fix issue: #726

3 years ago · 1dea9bf423
4 changed files with 84 additions and 28 deletions
--- a/aspnet-core/modules/openIddict/LINGYUN.Abp.OpenIddict.LinkUser/LINGYUN/Abp/OpenIddict/LinkUser/Controllers/TokenController.LinkUser.cs
+++ b/aspnet-core/modules/openIddict/LINGYUN.Abp.OpenIddict.LinkUser/LINGYUN/Abp/OpenIddict/LinkUser/Controllers/TokenController.LinkUser.cs
@ -3,9 +3,11 @@ using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using OpenIddict.Abstractions;
+using OpenIddict.Server;
 using OpenIddict.Server.AspNetCore;
 using System;
 using System.Collections.Generic;
+using System.Security.Principal;
 using System.Threading.Tasks;
 using Volo.Abp.DependencyInjection;
 using Volo.Abp.Identity;
@ -30,6 +32,7 @@ public class LinkUserTokenController : AbpOpenIdDictControllerBase, ITokenExtens
    {
        LazyServiceProvider = context.HttpContext.RequestServices.GetRequiredService<IAbpLazyServiceProvider>();

+        // 用户需要传递身份令牌
        var accessTokenParam = context.Request.GetParameter("access_token");
        var accessToken = accessTokenParam.ToString();
        if (accessToken.IsNullOrWhiteSpace())
@ -43,26 +46,47 @@ public class LinkUserTokenController : AbpOpenIdDictControllerBase, ITokenExtens
            return Forbid(properties, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
        }

-        await foreach (var result in TokenManager.ValidateAsync(accessToken))
+        // 通过身份令牌得到用户信息
+        var transaction = await context.HttpContext.RequestServices.GetRequiredService<IOpenIddictServerFactory>().CreateTransactionAsync();
+        transaction.EndpointType = OpenIddictServerEndpointType.Userinfo;
+        transaction.Request = new OpenIddictRequest
        {
-            var properties = new AuthenticationProperties(new Dictionary<string, string>
-            {
-                [OpenIddictServerAspNetCoreConstants.Properties.Error] = OpenIddictConstants.Errors.InvalidGrant,
-                [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = result.ErrorMessage
-            });
-
-            return Forbid(properties, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
-        }
+            ClientId = context.Request.ClientId,
+            ClientSecret = context.Request.ClientSecret,
+            AccessToken = accessToken
+        };

-        var userId = await TokenManager.GetIdAsync(accessToken);
-        var user = await UserManager.FindByIdAsync(userId);
-        var principal = await SignInManager.CreateUserPrincipalAsync(user);
+        var notification = new OpenIddictServerEvents.ProcessAuthenticationContext(transaction);
+        var dispatcher = context.HttpContext.RequestServices.GetRequiredService<IOpenIddictServerDispatcher>();
+        await dispatcher.DispatchAsync(notification);

-        principal.SetScopes(context.Request.GetScopes());
-        principal.SetResources(await GetResourcesAsync(context.Request.GetScopes()));
+        if (notification.IsRejected)
+        {
+            return Forbid(
+                new AuthenticationProperties(new Dictionary<string, string>
+                {
+                    [OpenIddictServerAspNetCoreConstants.Properties.Error] = notification.Error ?? OpenIddictConstants.Errors.InvalidRequest,
+                    [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = notification.ErrorDescription,
+                    [OpenIddictServerAspNetCoreConstants.Properties.ErrorUri] = notification.ErrorUri
+                }),
+                OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
+        }

-        await SetClaimsDestinationsAsync(principal);
+        var principal = notification.Principal;
+        if (principal == null)
+        {
+            return Forbid(
+                new AuthenticationProperties(new Dictionary<string, string>
+                {
+                    [OpenIddictServerAspNetCoreConstants.Properties.Error] = notification.Error ?? OpenIddictConstants.Errors.InvalidRequest,
+                    [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = notification.ErrorDescription,
+                    [OpenIddictServerAspNetCoreConstants.Properties.ErrorUri] = notification.ErrorUri
+                }),
+                OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
+        }

+        var userId = principal.FindUserId();
+        // 交换令牌
        using (CurrentPrincipalAccessor.Change(principal))
        {
            var linkUserIdParam = context.Request.GetParameter("LinkUserId");
@ -96,7 +120,7 @@ public class LinkUserTokenController : AbpOpenIdDictControllerBase, ITokenExtens
            }

            var isLinked = await IdentityLinkUserManager.IsLinkedAsync(
-                new IdentityLinkUserInfo(user.Id, CurrentTenant.Id),
+                new IdentityLinkUserInfo(userId.Value, CurrentTenant.Id),
                new IdentityLinkUserInfo(linkUserId, linkTenantId));

            if (isLinked)
--- a/aspnet-core/services/LY.MicroService.AuthServer/AuthServerModule.Configure.cs
+++ b/aspnet-core/services/LY.MicroService.AuthServer/AuthServerModule.Configure.cs
@ -16,6 +16,7 @@ using StackExchange.Redis;
 using System;
 using System.IO;
 using System.Linq;
+using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Text.Encodings.Web;
 using System.Text.Unicode;
@ -122,6 +123,40 @@ public partial class AuthServerModule
                });
            }
        }
+        else
+        {
+            PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
+            {
+                //https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html
+                options.AddDevelopmentEncryptionAndSigningCertificate = false;
+            });
+
+            PreConfigure<OpenIddictServerBuilder>(builder =>
+            {
+                //https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html
+                using (var algorithm = RSA.Create(keySizeInBits: 2048))
+                {
+                    var subject = new X500DistinguishedName("CN=Fabrikam Encryption Certificate");
+                    var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+                    request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));
+                    var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(2));
+                    builder.AddSigningCertificate(certificate);
+                }
+
+                using (var algorithm = RSA.Create(keySizeInBits: 2048))
+                {
+                    var subject = new X500DistinguishedName("CN=Fabrikam Signing Certificate");
+                    var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+                    request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment, critical: true));
+                    var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(2));
+                    builder.AddEncryptionCertificate(certificate);
+                }
+
+                // 禁用https
+                builder.UseAspNetCore()
+                    .DisableTransportSecurityRequirement();
+            });
+        }
    }

    private void ConfigureDbContext()
--- a/aspnet-core/services/LY.MicroService.AuthServer/AuthServerModule.cs
+++ b/aspnet-core/services/LY.MicroService.AuthServer/AuthServerModule.cs
@ -30,6 +30,7 @@ using Volo.Abp.Caching.StackExchangeRedis;
 using Volo.Abp.EntityFrameworkCore.MySQL;
 using Volo.Abp.FeatureManagement.EntityFrameworkCore;
 using Volo.Abp.Identity;
+using Volo.Abp.Identity.AspNetCore;
 using Volo.Abp.Modularity;
 using Volo.Abp.OpenIddict.EntityFrameworkCore;
 using Volo.Abp.PermissionManagement.EntityFrameworkCore;
@ -50,7 +51,7 @@ namespace LY.MicroService.AuthServer;
    typeof(AbpEntityFrameworkCoreMySQLModule),
    typeof(AbpIdentityEntityFrameworkCoreModule),
    typeof(AbpIdentityApplicationModule),
-    // typeof(AbpIdentityHttpApiModule),
+    typeof(AbpIdentityAspNetCoreModule),
    typeof(AbpOpenIddictEntityFrameworkCoreModule),
    typeof(AbpOpenIddictSmsModule),
    typeof(AbpOpenIddictWeChatModule),
--- a/aspnet-core/services/LY.MicroService.AuthServer/appsettings.Development.json
+++ b/aspnet-core/services/LY.MicroService.AuthServer/appsettings.Development.json
@ -63,20 +63,16 @@
    "Authority": "http://127.0.0.1:44385/",
    "ApiName": "lingyun-abp-application"
  },
-  "IdentityServer": {
-    "Clients": {
-      "AuthManagement": {
-        "ClientId": "auth-management",
-        "RootUrl": "http://127.0.0.1:44313/"
-      },
+  "OpenIddict": {
+    "Applications": {
      "AuthVueAdmin": {
-        "ClientId": "vue-admin-client"
-      },
-      "AuthOldVueAdmin": {
-        "ClientId": "vue-admin-element"
+        "ClientId": "vue-admin-client",
+        "ClientSecret": "1q2w3e*",
+        "RootUrl": "http://127.0.0.1:3100/"
      },
      "InternalService": {
-        "ClientId": "InternalServiceClient"
+        "ClientId": "InternalServiceClient",
+        "ClientSecret": "1q2w3e*"
      }
    }
  },