From ec8e553304e85eb2fc178b64999de883560b9ca1 Mon Sep 17 00:00:00 2001 From: hang <872297557@qq.com> Date: Thu, 31 Oct 2024 18:05:10 +0800 Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=20IdentityModel.OidcClient?= =?UTF-8?q?=20=E6=B5=8B=E8=AF=95ok?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Controllers/ExtraController.cs | 62 +------- IRaCIS.Core.API/IRaCIS.Core.API.xml | 141 ----------------- .../IRaCIS.Core.Application.csproj | 1 + .../IRaCIS.Core.Application.xml | 147 ++++++++++++++++++ .../MinimalApiService}/OAuth/LogotoParams.cs | 2 +- .../OAuth/LogtoTokenResponse.cs | 2 +- .../MinimalApiService}/OAuth/LogtoUser.cs | 2 +- .../Service/MinimalApiService/OAuthService.cs | 146 +++++++++++++++++ 8 files changed, 301 insertions(+), 202 deletions(-) rename {IRaCIS.Core.API => IRaCIS.Core.Application/Service/MinimalApiService}/OAuth/LogotoParams.cs (99%) rename {IRaCIS.Core.API => IRaCIS.Core.Application/Service/MinimalApiService}/OAuth/LogtoTokenResponse.cs (95%) rename {IRaCIS.Core.API => IRaCIS.Core.Application/Service/MinimalApiService}/OAuth/LogtoUser.cs (93%) create mode 100644 IRaCIS.Core.Application/Service/MinimalApiService/OAuthService.cs
diff --git a/IRaCIS.Core.API/Controllers/ExtraController.cs b/IRaCIS.Core.API/Controllers/ExtraController.cs
index b32bc67ab..39c25fc56 100644
--- a/IRaCIS.Core.API/Controllers/ExtraController.cs
+++ b/IRaCIS.Core.API/Controllers/ExtraController.cs
@@ -1,9 +1,10 @@
 using Amazon.Auth.AccessControlPolicy;
 using Amazon.SecurityToken;
 using Azure.Core;
+using IdentityModel.Client;
+using IdentityModel.OidcClient;
 using IRaCIS.Application.Contracts;
 using IRaCIS.Application.Interfaces;
-using IRaCIS.Core.API.OAuth;
 using IRaCIS.Core.Application.Auth;
 using IRaCIS.Core.Application.Contracts;
 using IRaCIS.Core.Application.Helper;
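Review bot: `using IdentityModel.Client;` and `using IdentityModel.OidcClient;` are added to ExtraController.cs even though the `@@ -433,63 +436,6 @@` hunk later in this patch removes the client-credentials block that was the visible consumer of that code, and the new consumer (`OAuthService.cs`) only needs `IdentityModel.Client`. Unless some other part of the controller outside this hunk uses them, these are dead usings that keep the controller project coupled to the OIDC client package; drop both here (and likewise `System.Net.Http` / `System.Text.Json` from the next hunk if they are equally unused) so the dependency lives only where the code does.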
@@ -25,7 +26,9 @@ using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Net;
+using System.Net.Http;
 using System.Text;
+using System.Text.Json;
 using System.Threading.Tasks;
 using ZiggyCreatures.Caching.Fusion;
 using AssumeRoleRequest = Amazon.SecurityToken.Model.AssumeRoleRequest;
@@ -433,63 +436,6 @@ namespace IRaCIS.Api.Controllers
 #endregion
- #region 客户端方式获取logto 里面的信息
-
- var baseUrl = "https://logto.test.extimaging.com";
- var appId = "v2mr2ndxwkxz0xpsuc1th";
- var appSecret = "yq9jUxl70QoOmwHxJ37h1rDoyJ5iz92Q";
- var apiAddress = "https://default.logto.app/api"; //这里是个坑
- var scope = "all";
-
- var opts = new RestClientOptions(baseUrl);
- using var client = new RestClient(opts);
-
- //https://bump.sh/logto/doc/logto-management-api/authentication
- var request = new RestRequest("oidc/token", Method.Post);
- request
- .AddHeader("Content-Type", "application/x-www-form-urlencoded")
- .AddParameter("grant_type", "client_credentials")
- .AddParameter("client_id", appId)
- .AddParameter("client_secret", appSecret)
- .AddParameter("resource", apiAddress) //注意这里默认值地址和api 地址有区别
- .AddParameter("scope", scope);
-
-
- var response = await client.ExecuteAsync(request);
-
- if (response.StatusCode == HttpStatusCode.OK)
- {
- var tokenResponse = response.Data;
-
- Console.WriteLine(tokenResponse.ToJsonStr());
-
- #region 获取应用信息
-
- var applicationRequest = new RestRequest($"/api/applications", Method.Get)
- .AddHeader("Authorization", $"Bearer {tokenResponse.AccessToken}");
-
- var applicationResponse = await client.ExecuteAsync(applicationRequest);
- #endregion
-
- #region 获取用户信息
- //curl \
- // -X GET https://[tenant_id].logto.app/api/users/{userId} \
- // -H "Authorization: Bearer $ACCESS_TOKEN"
-
- var userId = "4fqx4cb3438k";
- var userInfoRequest = new RestRequest($"api/users/{userId}", Method.Get)
- .AddHeader("Authorization", $"Bearer {tokenResponse.AccessToken}");
-
-
- var userResponse = await client.ExecuteAsync(userInfoRequest);
-
- Console.WriteLine(userResponse.Content);
-
- #endregion
- }
-
-
- #endregion
 return ResponseOutput.Ok();
diff --git a/IRaCIS.Core.API/IRaCIS.Core.API.xml b/IRaCIS.Core.API/IRaCIS.Core.API.xml
index d2bfbef62..222dde557 100644
--- a/IRaCIS.Core.API/IRaCIS.Core.API.xml
+++ b/IRaCIS.Core.API/IRaCIS.Core.API.xml
@@ -346,147 +346,6 @@ - - - The token names used by Cookie and OpenID Connect middleware to store and retrieve tokens from - Logto OpenID Connect provider. -
- See tokens that are stored by OpenID Connect middleware for more details. -
-
- - - The scope names used by Logto OpenID Connect provider to request for user information. - - - - - The scope name for requesting user's email. - Logto will issue two claims to the ID token: email and email_verified. - - - - - The scope name for requesting user's phone number. - Logto will issue two claims to the ID token: phone and phone_verified. - - - - - The scope name for requesting user's custom data. - Logto will issue a claim to the response of the userinfo endpoint: custom_data. -
- Note that when requesting this scope, you must set to true. -
-
- - - The scope name for requesting user's identities. - Logto will issue a claim to the response of the userinfo endpoint: identities. -
- Note that when requesting this scope, you must set to true. -
-
- - - The claim names used by Logto OpenID Connect provider for ID token and userinfo endpoint. - - - - - The claim name for the issuer identifier for whom issued the token. - - - - - The claim name for the subject identifier for whom the token is intended (user ID). - - - - - The claim name for the audience that the token is intended for, which is the client ID. - - - - - The claim name for the expiration time of the token (in seconds). - - - - - The claim name for the time at which the token was issued (in seconds). - - - - - The claim name for the user's full name. - - - - - The claim name for user's username. - - - - - The claim name for user's profile picture URL. - - - - - The claim name for user's email. - - - - - The claim name for user's email verification status. - - - - - The claim name for user's phone number. - - - - - The claim name for user's phone number verification status. - - - - - The claim name for user's custom data. - - - - - The claim name for user's identities. - - - - - The access token issued by the Logto authorization server. - - - - - The type of the token issued by the Logto authorization server. - - - - - The lifetime in seconds of the access token. - - - - - The refresh token, which can be used to obtain new access tokens using the same authorization grant. - - - - - The ID token, which can be used to verify the identity of the user. - - IPLimit限流 启动服务 diff --git a/IRaCIS.Core.Application/IRaCIS.Core.Application.csproj b/IRaCIS.Core.Application/IRaCIS.Core.Application.csproj index 0ee518934..1cf3fd0b9 100644 --- a/IRaCIS.Core.Application/IRaCIS.Core.Application.csproj +++ b/IRaCIS.Core.Application/IRaCIS.Core.Application.csproj @@ -32,6 +32,7 @@ + diff --git a/IRaCIS.Core.Application/IRaCIS.Core.Application.xml b/IRaCIS.Core.Application/IRaCIS.Core.Application.xml index dc9ae2fd2..dc953a52c 100644 --- a/IRaCIS.Core.Application/IRaCIS.Core.Application.xml +++ b/IRaCIS.Core.Application/IRaCIS.Core.Application.xml 
@@ -2340,6 +2340,153 @@ + + + 测试客户端凭证代码 + + + + + + The token names used by Cookie and OpenID Connect middleware to store and retrieve tokens from + Logto OpenID Connect provider. +
+ See tokens that are stored by OpenID Connect middleware for more details. +
+
+ + + The scope names used by Logto OpenID Connect provider to request for user information. + + + + + The scope name for requesting user's email. + Logto will issue two claims to the ID token: email and email_verified. + + + + + The scope name for requesting user's phone number. + Logto will issue two claims to the ID token: phone and phone_verified. + + + + + The scope name for requesting user's custom data. + Logto will issue a claim to the response of the userinfo endpoint: custom_data. +
+ Note that when requesting this scope, you must set to true. +
+
+ + + The scope name for requesting user's identities. + Logto will issue a claim to the response of the userinfo endpoint: identities. +
+ Note that when requesting this scope, you must set to true. +
+
+ + + The claim names used by Logto OpenID Connect provider for ID token and userinfo endpoint. + + + + + The claim name for the issuer identifier for whom issued the token. + + + + + The claim name for the subject identifier for whom the token is intended (user ID). + + + + + The claim name for the audience that the token is intended for, which is the client ID. + + + + + The claim name for the expiration time of the token (in seconds). + + + + + The claim name for the time at which the token was issued (in seconds). + + + + + The claim name for the user's full name. + + + + + The claim name for user's username. + + + + + The claim name for user's profile picture URL. + + + + + The claim name for user's email. + + + + + The claim name for user's email verification status. + + + + + The claim name for user's phone number. + + + + + The claim name for user's phone number verification status. + + + + + The claim name for user's custom data. + + + + + The claim name for user's identities. + + + + + The access token issued by the Logto authorization server. + + + + + The type of the token issued by the Logto authorization server. + + + + + The lifetime in seconds of the access token. + + + + + The refresh token, which can be used to obtain new access tokens using the same authorization grant. + + + + + The ID token, which can be used to verify the identity of the user. + + 验证CRC 是否已提交 已提交 就不允许进行任何操作,如果是IQC 那么还验证是否是当前任务领取人 diff --git a/IRaCIS.Core.API/OAuth/LogotoParams.cs b/IRaCIS.Core.Application/Service/MinimalApiService/OAuth/LogotoParams.cs similarity index 99% rename from IRaCIS.Core.API/OAuth/LogotoParams.cs rename to IRaCIS.Core.Application/Service/MinimalApiService/OAuth/LogotoParams.cs index 0cfb61299..051c5a62d 100644 --- a/IRaCIS.Core.API/OAuth/LogotoParams.cs +++ b/IRaCIS.Core.Application/Service/MinimalApiService/OAuth/LogotoParams.cs 
@@ -1,7 +1,7 @@
 using Microsoft.IdentityModel.Protocols.OpenIdConnect;
 using System.Text.Json.Serialization;
-namespace IRaCIS.Core.API.OAuth;
+namespace IRaCIS.Core.Application.Service.OAuth;
diff --git a/IRaCIS.Core.API/OAuth/LogtoTokenResponse.cs b/IRaCIS.Core.Application/Service/MinimalApiService/OAuth/LogtoTokenResponse.cs
similarity index 95%
rename from IRaCIS.Core.API/OAuth/LogtoTokenResponse.cs
rename to IRaCIS.Core.Application/Service/MinimalApiService/OAuth/LogtoTokenResponse.cs
index 9c9dd5600..51323d93d 100644
--- a/IRaCIS.Core.API/OAuth/LogtoTokenResponse.cs
+++ b/IRaCIS.Core.Application/Service/MinimalApiService/OAuth/LogtoTokenResponse.cs
@@ -1,6 +1,6 @@
 using System.Text.Json.Serialization;
-namespace IRaCIS.Core.API.OAuth;
+namespace IRaCIS.Core.Application.Service.OAuth;
 public class LogtoTokenResponse
 {
diff --git a/IRaCIS.Core.API/OAuth/LogtoUser.cs b/IRaCIS.Core.Application/Service/MinimalApiService/OAuth/LogtoUser.cs
similarity index 93%
rename from IRaCIS.Core.API/OAuth/LogtoUser.cs
rename to IRaCIS.Core.Application/Service/MinimalApiService/OAuth/LogtoUser.cs
index 8f627f4c6..a614a9026 100644
--- a/IRaCIS.Core.API/OAuth/LogtoUser.cs
+++ b/IRaCIS.Core.Application/Service/MinimalApiService/OAuth/LogtoUser.cs
@@ -1,7 +1,7 @@
 using Org.BouncyCastle.Tls;
 using System.Collections.Generic;
-namespace IRaCIS.Core.API.OAuth;
+namespace IRaCIS.Core.Application.Service.OAuth;
 public class LogtoUser
 {
diff --git a/IRaCIS.Core.Application/Service/MinimalApiService/OAuthService.cs b/IRaCIS.Core.Application/Service/MinimalApiService/OAuthService.cs
new file mode 100644
index 000000000..db9dd5f96
--- /dev/null
+++ b/IRaCIS.Core.Application/Service/MinimalApiService/OAuthService.cs
@@ -0,0 +1,146 @@
+using IdentityModel.Client;
+using IRaCIS.Core.Application.Service.OAuth;
+using Microsoft.AspNetCore.Builder;
+using RestSharp;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net;
+using System.Text;
+using System.Text.Json;
+using System.Threading.Tasks;
+
+namespace IRaCIS.Core.Application.Service
+{
+ public class OAuthService : ServiceBase
+ {
+
+
+ ///
+ /// 测试客户端凭证代码
+ ///
+ ///
+ public async Task TestClientCredentialsAsync()
+ {
+
+ #region 使用IdentityModel.OidcClient 测试
+
+ // discover endpoints from metadata
+ var client = new HttpClient();
+
+ var disco = await client.GetDiscoveryDocumentAsync("https://logto.test.extimaging.com/oidc");
+ if (disco.IsError)
+ {
+ Console.WriteLine(disco.Error);
+ }
+
+ // request token
+ var tokenResponse = await client.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
+ {
+ Address = disco.TokenEndpoint,
+ ClientId = "v2mr2ndxwkxz0xpsuc1th",
+ ClientSecret = "yq9jUxl70QoOmwHxJ37h1rDoyJ5iz92Q",
+ Resource = new List() { "https://default.logto.app/api" },
+ Scope = "all"
+ });
+
+ if (tokenResponse.IsError)
+ {
+ Console.WriteLine(tokenResponse.Error);
+ Console.WriteLine(tokenResponse.ErrorDescription);
+ }
+ else
+ {
+ Console.WriteLine(tokenResponse.AccessToken);
+ Console.WriteLine("\n\n");
+
+ // call api
+ var apiClient = new HttpClient();
+ apiClient.SetBearerToken(tokenResponse.AccessToken);
+
+ var response = await apiClient.GetAsync("https://logto.test.extimaging.com/api/applications");
+ if (!response.IsSuccessStatusCode)
+ {
+ Console.WriteLine(response.StatusCode);
+ }
+ else
+ {
+ var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync()).RootElement;
+ Console.WriteLine(JsonSerializer.Serialize(doc, new JsonSerializerOptions { WriteIndented = true }));
+ }
+ }
+
+
+ #endregion
+
+ return ResponseOutput.Ok();
+
+
+ }
+
+ public async Task TestClientCredentialsOriginAsync()
+ {
+ #region 客户端方式获取logto 里面的信息
+ {
+
+ var 
baseUrl = "https://logto.test.extimaging.com";
+ var appId = "v2mr2ndxwkxz0xpsuc1th";
+ var appSecret = "yq9jUxl70QoOmwHxJ37h1rDoyJ5iz92Q";
+ var apiAddress = "https://default.logto.app/api"; //这里是个坑
+ var scope = "all";
+
+ var opts = new RestClientOptions(baseUrl);
+ using var client = new RestClient(opts);
+
+ //https://bump.sh/logto/doc/logto-management-api/authentication
+ var request = new RestRequest("oidc/token", Method.Post);
+ request
+ .AddHeader("Content-Type", "application/x-www-form-urlencoded")
+ .AddParameter("grant_type", "client_credentials")
+ .AddParameter("client_id", appId)
+ .AddParameter("client_secret", appSecret)
+ .AddParameter("resource", apiAddress) //注意这里默认值地址和api 地址有区别
+ .AddParameter("scope", scope);
+
+
+ var response = await client.ExecuteAsync(request);
+
+ if (response.StatusCode == HttpStatusCode.OK)
+ {
+ var tokenResponse = response.Data;
+
+ Console.WriteLine(tokenResponse.ToJsonStr());
+
+ #region 获取应用信息
+
+ var applicationRequest = new RestRequest($"/api/applications", Method.Get)
+ .AddHeader("Authorization", $"Bearer {tokenResponse.AccessToken}");
+
+ var applicationResponse = await client.ExecuteAsync(applicationRequest);
+ #endregion
+
+ #region 获取用户信息
+ //curl \
+ // -X GET https://[tenant_id].logto.app/api/users/{userId} \
+ // -H "Authorization: Bearer $ACCESS_TOKEN"
+
+ var userId = "4fqx4cb3438k";
+ var userInfoRequest = new RestRequest($"api/users/{userId}", Method.Get)
+ .AddHeader("Authorization", $"Bearer {tokenResponse.AccessToken}");
+
+
+ var userResponse = await client.ExecuteAsync(userInfoRequest);
+
+ Console.WriteLine(userResponse.Content);
+
+ #endregion
+ }
+
+
+ }
+ #endregion
+
+ return ResponseOutput.Ok();
+ }
+ }
+}
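Review bot: The Logto management-API credentials are still committed in source — `ClientId = "v2mr2ndxwkxz0xpsuc1th"` / `ClientSecret = "yq9jUxl70QoOmwHxJ37h1rDoyJ5iz92Q"` appear in both `TestClientCredentialsAsync` and `TestClientCredentialsOriginAsync` — so this commit relocates the secret out of ExtraController rather than removing it, and the value is in git history either way; rotate the app secret in Logto and load it from configuration or a secret store (user-secrets, environment, vault), never a literal. The token minted with it is then written to stdout (`Console.WriteLine(tokenResponse.AccessToken)` in the first method, `Console.WriteLine(tokenResponse.ToJsonStr())` in the second), which puts a bearer token requested with `Scope = "all"` on the Management API resource into console/log capture; log only `tokenResponse.IsError` or the HTTP status, never the token or the raw token response. When discovery fails the first method only prints `disco.Error` and then continues into `RequestClientCredentialsTokenAsync` with `Address = disco.TokenEndpoint`, which will not be a usable endpoint in that case; return early instead, e.g. `if (disco.IsError) { return ResponseOutput.NotOk(disco.Error); }` (or whichever failure helper `ResponseOutput` provides). Because `OAuthService` derives from `ServiceBase` under MinimalApiService and returns `ResponseOutput`, it may be auto-registered as an HTTP endpoint like other services in that folder (cannot confirm from this hunk) — if so, anyone who can reach it can drive Management API calls with this credential, so these methods belong in a test project or behind explicit authorization before merging. Finally, both methods allocate `new HttpClient()` per call (two in the first) instead of using an injected `IHttpClientFactory`/shared client, which risks socket exhaustion if these are ever invoked repeatedly.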