oauth2 + oidc 实现 server部分

学习分享 丨作者 / 郑 子 铭 丨公众号 / DotNet NB / CloudNative NB

任务15：oauth2 + oidc 实现 server部分

基于之前快速入门的项目（MvcCookieAuthSample）： https://www.cnblogs.com/MingsonZheng/p/11614686.html https://www.cnblogs.com/MingsonZheng/p/11623815.html

mvcCookieAuthSample2下载地址： http://video.jessetalk.cn/course/5/material/217/download

把这个 MVC 注册登录的网站变成一个单点登录，现在它是自己登录自己使用，我们需要把它的登录信息返回给第三方

添加 identityserver4 引用

在 startup 中

using IdentityServer4;

按照之前的文章添加 Config.cs

using System.Collections;
using System.Collections.Generic;
using IdentityServer4.Models;
using IdentityServer4.Test;

namespace mvcCookieAuthSample
{
    public class Config
    {
        public static IEnumerable<Client> GetClients()
        {
            return new List<Client>
            {
                new Client()
                {
                    ClientId = "client",
                    AllowedGrantTypes = GrantTypes.Implicit,// 隐式模式
                    ClientSecrets = 
                    {
                        new Secret("secret".Sha256())
                    },
                    AllowedScopes = {"api"},
                }
            };
        }

        public static IEnumerable<ApiResource> GetApiResource()
        {
            return new List<ApiResource>
            {
                new ApiResource("api", "My Api")
            };
        }

        public static IEnumerable<IdentityResource> GetIdentityResources()
        {
            return new List<IdentityResource>
            {
                new IdentityResources.OpenId(),
                new IdentityResources.Profile(),
                new IdentityResources.Email(),
            };
        }

        public static List<TestUser> GetTestUsers()
        {
            return new List<TestUser>
            {
                new TestUser
                {
                    SubjectId = "1",
                    Username = "mingsonzheng",
                    Password = "123456"
                }
            };
        }
    }
}

startup 的 ConfigureServices

// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
    services.AddIdentityServer()
            .AddDeveloperSigningCredential()
            .AddInMemoryClients(Config.GetClients())
            .AddInMemoryApiResources(Config.GetApiResource())
            .AddInMemoryIdentityResources(Config.GetIdentityResources())
            .AddTestUsers(Config.GetTestUsers());

    //services.AddDbContext<ApplicationDbContext>(options =>
    //{
    //    options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection"));
    //});

    //services.AddIdentity<ApplicationUser, ApplicationUserRole>()
    //    .AddEntityFrameworkStores<ApplicationDbContext>()
    //    .AddDefaultTokenProviders();

    //services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    //    .AddCookie(options => {
    //        options.LoginPath = "/Account/Login";
    //    });

    //services.Configure<IdentityOptions>(options =>
    //{
    //    options.Password.RequireLowercase = true;
    //    options.Password.RequireNonAlphanumeric = true;
    //    options.Password.RequireUppercase = true;
    //    options.Password.RequiredLength = 12;
    //});

    services.AddMvc();
}

startup 的 Configure 中 UseIdentityServer

// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
    }

    app.UseStaticFiles();
    
    //app.UseAuthentication();
    app.UseIdentityServer();

    app.UseMvc(routes =>
    {
        routes.MapRoute(
            name: "default",
            template: "{controller=Home}/{action=Index}/{id?}");
    });
}

我们已经把 IdentityServer4 添加到 MVC 程序中，接着需要在 Controller 中实现这个逻辑

首先注释 AccountController 原先的登录逻辑

//private UserManager<ApplicationUser> _userManager;
//private SignInManager<ApplicationUser> _signInManager;

Logout 中使用 HttpContext.SignOutAsync 替换

public async Task<IActionResult> Logout()
{
    //await _signInManager.SignOutAsync();
    await HttpContext.SignOutAsync();
    return RedirectToAction("Index", "Home");
}

接着改造登录的逻辑，我们需要验证用户名和密码，前面我们在 Config 中添加了 TestUser，它被放在 TestUserStore 中，可以通过依赖注入引用进来，有了它之后就可以在登录的时候拿到用户名和密码

private readonly TestUserStore _users;

public AccountController(TestUserStore users)
{
    _users = users;
}

因为 TestUser 本身不提供 Email 登录，所以我们需要修改 LoginViewModel 以及 Login.cshtml

LoginViewModel

[Required]
//[DataType(DataType.EmailAddress)]
//public string Email { get; set; }
public string UserName { get; set; }

Login.cshtml

<div class="form-group">
    <label asp-for="UserName"></label>
    <input asp-for="UserName" class="form-control" />
    <span asp-validation-for="UserName" class="text-danger"></span>
</div>

改造登录的逻辑

public async Task<IActionResult> Login(LoginViewModel loginViewModel,string returnUrl)
{
    if (ModelState.IsValid)
    {
        //ViewData["ReturnUrl"] = returnUrl;
        //var user = await _userManager.FindByEmailAsync(loginViewModel.Email);
        //if (user == null)
        //{
        //    ModelState.AddModelError(nameof(loginViewModel.Email), "Email not exists");
        //}
        //else
        //{
        //    await _signInManager.SignInAsync(user, new AuthenticationProperties { IsPersistent = true });
        //    return RedirectToLoacl(returnUrl);
        //}

        ViewData["ReturnUrl"] = returnUrl;
        var user = _users.FindByUsername(loginViewModel.UserName);
        if (user == null)
        {
            ModelState.AddModelError(nameof(loginViewModel.UserName), "UserName not exists");
        }
        else
        {
            if (_users.ValidateCredentials(loginViewModel.UserName, loginViewModel.Password))
            {
                var props = new AuthenticationProperties
                {
                    IsPersistent = true,
                    ExpiresUtc = DateTimeOffset.UtcNow.Add(TimeSpan.FromMinutes(30)),
                };

                await Microsoft.AspNetCore.Http.AuthenticationManagerExtensions.SignInAsync(
                    HttpContext,
                    user.SubjectId,
                    user.Username,
                    props
                    );

                return RedirectToLoacl(returnUrl);
            }

            ModelState.AddModelError(nameof(loginViewModel.Password), "Wrong Password");
        }
    }

    return View();
}

这样，我们就实现了一个通过 IdentityServer4 下的方法来实现了一个登录逻辑，然后做了一个跳转，下一节再把客户端加进来