- YuChia·Last edited by YuChia on Nov 16, 2023Linked with GitHubContributed by
Log in to edit or delete your comments and be notified of replies.
There is no commentSelect some text and then click Comment, or simply add a comment to this page from below to start a discussion..net OpenIdConnection setting
authOptions 這個物件是我另外建立的,從 appsettings.json 中取資料的 model
OAuth Server = IdentityServer4
.net core 3.1 / .net 5 / .net 6 / .net 7 或以上皆通用
builder.Services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultForbidScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignOutScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
{
// 有 HA 問題可以參考這個
// ref: https://mikerussellnz.github.io/.NET-Core-Auth-Ticket-Redis/
options.SessionStore = new RedisCacheTicketStore(new RedisCacheOptions { Configuration = redisUrl });
options.Events = new CookieAuthenticationEvents
{
OnValidatePrincipal = async cookieContext =>
{
var logger = cookieContext.HttpContext.RequestServices.GetRequiredService<ILogger<CookieAuthenticationEvents>>();
/*
* cookieContext.Properties.GetTokenValue(key)
* cookieContext.Properties.UpdateTokenValue(key)
* key 可使用的參數值有
* 1. access_token
* 2. id_token = openId connection 驗證身分所需的 token,預設 5 分鐘過期
* 3. refresh_token
* 4. token_type
* 5. expires_at = access_token 的到期日
* 對應 OpenIdConnect 的參數物件
* OpenIdConnectParameterNames.AccessToken
* OpenIdConnectParameterNames.IdToken
* OpenIdConnectParameterNames.RefreshToken
* OpenIdConnectParameterNames.TokenType
*
* expires_at 的部分在 OpenIdConnectParameterNames 無對應
*
* cookieContext.Properties.IssuedUtc = 跟 OAuth Server 進行驗證的時間
*
* cookieContext.Properties.ExpiresUtc
* * cookies 有效期的時間
* * 如果 AddOpenIdConnect 裡面有設定 UseTokenLifeTime 的話,這個時間會使用 id_token 的過期時間
*/
var now = DateTimeOffset.UtcNow;
var expiresAt = cookieContext.Properties.GetTokenValue("expires_at");
var accessTokenExpiration = DateTimeOffset.Parse(expiresAt);
var timeRemaining = accessTokenExpiration.Subtract(now);
// TODO: Get this from configuration with a fallback value.
var refreshThresholdMinutes = 5;
var refreshThreshold = TimeSpan.FromMinutes(refreshThresholdMinutes);
if (timeRemaining < refreshThreshold)
{
logger.LogTrace("OnValidatePrincipal - should be refresh token");
var refreshToken = cookieContext.Properties.GetTokenValue(OpenIdConnectParameterNames.RefreshToken);
if (refreshToken is null)
{
logger.LogWarning("OnValidatePrincipal - Refresh Token Not Found!");
cookieContext.RejectPrincipal();
await cookieContext.HttpContext.SignOutAsync();
//登出後強制中斷事件,讓 .net 回去走登入流程
return;
}
var httpClient = cookieContext.HttpContext.RequestServices.GetRequiredService<IHttpClientFactory>().CreateClient();
var response = await httpClient.RequestRefreshTokenAsync(
new RefreshTokenRequest
{
Address = $"{authOptions.Authority}/connect/token",
ClientId = authOptions.ClientId,
ClientSecret = authOptions.ClientSecret,
RefreshToken = refreshToken!
});
//如果 refresh 錯誤就登出且強制中斷事件
if (response.IsError)
{
logger.LogWarning("OnValidatePrincipal - Token Refresh Error!");
cookieContext.RejectPrincipal();
await cookieContext.HttpContext.SignOutAsync();
return;
}
//can ref OpenIdConnectHandler
var expiresInSeconds = response.ExpiresIn;
var updatedExpiresAt = DateTimeOffset.UtcNow.AddSeconds(expiresInSeconds);
cookieContext.Properties.UpdateTokenValue("expires_at", updatedExpiresAt.ToString());
cookieContext.Properties.UpdateTokenValue(OpenIdConnectParameterNames.AccessToken, response.AccessToken);
cookieContext.Properties.UpdateTokenValue(OpenIdConnectParameterNames.RefreshToken, response.RefreshToken);
cookieContext.Properties.UpdateTokenValue(OpenIdConnectParameterNames.IdToken, response.IdentityToken);
// Indicate to the cookie middleware that the cookie should be
// remade (since we have updated it)
cookieContext.ShouldRenew = true;
}
}
};
})
.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
options.Authority = authOptions.Authority;
options.ClientId = authOptions.ClientId;
options.ClientSecret = authOptions.ClientSecret;
// 如果要改 redirect url 的時候要用這個
// options.CallbackPath = "/auth-redirect-url";
options.RequireHttpsMetadata = true;
options.ResponseType = OpenIdConnectResponseType.Code;
// options.ResponseMode = OpenIdConnectResponseMode.FormPost;
// 沒有清除的話,預設 scope 裡面有一個 profile 的項目
//options.Scope.Clear();
//要讓 .net 預設的 openid 認證成功需要這個 Scope
options.Scope.Add(OpenIdConnectScope.OpenId);
// 從設定檔中取得自訂的 Scope
foreach (var item in authOptions.CustomScope)
{
options.Scope.Add(item);
}
// 這個 scope 要求 Auth Server 回應 Refresh Token
options.Scope.Add(OpenIdConnectScope.OfflineAccess);
// if true , cookies ExpiresUtc will be use id_token expires time
// options.UseTokenLifetime = true;
options.SaveTokens = true;
//設定 token 中的特定欄位解析方式
options.TokenValidationParameters = new TokenValidationParameters
{
// NameClaimType = "name",
NameClaimType = JwtClaimTypes.Name,
// RoleClaimType = "role"
RoleClaimType = JwtClaimTypes.Role
};
// 設定到 user claim 裡面
//ref: https://github.com/skoruba/IdentityServer4.Admin/issues/109
//ref: https://stackoverflow.com/a/70279411
options.Events.OnUserInformationReceived = context =>
{
// var roleElement = context.User.RootElement.GetProperty("role");
var roleElement = context.User.RootElement.GetProperty(JwtClaimTypes.Role);
var claims = new List<Claim>();
if (roleElement.ValueKind == JsonValueKind.Array)
{
claims.AddRange(roleElement.EnumerateArray().Select(r => new Claim(JwtClaimTypes.Role, r.GetString() ?? string.Empty)));
}
else
{
claims.Add(new Claim(JwtClaimTypes.Role, roleElement.GetString() ?? string.Empty));
}
if (context.Principal?.Identity is ClaimsIdentity id)
{
id.AddClaims(claims);
}
return Task.CompletedTask;
};
//..other setting
});
//有 HA 需求可參考
//設定認證資料存放到 Redis 上面共用
//此範例未特別設定加密,基於安全性,應考慮加密問題
//REF: https://docs.microsoft.com/en-us/aspnet/core/security/cookie-sharing?view=aspnetcore-6.0#share-authentication-cookies-among-aspnet-core-apps
//REF: https://docs.microsoft.com/zh-tw/aspnet/core/security/data-protection/implementation/key-storage-providers?view=aspnetcore-6.0&tabs=visual-studio#redis
builder.Services
.AddDataProtection()
.PersistKeysToStackExchangeRedis(ConnectionMultiplexer.Connect(redisUrl), "LoginKey:")
.SetApplicationName("Sample");
Read more
Published on 
HackMD
HackMD