如何解决如何在Identityserver4中从没有用户名和密码的令牌端点获取令牌?
我在asp.net核心网络api中使用IdentityServer4进行用户身份验证和授权。我在android应用程序中使用此api。我的用户使用用户名和密码注册和登录没有问题。这是我的访问令牌我来自连接/令牌端点
{
"alg": "RS512","typ": "at+jwt"
}
{
"nbf": 1600324303,"exp": 1631860303,"iss": "https://myIdentityServerApi.com","aud": [
"IdentityServerApi","MyAPI1"
],"client_id": "MyApp1","sub": "521d198c-3657-488e-997e-3e50d756b353","auth_time": 1600324302,"idp": "local","role": "Admin","name": "myusername","scope": [
"openid","IdentityServerApi","amr": [
"pwd"
]
}
现在,在新的android应用程序中,我希望用户使用电话号码和短信激活功能进行注册和登录。 当用户发送ActivationCode时,我应该向他发送访问令牌。但是,如何从没有用户名和密码的令牌端点获取令牌?
在下面,我想手动生成令牌,但是生成的令牌不起作用。
[HttpPost("Activate")]
[AllowAnonymous]
public async Task<IActionResult> Activate([FromBody] SignUpPhoneModel model)
{
if (string.IsNullOrWhiteSpace(model.PhoneNumber))
{
return BadRequest("Phone Number is Empty");
}
PhoneValidation pv = new PhoneValidation();
IdentityUser CurrentUser = await db.Users.Where(e => e.PhoneNumber == model.PhoneNumber).FirstAsync();
if (!await UserManager.VerifyChangePhoneNumberTokenAsync(CurrentUser,model.ActivationCode,model.PhoneNumber))
{
return BadRequest("Activation Code is not correct");
}
else
{
//Here user is activated and should get token But How?
CurrentUser.PhoneNumberConfirmed = true;
List<string> UserRoles = (await UserManager.GetRolesAsync(CurrentUser)).ToList();
var tokenHandler = new JwtSecurityTokenHandler();
RSACryptoServiceProvider rsap = new RSACryptoServiceProvider(KeyContainerNameForSigning);
SecurityKey sk = new RsaSecurityKey(rsap.Engine);
List<Claim> UserClaims = new List<Claim>() {
new Claim(JwtRegisteredClaimNames.Sub,CurrentUser.Id),};
foreach (var r in UserRoles)
{
UserClaims.Add(new Claim(JwtClaimTypes.Role,r));
}
var tokenDescriptor = new SecurityTokenDescriptor
{
Issuer= "https://myidentityserverapi.com",Audience = "IdentityServerApi,MyAPI",Subject = new ClaimsIdentity(UserClaims),Expires = DateTime.UtcNow.AddDays(365),SigningCredentials = new SigningCredentials(sk,SecurityAlgorithms.RsaSha512),};
var token = tokenHandler.CreateToken(tokenDescriptor);
TokenModel tm = new TokenModel()
{
access_token = tokenHandler.WriteToken(token)
};
return Ok(tm);
}
}
当我在应用程序中从上方(操作方法)接收令牌时,如下所示,但是它不起作用,例如User.Identity.IsAuthenticated
为false。任何人都知道如何生成令牌,例如connect / token端点没有用户名和密码?
"alg": "RS256","typ": "JWT"
}
{
"unique_name": "13f2e130-e2e6-48c7-b3ac-40f8dde8087b","role": "Member","nbf": 1600323833,"exp": 1718259833,"iat": 1600323833
}
我选择了正确的方法吗?还是我应该使用另一种方式,例如不同的流程或授予类型?
解决方法
我想您的用户通过IS4服务器激活了ActivationCode
。在这种情况下,您无需手动管理/生成access_token
。
您只需要遵循与AccountController中的Login
方法相同的过程即可,
-
使用登录名/密码检查用户,请验证您的
ActivationCode
-
一旦用户确定,SignInManager会
SignIn
您的用户。 (instructions from the GDB Wiki) -
引发UserLoginSuccessEvent事件。
await _events.RaiseAsync(new UserLoginSuccessEvent(user.UserName,user.Id,user.UserName,clientId: context?.Client.ClientId));
-
最终将用户重定向到您的Web应用。
return Redirect(model.ReturnUrl);
重定向到您的应用程序时,IdentityServer4会将其access_token
发送给用户。
我认为您需要做的就是,当用户确认激活码时,您将执行与以下内容相同的操作:
public async Task<IActionResult> Login(LoginInputModel model,string button) { }
在参考AccountController.cs类中找到。
,我终于像这样创建访问令牌:
[HttpPost("Activate")]
[AllowAnonymous]
public async Task<IActionResult> Activate([FromBody] SignUpPhoneModel model,[FromServices] ITokenService TS,[FromServices] IUserClaimsPrincipalFactory<JooyaIdentityUser> principalFactory,[FromServices] IdentityServerOptions options)
{
JooyaIdentityUser CurrentUser = await db.Users.Where(e => e.PhoneNumber == model.PhoneNumber).FirstOrDefaultAsync();
if (!await UserManager.VerifyChangePhoneNumberTokenAsync(CurrentUser,model.ActivationCode,model.PhoneNumber))
{
return BadRequest("Activation Code in not correct");
}
CurrentUser.PhoneNumberConfirmed = true;
await db.SaveChangesAsync();
await UserManager.UpdateSecurityStampAsync(CurrentUser);
var Request = new TokenCreationRequest();
var IdentityPricipal = await principalFactory.CreateAsync(CurrentUser);
var IdentityUser = new IdentityServerUser(CurrentUser.Id.ToString());
IdentityUser.AdditionalClaims = IdentityPricipal.Claims.ToArray();
IdentityUser.DisplayName = CurrentUser.UserName;
IdentityUser.AuthenticationTime = System.DateTime.UtcNow;
IdentityUser.IdentityProvider = IdentityServerConstants.LocalIdentityProvider;
Request.Subject = IdentityUser.CreatePrincipal();
Request.IncludeAllIdentityClaims = true;
Request.ValidatedRequest = new ValidatedRequest();
Request.ValidatedRequest.Subject = Request.Subject;
Request.ValidatedRequest.SetClient(SeedConfig.GetClients().Where(e => e.ClientId == model.ClientId).First());
List<ApiResource> Apis = new List<ApiResource>();
Apis.Add(SeedConfig.GetApis().Where(e => e.Name == "IdentityServerApi").First());
Apis.Add(SeedConfig.GetApis().Where(e => e.Name == model.ApiName).First());
Request.Resources = new Resources(SeedConfig.GetIdentityResources(),Apis);
Request.ValidatedRequest.Options = options;
Request.ValidatedRequest.ClientClaims = IdentityUser.AdditionalClaims;
var Token = await TS.CreateAccessTokenAsync(Request);
Token.Issuer = HttpContext.Request.Scheme + "://" + HttpContext.Request.Host.Value;
Token.Lifetime = 32000000;
var TokenValue = await TS.CreateSecurityTokenAsync(Token);
TokenModel tm = new TokenModel()
{
access_token = TokenValue
};
return Ok(tm);
}
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。