUser();
                policy.RequireClaim("scope", "api1");
            });
        });
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseRouting();
        // Order matters: authentication must populate the user before authorization evaluates policies
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            // Every controller endpoint requires the "ApiScope" policy unless marked [AllowAnonymous]
            endpoints.MapControllers()
                .RequireAuthorization("ApiScope");
        });
    }
}
Authorization determines what an authenticated user is allowed to do. In a microservice setup, authorization can be role-based (RBAC) or claims-based.
2.1. Role-based access control (RBAC):
Example code:
[Authorize(Roles = "Admin")]
public class AdminController : ControllerBase
{
    // Actions that only Admin can access
}
2.2. Policy-based authorization:
Example code:
services.AddAuthorization(options =>
{
    options.AddPolicy("RequireAdminRole", policy => policy.RequireRole("Admin"));
    options.AddPolicy("RequireUserClaim", policy => policy.RequireClaim("UserType", "Premium"));
});

[Authorize(Policy = "RequireAdminRole")]
public class AdminController : ControllerBase
{
    // Actions that only users with Admin role can access
}

[Authorize(Policy = "RequireUserClaim")]
public class PremiumUserController : ControllerBase
{
    // Actions that only users with the claim UserType = Premium can access
}
In microservices, a single request may pass through several services. Propagating the user's identity and claims across services is essential.
3.1. Token forwarding:
Example code:
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

public class SomeService
{
    private readonly HttpClient _httpClient;

    public SomeService(HttpClient httpClient)
    {
        _httpClient = httpClient;
    }

    public async Task CallAnotherService(string token)
    {
        // Attach the caller's bearer token to this request only. Mutating
        // _httpClient.DefaultRequestHeaders would leak the token into other
        // callers' requests on a shared HttpClient and is not thread-safe.
        using var request = new HttpRequestMessage(HttpMethod.Get, "https://another-microservice/api/data");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        using var response = await _httpClient.SendAsync(request);
        response.EnsureSuccessStatusCode();
    }
}
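The question asks how to do this without an identity server. Below is an added example (not from the question, the answer, or any project's code) of a resource API that validates JWTs locally against a signing key shared with the authorization microservice, so no Authority/discovery endpoint is needed. It assumes .NET 6+ minimal hosting, the Microsoft.AspNetCore.Authentication.JwtBearer package, and a configuration section named "Jwt" with Issuer, Audience and SigningKey (all names chosen for this example).

```csharp
// Added example: JWT validation without an identity server. Assumed config section "Jwt"
// holds Issuer, Audience and SigningKey; the authorization microservice signs tokens with
// the same key (HS256). For a separate issuer, an asymmetric key pair is preferable so that
// only the issuer holds the private key and each API validates with the public key.
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
var jwt = builder.Configuration.GetSection("Jwt");
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwt["SigningKey"]!));

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // No Authority: everything needed to validate the token is supplied here.
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = jwt["Issuer"],
            ValidateAudience = true,            // reject tokens minted for a different API
            ValidAudience = jwt["Audience"],
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = signingKey,
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // pin the algorithm
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30), // default tolerance is 5 minutes
            NameClaimType = ClaimTypes.NameIdentifier,
            RoleClaimType = "role"
        };
    });

builder.Services.AddAuthorization(options =>
    options.AddPolicy("ApiScope", p => p.RequireAuthenticatedUser().RequireClaim("scope", "api1")));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// This API only validates tokens; issuing them stays in the authorization microservice.
app.MapGet("/api/data", (ClaimsPrincipal user) => Results.Ok(new { user = user.Identity?.Name }))
   .RequireAuthorization("ApiScope");

app.Run();
```

A request without a valid, unexpired token signed with the configured key and carrying the expected iss, aud and scope claims is rejected with 401 or 403 before the handler runs.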