From 1dea9bf4234d39b8906c08c38f231589d9111204 Mon Sep 17 00:00:00 2001
From: cKey <35512826+colinin@users.noreply.github.com>
Date: Tue, 13 Dec 2022 16:47:53 +0800
Subject: [PATCH] fix issue: #726

---
 .../Controllers/TokenController.LinkUser.cs | 56 +++++++++++++------
 .../AuthServerModule.Configure.cs | 35 ++++++++++++
 .../AuthServerModule.cs | 3 +-
 .../appsettings.Development.json | 18 +++---
 4 files changed, 84 insertions(+), 28 deletions(-)

diff --git a/aspnet-core/modules/openIddict/LINGYUN.Abp.OpenIddict.LinkUser/LINGYUN/Abp/OpenIddict/LinkUser/Controllers/TokenController.LinkUser.cs b/aspnet-core/modules/openIddict/LINGYUN.Abp.OpenIddict.LinkUser/LINGYUN/Abp/OpenIddict/LinkUser/Controllers/TokenController.LinkUser.cs
index 873181490..3f0b51dba 100644
--- a/aspnet-core/modules/openIddict/LINGYUN.Abp.OpenIddict.LinkUser/LINGYUN/Abp/OpenIddict/LinkUser/Controllers/TokenController.LinkUser.cs
+++ b/aspnet-core/modules/openIddict/LINGYUN.Abp.OpenIddict.LinkUser/LINGYUN/Abp/OpenIddict/LinkUser/Controllers/TokenController.LinkUser.cs
@@ -3,9 +3,11 @@ using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using OpenIddict.Abstractions;
+using OpenIddict.Server;
 using OpenIddict.Server.AspNetCore;
 using System;
 using System.Collections.Generic;
+using System.Security.Principal;
 using System.Threading.Tasks;
 using Volo.Abp.DependencyInjection;
 using Volo.Abp.Identity;
@@ -30,6 +32,7 @@ public class LinkUserTokenController : AbpOpenIdDictControllerBase, ITokenExtens
 {
 LazyServiceProvider = context.HttpContext.RequestServices.GetRequiredService();
+ // 用户需要传递身份令牌
 var accessTokenParam = context.Request.GetParameter("access_token");
 var accessToken = accessTokenParam.ToString();
 if (accessToken.IsNullOrWhiteSpace())
@@ -43,26 +46,47 @@ public class LinkUserTokenController : AbpOpenIdDictControllerBase, ITokenExtens
 return Forbid(properties, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
 }
- await foreach (var result in TokenManager.ValidateAsync(accessToken))
+ // 通过身份令牌得到用户信息
+ var transaction = await context.HttpContext.RequestServices.GetRequiredService().CreateTransactionAsync();
+ transaction.EndpointType = OpenIddictServerEndpointType.Userinfo;
+ transaction.Request = new OpenIddictRequest
 {
- var properties = new AuthenticationProperties(new Dictionary
- {
- [OpenIddictServerAspNetCoreConstants.Properties.Error] = OpenIddictConstants.Errors.InvalidGrant,
- [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = result.ErrorMessage
- });
-
- return Forbid(properties, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
- }
+ ClientId = context.Request.ClientId,
+ ClientSecret = context.Request.ClientSecret,
+ AccessToken = accessToken
+ };
- var userId = await TokenManager.GetIdAsync(accessToken);
- var user = await UserManager.FindByIdAsync(userId);
- var principal = await SignInManager.CreateUserPrincipalAsync(user);
+ var notification = new OpenIddictServerEvents.ProcessAuthenticationContext(transaction);
+ var dispatcher = context.HttpContext.RequestServices.GetRequiredService();
+ await dispatcher.DispatchAsync(notification);
- principal.SetScopes(context.Request.GetScopes());
- principal.SetResources(await GetResourcesAsync(context.Request.GetScopes()));
+ if (notification.IsRejected)
+ {
+ return Forbid(
+ new AuthenticationProperties(new Dictionary
+ {
+ [OpenIddictServerAspNetCoreConstants.Properties.Error] = notification.Error ?? OpenIddictConstants.Errors.InvalidRequest,
+ [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = notification.ErrorDescription,
+ [OpenIddictServerAspNetCoreConstants.Properties.ErrorUri] = notification.ErrorUri
+ }),
+ OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
+ }
- await SetClaimsDestinationsAsync(principal);
+ var principal = notification.Principal;
+ if (principal == null)
+ {
+ return Forbid(
+ new AuthenticationProperties(new Dictionary
+ {
+ [OpenIddictServerAspNetCoreConstants.Properties.Error] = notification.Error ?? OpenIddictConstants.Errors.InvalidRequest,
+ [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = notification.ErrorDescription,
+ [OpenIddictServerAspNetCoreConstants.Properties.ErrorUri] = notification.ErrorUri
+ }),
+ OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
+ }
+ var userId = principal.FindUserId();
+ // 交换令牌
 using (CurrentPrincipalAccessor.Change(principal))
 {
 var linkUserIdParam = context.Request.GetParameter("LinkUserId");
@@ -96,7 +120,7 @@ public class LinkUserTokenController : AbpOpenIdDictControllerBase, ITokenExtens
 }
 var isLinked = await IdentityLinkUserManager.IsLinkedAsync(
- new IdentityLinkUserInfo(user.Id, CurrentTenant.Id),
+ new IdentityLinkUserInfo(userId.Value, CurrentTenant.Id),
 new IdentityLinkUserInfo(linkUserId, linkTenantId));
 if (isLinked)
diff --git a/aspnet-core/services/LY.MicroService.AuthServer/AuthServerModule.Configure.cs b/aspnet-core/services/LY.MicroService.AuthServer/AuthServerModule.Configure.cs
index 22887d99b..49ccbeda6 100644
--- a/aspnet-core/services/LY.MicroService.AuthServer/AuthServerModule.Configure.cs
+++ b/aspnet-core/services/LY.MicroService.AuthServer/AuthServerModule.Configure.cs
@@ -16,6 +16,7 @@ using StackExchange.Redis;
 using System;
 using System.IO;
 using System.Linq;
+using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Text.Encodings.Web;
 using System.Text.Unicode;
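Review bot: `principal.FindUserId()` returns a nullable id, but nothing in this hunk rejects a principal that carries no user id claim, and the hunk at `@@ -96,7 +120,7 @@` dereferences it with `userId.Value`, which throws InvalidOperationException instead of returning a 4xx error. Add a guard right after the assignment, for example `if (userId == null) return Forbid(new AuthenticationProperties(new Dictionary<string, string> { [OpenIddictServerAspNetCoreConstants.Properties.Error] = OpenIddictConstants.Errors.InvalidGrant }), OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);`. The Forbid blocks for `IsRejected` and for a null `Principal` are byte-identical; a small local function such as `Reject(string error, string description, string uri)` would remove the duplication and give the new guard a home. The authenticated principal is also not checked against the calling client, so an access_token issued to another client is accepted for the exchange; comparing `principal.GetPresenters()` with `context.Request.ClientId` before `CurrentPrincipalAccessor.Change` would bind the token to its presenter, unless the token-endpoint client authentication that runs before this handler already covers that (not visible here). The enclosing method starts before and continues past this hunk.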
@@ -122,6 +123,40 @@ public partial class AuthServerModule
 });
 }
 }
+ else
+ {
+ PreConfigure(options =>
+ {
+ //https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html
+ options.AddDevelopmentEncryptionAndSigningCertificate = false;
+ });
+
+ PreConfigure(builder =>
+ {
+ //https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html
+ using (var algorithm = RSA.Create(keySizeInBits: 2048))
+ {
+ var subject = new X500DistinguishedName("CN=Fabrikam Encryption Certificate");
+ var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+ request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));
+ var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(2));
+ builder.AddSigningCertificate(certificate);
+ }
+
+ using (var algorithm = RSA.Create(keySizeInBits: 2048))
+ {
+ var subject = new X500DistinguishedName("CN=Fabrikam Signing Certificate");
+ var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+ request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment, critical: true));
+ var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(2));
+ builder.AddEncryptionCertificate(certificate);
+ }
+
+ // 禁用https
+ builder.UseAspNetCore()
+ .DisableTransportSecurityRequirement();
+ });
+ }
 }
 private void ConfigureDbContext()
diff --git a/aspnet-core/services/LY.MicroService.AuthServer/AuthServerModule.cs b/aspnet-core/services/LY.MicroService.AuthServer/AuthServerModule.cs
index eea691e36..ab8e6ba32 100644
--- a/aspnet-core/services/LY.MicroService.AuthServer/AuthServerModule.cs
+++ b/aspnet-core/services/LY.MicroService.AuthServer/AuthServerModule.cs
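Review bot: The two subject names are swapped: the certificate handed to `AddSigningCertificate` (key usage DigitalSignature) is named `CN=Fabrikam Encryption Certificate`, while the one handed to `AddEncryptionCertificate` (KeyEncipherment) is `CN=Fabrikam Signing Certificate`; swap the two literals, and preferably name them after this service instead of the documentation's `Fabrikam` sample. Both key pairs are regenerated with `RSA.Create` on every startup, so tokens issued before a restart can no longer be validated or decrypted and two instances behind a load balancer will not accept each other's tokens; that is tolerable only if this `else` branch is the non-production path, which the `if` condition outside the hunk would confirm. `DisableTransportSecurityRequirement()` lets the server accept token requests over plain HTTP and must stay confined to that branch; a comment such as `// Ephemeral self-signed credentials and plain HTTP: local development only.` above the second `PreConfigure` would make the intent explicit for the next maintainer. The enclosing method starts before this hunk.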
@@ -30,6 +30,7 @@ using Volo.Abp.Caching.StackExchangeRedis;
 using Volo.Abp.EntityFrameworkCore.MySQL;
 using Volo.Abp.FeatureManagement.EntityFrameworkCore;
 using Volo.Abp.Identity;
+using Volo.Abp.Identity.AspNetCore;
 using Volo.Abp.Modularity;
 using Volo.Abp.OpenIddict.EntityFrameworkCore;
 using Volo.Abp.PermissionManagement.EntityFrameworkCore;
@@ -50,7 +51,7 @@ namespace LY.MicroService.AuthServer;
 typeof(AbpEntityFrameworkCoreMySQLModule),
 typeof(AbpIdentityEntityFrameworkCoreModule),
 typeof(AbpIdentityApplicationModule),
- // typeof(AbpIdentityHttpApiModule),
+ typeof(AbpIdentityAspNetCoreModule),
 typeof(AbpOpenIddictEntityFrameworkCoreModule),
 typeof(AbpOpenIddictSmsModule),
 typeof(AbpOpenIddictWeChatModule),
diff --git a/aspnet-core/services/LY.MicroService.AuthServer/appsettings.Development.json b/aspnet-core/services/LY.MicroService.AuthServer/appsettings.Development.json
index 7079f6a68..67e35b499 100644
--- a/aspnet-core/services/LY.MicroService.AuthServer/appsettings.Development.json
+++ b/aspnet-core/services/LY.MicroService.AuthServer/appsettings.Development.json
@@ -63,20 +63,16 @@
 "Authority": "http://127.0.0.1:44385/",
 "ApiName": "lingyun-abp-application"
 },
- "IdentityServer": {
- "Clients": {
- "AuthManagement": {
- "ClientId": "auth-management",
- "RootUrl": "http://127.0.0.1:44313/"
- },
+ "OpenIddict": {
+ "Applications": {
 "AuthVueAdmin": {
- "ClientId": "vue-admin-client"
- },
- "AuthOldVueAdmin": {
- "ClientId": "vue-admin-element"
+ "ClientId": "vue-admin-client",
+ "ClientSecret": "1q2w3e*",
+ "RootUrl": "http://127.0.0.1:3100/"
 },
 "InternalService": {
- "ClientId": "InternalServiceClient"
+ "ClientId": "InternalServiceClient",
+ "ClientSecret": "1q2w3e*"
 }
 }
 },
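Review bot: `"ClientSecret": "1q2w3e*"` is committed in clear text for both the `AuthVueAdmin` and `InternalService` applications, and `InternalService` looks like a confidential client whose secret deserves protection even in a development seed. Keep the key but move the value out of source control, e.g. an empty placeholder here with the real value supplied through `dotnet user-secrets` or an environment variable override, and check that the production settings file does not inherit this value. If these entries are seeded into the OpenIddict application table, a row already seeded from the old IdentityServer section may keep its previous secret; confirm the seeder updates existing applications rather than only inserting new ones. `AuthVueAdmin` is now given a secret although a browser-hosted Vue admin is a public client that cannot keep one; if it uses authorization code with PKCE, the secret should be omitted rather than shared with the SPA.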