tsai
/
abp-next-admin2
mirror of https://github.com/colinin/abp-next-admin.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

feat(oauth): Rewrite the user authorize page 

- 重写OpenIddict授权同意页,允许用户勾选授权范围
pull/1416/head
colin 2 months ago
parent
656db9f616
commit
495d51d6b6
38 changed files with 1045 additions and 512 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 3
      apps/vben5/apps/app-antd/src/locales/langs/en-US/abp.json
  2. 3
      apps/vben5/apps/app-antd/src/locales/langs/zh-CN/abp.json
  3. 2
      apps/vben5/apps/app-antd/src/router/routes/core.ts
  4. 6
      apps/vben5/apps/app-antd/src/store/auth.ts
  5. 16
      apps/vben5/apps/app-antd/src/views/_core/fallback/login-callback.vue
  6. 12
      apps/vben5/packages/@abp/account/src/hooks/useOAuthError.ts
  7. 50
      apps/vben5/packages/@abp/openiddict/src/components/scopes/ScopeModal.vue
  8. 11
      aspnet-core/LINGYUN.MicroService.SingleProject.sln
  9. 3
      aspnet-core/aspire/LINGYUN.Abp.MicroService.AdminService/appsettings.Development.json
  10. 10
      aspnet-core/aspire/LINGYUN.Abp.MicroService.ApiGateway/ApiGatewayModule.cs
  11. 2
      aspnet-core/aspire/LINGYUN.Abp.MicroService.ApiGateway/Program.cs
  12. 6
      aspnet-core/aspire/LINGYUN.Abp.MicroService.ApiGateway/appsettings.Development.json
  13. 95
      aspnet-core/aspire/LINGYUN.Abp.MicroService.ApiGateway/yarp.json
  14. 16
      aspnet-core/aspire/LINGYUN.Abp.MicroService.AuthServer/AuthServerModule.Configure.cs
  15. 10
      aspnet-core/aspire/LINGYUN.Abp.MicroService.AuthServer/appsettings.Development.json
  16. 6
      aspnet-core/aspire/LINGYUN.Abp.MicroService.AuthServer/package.json
  17. 3
      aspnet-core/aspire/LINGYUN.Abp.MicroService.IdentityService/appsettings.Development.json
  18. 3
      aspnet-core/aspire/LINGYUN.Abp.MicroService.LocalizationService/appsettings.Development.json
  19. 3
      aspnet-core/aspire/LINGYUN.Abp.MicroService.MessageService/appsettings.Development.json
  20. 3
      aspnet-core/aspire/LINGYUN.Abp.MicroService.PlatformService/appsettings.Development.json
  21. 7
      aspnet-core/aspire/LINGYUN.Abp.MicroService.TaskService/appsettings.Development.json
  22. 6
      aspnet-core/aspire/LINGYUN.Abp.MicroService.WeChatService/appsettings.Development.json
  23. 3
      aspnet-core/aspire/LINGYUN.Abp.MicroService.WebhookService/appsettings.Development.json
  24. 4
      aspnet-core/aspire/LINGYUN.Abp.MicroService.WorkflowService/appsettings.Development.json
  25. 25
      aspnet-core/modules/account/LINGYUN.Abp.Account.Web.OpenIddict/AbpAccountWebOpenIddictModule.cs
  26. 338
      aspnet-core/modules/account/LINGYUN.Abp.Account.Web.OpenIddict/Controllers/AuthorizeController.cs
  27. 8
      aspnet-core/modules/account/LINGYUN.Abp.Account.Web.OpenIddict/LINGYUN.Abp.Account.Web.OpenIddict.csproj
  28. 6
      aspnet-core/modules/account/LINGYUN.Abp.Account.Web.OpenIddict/Localization/Resources/en.json
  29. 6
      aspnet-core/modules/account/LINGYUN.Abp.Account.Web.OpenIddict/Localization/Resources/zh-Hans.json
  30. 23
      aspnet-core/modules/account/LINGYUN.Abp.Account.Web.OpenIddict/ViewModels/Authorize/AuthorizeViewModel.cs
  31. 90
      aspnet-core/modules/account/LINGYUN.Abp.Account.Web.OpenIddict/Views/Authorize/Authorize.cshtml
  32. 29
      aspnet-core/modules/account/LINGYUN.Abp.Account.Web.OpenIddict/Views/Authorize/Authorize.js
  33. 4
      aspnet-core/modules/account/LINGYUN.Abp.Account.Web.OpenIddict/Views/_ViewImports.cshtml
  34. 1
      aspnet-core/modules/account/LINGYUN.Abp.Account.Web/AbpAccountWebModule.cs
  35. 7
      aspnet-core/modules/account/LINGYUN.Abp.Account.Web/Pages/Account/Login.cshtml
  36. 2
      aspnet-core/services/LY.MicroService.Applications.Single/MicroServiceApplicationsSingleModule.Configure.cs
  37. 3
      aspnet-core/services/LY.MicroService.Applications.Single/appsettings.Development.json

3
apps/vben5/apps/app-antd/src/locales/langs/en-US/abp.json
View File

@ -18,7 +18,8 @@
"invalidUserNameOrPassword": "Invalid username or password!",
"tokenHasExpired": "The token is no longer valid!",
"requiresTwoFactor": "Identity verification is required. Please select a verification method!",
"shouldChangePassword": "Your password has expired. Please change it and login!"
"shouldChangePassword": "Your password has expired. Please change it and login!",
"accessDenied": "You have refused the necessary authorization for the application. Please log in again!"
}
},
"manage": {

3
apps/vben5/apps/app-antd/src/locales/langs/zh-CN/abp.json
View File

@ -18,7 +18,8 @@
"invalidUserNameOrPassword": "用户名或密码错误!",
"tokenHasExpired": "您的请求会话已过期,请重新登录!",
"requiresTwoFactor": "需要验证身份,请选择一种验证方式!",
"shouldChangePassword": "您的密码已过期,请修改密码后登录!"
"shouldChangePassword": "您的密码已过期,请修改密码后登录!",
"accessDenied": "您拒绝了应用程序必须的授权, 请重新登录!"
}
},
"manage": {

2
apps/vben5/apps/app-antd/src/router/routes/core.ts
View File

@ -28,7 +28,7 @@ const coreRoutes: RouteRecordRaw[] = [
hideInBreadcrumb: true,
hideInMenu: true,
hideInTab: true,
title: 'Processing login',
title: $t('page.auth.processingLogin'),
},
name: 'OidcFallback',
path: '/signin-callback',

6
apps/vben5/apps/app-antd/src/store/auth.ts
View File

@ -1,4 +1,4 @@
import type { TokenResult } from '@abp/account';
import type { OAuthError, TokenResult } from '@abp/account';
import type { Recordable, UserInfo } from '@vben/types';
@ -45,7 +45,7 @@ export const useAuthStore = defineStore('auth', () => {
await oAuthService.login();
}
async function oidcCallback() {
async function oidcCallback(onError?: (error: OAuthError) => void) {
try {
const user = await oAuthService.handleCallback();
return await _loginSuccess({
@ -55,6 +55,8 @@ export const useAuthStore = defineStore('auth', () => {
// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
expiresIn: user.expires_in!,
});
} catch (error: any) {
onError && onError(error as OAuthError);
} finally {
loginLoading.value = false;
}

16
apps/vben5/apps/app-antd/src/views/_core/fallback/login-callback.vue
View File

@ -1,12 +1,26 @@
<script lang="ts" setup>
import { onMounted } from 'vue';
import { useOAuthError } from '@abp/account';
import { Modal } from 'ant-design-vue';
import { useAuthStore } from '#/store/auth';
const { formatError } = useOAuthError();
const authStore = useAuthStore();
onMounted(async () => {
await authStore.oidcCallback();
await authStore.oidcCallback((error) => {
Modal.warn({
centered: true,
maskClosable: false,
closable: false,
title: formatError(error),
onOk: () => {
authStore.logout();
},
});
});
});
</script>

12
apps/vben5/packages/@abp/account/src/hooks/useOAuthError.ts
View File

@ -1,10 +1,6 @@
import { $t } from '@vben/locales';
import type { OAuthError } from '../types/token';
interface OAuthError {
error: string;
error_description?: string;
error_uri?: string;
}
import { $t } from '@vben/locales';
export function useOAuthError() {
function formatError(error: OAuthError) {
@ -22,6 +18,10 @@ export function useOAuthError() {
case 'RequiresTwoFactor': {
return $t('abp.oauth.errors.requiresTwoFactor');
}
// 用户拒绝授权
case 'The authorization was denied by the end user.': {
return $t('abp.oauth.errors.accessDenied');
}
// Token已失效
case 'The token is no longer valid.':
case 'The user is no longer allowed to sign in.': {

50
apps/vben5/packages/@abp/openiddict/src/components/scopes/ScopeModal.vue
View File

@ -1,20 +1,17 @@
<script setup lang="ts">
import type { OpenIdConfiguration } from '@abp/core';
import type { FormInstance } from 'ant-design-vue';
import type { TransferItem } from 'ant-design-vue/es/transfer';
import type { OpenIddictScopeDto } from '../../types/scopes';
import type { DisplayNameInfo } from '../display-names/types';
import type { PropertyInfo } from '../properties/types';
import { computed, defineEmits, defineOptions, ref, toValue } from 'vue';
import { defineEmits, defineOptions, ref, toValue } from 'vue';
import { useVbenModal } from '@vben/common-ui';
import { $t } from '@vben/locales';
import { Form, Input, message, Tabs, Transfer } from 'ant-design-vue';
import { Form, Input, message, Select, Tabs } from 'ant-design-vue';
import { useOpenIdApi } from '../../api/useOpenIdApi';
import { useScopesApi } from '../../api/useScopesApi';
import DisplayNameTable from '../display-names/DisplayNameTable.vue';
import PropertyTable from '../properties/PropertyTable.vue';
@ -41,20 +38,8 @@ const defaultModel = {} as OpenIddictScopeDto;
const form = ref<FormInstance>();
const formModel = ref<OpenIddictScopeDto>({ ...defaultModel });
const openIdConfiguration = ref<OpenIdConfiguration>();
const activeTab = ref<TabKeys>('basic');
const getSupportClaims = computed((): TransferItem[] => {
const types = openIdConfiguration.value?.claims_supported ?? [];
return types.map((type) => {
return {
key: type,
title: type,
};
});
});
const { discoveryApi } = useOpenIdApi();
const { cancel, createApi, getApi, updateApi } = useScopesApi();
const [Modal, modalApi] = useVbenModal({
class: 'w-1/2',
@ -91,7 +76,6 @@ const [Modal, modalApi] = useVbenModal({
});
try {
modalApi.setState({ loading: true });
await onDiscovery();
const { id } = modalApi.getData<OpenIddictScopeDto>();
id && (await onGet(id));
} finally {
@ -108,9 +92,6 @@ async function onGet(id: string) {
title: `${$t('AbpOpenIddict.Scopes')} - ${dto.name}`,
});
}
async function onDiscovery() {
openIdConfiguration.value = await discoveryApi();
}
function onDescriptionChange(displayName: DisplayNameInfo) {
formModel.value.descriptions ??= {};
formModel.value.descriptions[displayName.culture] = displayName.displayName;
@ -155,6 +136,16 @@ function onPropDelete(prop: PropertyInfo) {
>
<Input v-model:value="formModel.name" autocomplete="off" />
</FormItem>
<FormItem
:label="$t('AbpOpenIddict.DisplayName:Resources')"
name="resources"
>
<Select
allow-clear
v-model:value="formModel.resources"
mode="tags"
/>
</FormItem>
</TabPane>
<!-- 显示名称 -->
<TabPane key="dispalyName" :tab="$t('AbpOpenIddict.DisplayNames')">
@ -184,23 +175,6 @@ function onPropDelete(prop: PropertyInfo) {
@delete="onDescriptionDelete"
/>
</TabPane>
<!-- 资源 -->
<TabPane key="resource" :tab="$t('AbpOpenIddict.Resources')">
<Transfer
v-model:target-keys="formModel.resources"
:data-source="getSupportClaims"
:list-style="{
width: '47%',
height: '338px',
}"
:render="(item) => item.title"
:titles="[
$t('AbpOpenIddict.Assigned'),
$t('AbpOpenIddict.Available'),
]"
class="tree-transfer"
/>
</TabPane>
<!-- 属性 -->
<TabPane key="props" :tab="$t('AbpOpenIddict.Propertites')">
<PropertyTable

11
aspnet-core/LINGYUN.MicroService.SingleProject.sln
View File

@ -1,6 +1,6 @@
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 18
VisualStudioVersion = 18.0.11205.157
# Visual Studio Version 17
VisualStudioVersion = 17.14.36616.10 d17.14
MinimumVisualStudioVersion = 10.0.40219.1
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "modules", "modules", "{0B58AA48-665A-443F-A6A8-751FB9629DAF}"
EndProject
@ -496,8 +496,6 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "LINGYUN.Abp.AspNetCore.Mvc.
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "LINGYUN.Abp.AspNetCore.Wrapper", "framework\common\LINGYUN.Abp.AspNetCore.Wrapper\LINGYUN.Abp.AspNetCore.Wrapper.csproj", "{FDBA1B4A-CC5D-4710-AB8C-FA5A91B91BDE}"
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "LINGYUN.Abp.OpenIddict.AspNetCore", "modules\openIddict\LINGYUN.Abp.OpenIddict.AspNetCore\LINGYUN.Abp.OpenIddict.AspNetCore.csproj", "{6026DAE3-F2AD-4F6B-99EF-EEAAA5873861}"
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "LINGYUN.Abp.WeChat.Official.Application.Contracts", "framework\wechat\LINGYUN.Abp.WeChat.Official.Application.Contracts\LINGYUN.Abp.WeChat.Official.Application.Contracts.csproj", "{B7F866FF-8C8F-4C7D-9084-E0C206F1F26F}"
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "LINGYUN.Abp.WeChat.Official.Application", "framework\wechat\LINGYUN.Abp.WeChat.Official.Application\LINGYUN.Abp.WeChat.Official.Application.csproj", "{E957DB2E-589D-4310-9576-92F108A67CE7}"
@ -1488,10 +1486,6 @@ Global
{FDBA1B4A-CC5D-4710-AB8C-FA5A91B91BDE}.Debug|Any CPU.Build.0 = Debug|Any CPU
{FDBA1B4A-CC5D-4710-AB8C-FA5A91B91BDE}.Release|Any CPU.ActiveCfg = Release|Any CPU
{FDBA1B4A-CC5D-4710-AB8C-FA5A91B91BDE}.Release|Any CPU.Build.0 = Release|Any CPU
{6026DAE3-F2AD-4F6B-99EF-EEAAA5873861}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{6026DAE3-F2AD-4F6B-99EF-EEAAA5873861}.Debug|Any CPU.Build.0 = Debug|Any CPU
{6026DAE3-F2AD-4F6B-99EF-EEAAA5873861}.Release|Any CPU.ActiveCfg = Release|Any CPU
{6026DAE3-F2AD-4F6B-99EF-EEAAA5873861}.Release|Any CPU.Build.0 = Release|Any CPU
{B7F866FF-8C8F-4C7D-9084-E0C206F1F26F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{B7F866FF-8C8F-4C7D-9084-E0C206F1F26F}.Debug|Any CPU.Build.0 = Debug|Any CPU
{B7F866FF-8C8F-4C7D-9084-E0C206F1F26F}.Release|Any CPU.ActiveCfg = Release|Any CPU
@ -2111,7 +2105,6 @@ Global
{3690518A-D6C3-42CC-AEC2-6D48C6987F68} = {5531E2F2-2FC2-45A0-93C7-7FC6F6A4F0AD}
{0D34162C-0CE3-4D7B-B19A-4786C616D0B3} = {5531E2F2-2FC2-45A0-93C7-7FC6F6A4F0AD}
{FDBA1B4A-CC5D-4710-AB8C-FA5A91B91BDE} = {40A9F0DB-66AA-42A8-8670-9DD6DA992103}
{6026DAE3-F2AD-4F6B-99EF-EEAAA5873861} = {7C714185-D3D9-4D94-B5CB-D857A0091F04}
{B7F866FF-8C8F-4C7D-9084-E0C206F1F26F} = {91867618-0D86-4410-91C6-B1166A9ACDF9}
{E957DB2E-589D-4310-9576-92F108A67CE7} = {91867618-0D86-4410-91C6-B1166A9ACDF9}
{4DEFD1AB-C8CD-4240-B4C7-1C8EA4286B2A} = {91867618-0D86-4410-91C6-B1166A9ACDF9}

3
aspnet-core/aspire/LINGYUN.Abp.MicroService.AdminService/appsettings.Development.json
View File

@ -51,7 +51,8 @@
},
"AuthServer": {
"Authority": "http://localhost:44385/",
"Audience": "lingyun-abp-application",
"Audience": "admin-service",
"ValidAudiences": [ "lingyun-abp-application" ],
"MapInboundClaims": false,
"RequireHttpsMetadata": false,
"SwaggerClientId": "vue-oauth-client"

10
aspnet-core/aspire/LINGYUN.Abp.MicroService.ApiGateway/ApiGatewayModule.cs
View File

@ -64,15 +64,7 @@ public class ApiGatewayModule : AbpModule
authority: configuration["AuthServer:Authority"],
scopes: new Dictionary<string, string>
{
{"Account", "Account API"},
{"Identity", "Identity API"},
{"IdentityServer", "Identity Server API"},
{"BackendAdmin", "Backend Admin API"},
{"Localization", "Localization API"},
{"Platform", "Platform API"},
{"RealtimeMessage", "RealtimeMessage API"},
{"TaskManagement", "Task Management API"},
{"Webhooks", "Webhooks API"},
{ configuration["AuthServer:Audience"], "Api Gateway API"}
},
options =>
{

2
aspnet-core/aspire/LINGYUN.Abp.MicroService.ApiGateway/Program.cs
View File

@ -103,7 +103,7 @@ try
clusterGroup.Value.Metadata.TryGetValue("SwaggerEndpoint", out var address) &&
!address.IsNullOrWhiteSpace())
{
options.SwaggerEndpoint($"{address}/swagger/v1/swagger.json", $"{routeConfig.RouteId} API");
options.SwaggerEndpoint($"{address}/swagger/v1/swagger.json", $"{routeConfig.ClusterId} API");
}
options.OAuthClientId(configuration["AuthServer:SwaggerClientId"]);
options.OAuthClientSecret(configuration["AuthServer:SwaggerClientSecret"]);

6
aspnet-core/aspire/LINGYUN.Abp.MicroService.ApiGateway/appsettings.Development.json
View File

@ -16,9 +16,11 @@
},
"AuthServer": {
"Authority": "http://localhost:44385/",
"Audience": "lingyun-abp-application",
"Audience": "api-gateway",
"ValidAudiences": [ "lingyun-abp-application" ],
"MapInboundClaims": false,
"RequireHttpsMetadata": false
"RequireHttpsMetadata": false,
"SwaggerClientId": "vue-oauth-client"
},
"Logging": {
"Serilog": {

95
aspnet-core/aspire/LINGYUN.Abp.MicroService.ApiGateway/yarp.json
View File

@ -2,7 +2,7 @@
"ReverseProxy": {
"Routes": {
"abp-route": {
"ClusterId": "admin-api-cluster",
"ClusterId": "admin-service-cluster",
"Match": {
"Path": "/api/abp/{**everything}"
},
@ -23,7 +23,7 @@
}
]
},
"auth-wellknown-route": {
"oidc-discovery-route": {
"ClusterId": "auth-server-cluster",
"Match": {
"Path": "/.well-known/{**everything}"
@ -38,7 +38,7 @@
}
]
},
"auth-server-route": {
"oidc-token-route": {
"ClusterId": "auth-server-cluster",
"Match": {
"Path": "/connect/{**everything}"
@ -53,7 +53,7 @@
}
]
},
"external-logins-route": {
"account-external-logins-route": {
"ClusterId": "auth-server-cluster",
"Match": {
"Path": "/api/account/external-logins/{**everything}"
@ -68,7 +68,7 @@
}
]
},
"oauth-route": {
"account-oauth-route": {
"ClusterId": "auth-server-cluster",
"Match": {
"Path": "/api/account/oauth/{**everything}"
@ -83,7 +83,7 @@
}
]
},
"qrcode-route": {
"account-qrcode-route": {
"ClusterId": "auth-server-cluster",
"Match": {
"Path": "/api/account/qrcode/{**everything}"
@ -99,7 +99,7 @@
]
},
"account-route": {
"ClusterId": "auth-server-api-cluster",
"ClusterId": "identity-service-cluster",
"Match": {
"Path": "/api/account/{**everything}"
},
@ -114,7 +114,7 @@
]
},
"identity-route": {
"ClusterId": "auth-server-api-cluster",
"ClusterId": "identity-service-cluster",
"Match": {
"Path": "/api/identity/{**everything}"
},
@ -129,7 +129,7 @@
]
},
"identity-server-route": {
"ClusterId": "auth-server-api-cluster",
"ClusterId": "identity-service-cluster",
"Match": {
"Path": "/api/identity-server/{**everything}"
},
@ -144,7 +144,7 @@
]
},
"openiddict-route": {
"ClusterId": "auth-server-api-cluster",
"ClusterId": "identity-service-cluster",
"Match": {
"Path": "/api/openiddict/{**everything}"
},
@ -159,7 +159,7 @@
]
},
"cache-management-route": {
"ClusterId": "admin-api-cluster",
"ClusterId": "admin-service-cluster",
"Match": {
"Path": "/api/caching-management/{**everything}"
},
@ -174,7 +174,7 @@
]
},
"saas-route": {
"ClusterId": "admin-api-cluster",
"ClusterId": "admin-service-cluster",
"Match": {
"Path": "/api/saas/{**everything}"
},
@ -189,7 +189,7 @@
]
},
"auditing-route": {
"ClusterId": "admin-api-cluster",
"ClusterId": "admin-service-cluster",
"Match": {
"Path": "/api/auditing/{**everything}"
},
@ -204,7 +204,7 @@
]
},
"data-protected-route": {
"ClusterId": "admin-api-cluster",
"ClusterId": "admin-service-cluster",
"Match": {
"Path": "/api/data-protection-management/{**everything}"
},
@ -219,7 +219,7 @@
]
},
"text-template-route": {
"ClusterId": "admin-api-cluster",
"ClusterId": "admin-service-cluster",
"Match": {
"Path": "/api/text-templating/{**everything}"
},
@ -234,7 +234,7 @@
]
},
"feature-management-route": {
"ClusterId": "admin-api-cluster",
"ClusterId": "admin-service-cluster",
"Match": {
"Path": "/api/feature-management/{**everything}"
},
@ -249,7 +249,7 @@
]
},
"permission-management-route": {
"ClusterId": "admin-api-cluster",
"ClusterId": "admin-service-cluster",
"Match": {
"Path": "/api/permission-management/{**everything}"
},
@ -264,7 +264,7 @@
]
},
"setting-management-route": {
"ClusterId": "admin-api-cluster",
"ClusterId": "admin-service-cluster",
"Match": {
"Path": "/api/setting-management/{**everything}"
},
@ -279,7 +279,7 @@
]
},
"localization-management-route": {
"ClusterId": "localization-api-cluster",
"ClusterId": "localization-service-cluster",
"Match": {
"Path": "/api/localization/{**everything}"
},
@ -294,7 +294,7 @@
]
},
"im-route": {
"ClusterId": "messages-api-cluster",
"ClusterId": "messages-service-cluster",
"Match": {
"Path": "/api/im/{**everything}"
},
@ -309,7 +309,7 @@
]
},
"notifications-route": {
"ClusterId": "messages-api-cluster",
"ClusterId": "messages-service-cluster",
"Match": {
"Path": "/api/notifications/{**everything}"
},
@ -323,8 +323,8 @@
}
]
},
"signalr-route": {
"ClusterId": "messages-api-cluster",
"signalr-hubs-route": {
"ClusterId": "messages-service-cluster",
"Match": {
"Path": "/signalr-hubs/{**everything}"
},
@ -344,8 +344,8 @@
}
]
},
"webhooks-management-route": {
"ClusterId": "webhooks-api-cluster",
"webhooks-route": {
"ClusterId": "webhooks-service-cluster",
"Match": {
"Path": "/api/webhooks/{**everything}"
},
@ -360,7 +360,7 @@
]
},
"task-management-route": {
"ClusterId": "tasks-api-cluster",
"ClusterId": "task-service-cluster",
"Match": {
"Path": "/api/task-management/{**everything}"
},
@ -375,7 +375,7 @@
]
},
"platform-route": {
"ClusterId": "platform-api-cluster",
"ClusterId": "platform-service-cluster",
"Match": {
"Path": "/api/platform/{**everything}"
},
@ -389,8 +389,8 @@
}
]
},
"oss-route": {
"ClusterId": "platform-api-cluster",
"oss-management-route": {
"ClusterId": "platform-service-cluster",
"Match": {
"Path": "/api/oss-management/{**everything}"
},
@ -405,7 +405,7 @@
]
},
"files-route": {
"ClusterId": "platform-api-cluster",
"ClusterId": "platform-service-cluster",
"Match": {
"Path": "/api/files/{**everything}"
},
@ -420,7 +420,7 @@
]
},
"wechat-route": {
"ClusterId": "wechat-api-cluster",
"ClusterId": "wechat-service-cluster",
"Match": {
"Path": "/api/wechat/{**everything}"
},
@ -433,6 +433,21 @@
"ResponseHeadersAllowed": "_AbpWrapResult;_AbpDontWrapResult;_AbpErrorFormat"
}
]
},
"elsa-route": {
"ClusterId": "workflow-service-cluster",
"Match": {
"Path": "/elsa/{**everything}"
},
"Transforms": [
{
"HeaderPrefix": "X-Forwarded-",
"X-Forwarded": "Append"
},
{
"ResponseHeadersAllowed": "_AbpWrapResult;_AbpDontWrapResult;_AbpErrorFormat"
}
]
}
},
"Clusters": {
@ -443,7 +458,7 @@
}
}
},
"auth-server-api-cluster": {
"identity-service-cluster": {
"Destinations": {
"destination1": {
"Address": "http://localhost:30015",
@ -453,7 +468,7 @@
}
}
},
"admin-api-cluster": {
"admin-service-cluster": {
"Destinations": {
"destination1": {
"Address": "http://localhost:30010",
@ -463,7 +478,7 @@
}
}
},
"localization-api-cluster": {
"localization-service-cluster": {
"Destinations": {
"destination1": {
"Address": "http://localhost:30030",
@ -473,7 +488,7 @@
}
}
},
"messages-api-cluster": {
"messages-service-cluster": {
"Destinations": {
"destination1": {
"Address": "http://localhost:30020",
@ -483,7 +498,7 @@
}
}
},
"webhooks-api-cluster": {
"webhooks-service-cluster": {
"Destinations": {
"destination1": {
"Address": "http://localhost:30045",
@ -493,7 +508,7 @@
}
}
},
"tasks-api-cluster": {
"task-service-cluster": {
"Destinations": {
"destination1": {
"Address": "http://localhost:30040",
@ -503,7 +518,7 @@
}
}
},
"platform-api-cluster": {
"platform-service-cluster": {
"Destinations": {
"destination1": {
"Address": "http://localhost:30025",
@ -513,7 +528,7 @@
}
}
},
"workflow-api-cluster": {
"workflow-service-cluster": {
"Destinations": {
"destination1": {
"Address": "http://localhost:30050",
@ -523,7 +538,7 @@
}
}
},
"wechat-api-cluster": {
"wechat-service-cluster": {
"Destinations": {
"destination1": {
"Address": "http://localhost:30060",

16
aspnet-core/aspire/LINGYUN.Abp.MicroService.AuthServer/AuthServerModule.Configure.cs
View File

@ -37,6 +37,9 @@ using System.Linq;
using System.Text.Encodings.Web;
using System.Text.Unicode;
using Volo.Abp.AspNetCore.Mvc;
using Volo.Abp.AspNetCore.Mvc.UI.Bundling;
using Volo.Abp.AspNetCore.Mvc.UI.Theme.LeptonXLite.Bundling;
using Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared.Bundling;
using Volo.Abp.Auditing;
using Volo.Abp.BlobStoring;
using Volo.Abp.Caching;
@ -166,6 +169,15 @@ public partial class AuthServerModule
{
options.ExposeIntegrationServices = true;
});
Configure<AbpBundlingOptions>(options =>
{
options.StyleBundles
.Configure(LeptonXLiteThemeBundles.Styles.Global, bundle =>
{
bundle.AddFiles("/css/global-styles.css");
});
});
}
private void ConfigureDataSeeder()
@ -392,10 +404,6 @@ public partial class AuthServerModule
options.TokenValidationParameters.IssuerValidator = TokenWildcardIssuerValidator.IssuerValidator;
}
});
//.AddWeChatWork(options =>
//{
// options.SignInScheme = IdentityConstants.ExternalScheme;
//});
services
.AddDataProtection()

10
aspnet-core/aspire/LINGYUN.Abp.MicroService.AuthServer/appsettings.Development.json
View File

@ -47,7 +47,7 @@
}
},
"ConnectionStrings": {
"Default": "Host=127.0.0.1;Database=abp;Username=postgres;Password=123456"
"Default": "Host=localhost;Database=abp;Username=postgres;Password=123456"
},
"CAP": {
"EventBus": {
@ -59,7 +59,7 @@
},
"PostgreSql": {
"TableNamePrefix": "auth",
"ConnectionString": "Host=127.0.0.1;Database=abp;Username=postgres;Password=123456"
"ConnectionString": "Host=localhost;Database=abp;Username=postgres;Password=123456"
},
"RabbitMQ": {
"HostName": "localhost",
@ -88,7 +88,8 @@
},
"AuthServer": {
"Authority": "http://localhost:44385/",
"Audience": "lingyun-abp-application",
"Audience": "auth-server",
"ValidAudiences": [ "lingyun-abp-application" ],
"MapInboundClaims": false,
"RequireHttpsMetadata": false
},
@ -97,7 +98,7 @@
"VueAdmin": {
"ClientId": "vue-admin-client",
"ClientSecret": "1q2w3e*",
"RootUrl": "http://localhost:5666/"
"RootUrls": ["http://localhost:5666"]
},
"InternalService": {
"ClientId": "InternalServiceClient",
@ -107,6 +108,7 @@
"ClientId": "vue-oauth-client",
"RootUrls": [
"http://localhost:5666",
"http://localhost:30000",
"http://localhost:30010",
"http://localhost:30015",
"http://localhost:30020",

6
aspnet-core/aspire/LINGYUN.Abp.MicroService.AuthServer/package.json
View File

@ -1,9 +1,9 @@
{
"version": "9.3.6",
"version": "10.0.2",
"name": "my-app-authserver",
"private": true,
"dependencies": {
"@abp/aspnetcore.mvc.ui.theme.leptonxlite": "4.3.6",
"@abp/qrcode": "9.3.6"
"@abp/aspnetcore.mvc.ui.theme.leptonxlite": "5.0.2",
"@abp/qrcode": "10.0.2"
}
}

3
aspnet-core/aspire/LINGYUN.Abp.MicroService.IdentityService/appsettings.Development.json
View File

@ -77,7 +77,8 @@
},
"AuthServer": {
"Authority": "http://localhost:44385",
"Audience": "lingyun-abp-application",
"Audience": "identity-service",
"ValidAudiences": [ "lingyun-abp-application" ],
"MapInboundClaims": false,
"RequireHttpsMetadata": false,
"SwaggerClientId": "vue-oauth-client"

3
aspnet-core/aspire/LINGYUN.Abp.MicroService.LocalizationService/appsettings.Development.json
View File

@ -57,7 +57,8 @@
},
"AuthServer": {
"Authority": "http://localhost:44385/",
"Audience": "lingyun-abp-application",
"Audience": "localization-service",
"ValidAudiences": [ "lingyun-abp-application" ],
"MapInboundClaims": false,
"RequireHttpsMetadata": false,
"SwaggerClientId": "vue-oauth-client"

3
aspnet-core/aspire/LINGYUN.Abp.MicroService.MessageService/appsettings.Development.json
View File

@ -57,7 +57,8 @@
},
"AuthServer": {
"Authority": "http://localhost:44385/",
"Audience": "lingyun-abp-application",
"Audience": "message-service",
"ValidAudiences": [ "lingyun-abp-application" ],
"MapInboundClaims": false,
"RequireHttpsMetadata": false,
"SwaggerClientId": "vue-oauth-client"

3
aspnet-core/aspire/LINGYUN.Abp.MicroService.PlatformService/appsettings.Development.json
View File

@ -82,7 +82,8 @@
},
"AuthServer": {
"Authority": "http://localhost:44385/",
"Audience": "lingyun-abp-application",
"Audience": "platform-service",
"ValidAudiences": [ "lingyun-abp-application" ],
"MapInboundClaims": false,
"RequireHttpsMetadata": false,
"SwaggerClientId": "vue-oauth-client"

7
aspnet-core/aspire/LINGYUN.Abp.MicroService.TaskService/appsettings.Development.json
View File

@ -84,10 +84,9 @@
},
"AuthServer": {
"Authority": "http://localhost:44385/",
"Audience": "lingyun-abp-application",
"Scopes": "lingyun-abp-application",
"SwaggerClientId": "InternalServiceClient",
"SwaggerClientSecret": "1q2w3E*",
"Audience": "task-service",
"ValidAudiences": [ "lingyun-abp-application" ],
"SwaggerClientId": "vue-oauth-client",
"MapInboundClaims": false,
"RequireHttpsMetadata": false
},

6
aspnet-core/aspire/LINGYUN.Abp.MicroService.WeChatService/appsettings.Development.json
View File

@ -68,11 +68,11 @@
},
"AuthServer": {
"Authority": "http://localhost:44385/",
"Audience": "lingyun-abp-application",
"Audience": "wechat-service",
"ValidAudiences": [ "lingyun-abp-application" ],
"MapInboundClaims": false,
"RequireHttpsMetadata": false,
"SwaggerClientId": "InternalServiceClient",
"SwaggerClientSecret": "1q2w3E*"
"SwaggerClientId": "vue-oauth-client"
},
"Logging": {
"Serilog": {

3
aspnet-core/aspire/LINGYUN.Abp.MicroService.WebhookService/appsettings.Development.json
View File

@ -87,7 +87,8 @@
},
"AuthServer": {
"Authority": "http://localhost:44385/",
"Audience": "lingyun-abp-application",
"Audience": "webhook-service",
"ValidAudiences": [ "lingyun-abp-application" ],
"MapInboundClaims": false,
"RequireHttpsMetadata": false,
"SwaggerClientId": "vue-oauth-client"

4
aspnet-core/aspire/LINGYUN.Abp.MicroService.WorkflowService/appsettings.Development.json
View File

@ -154,10 +154,10 @@
},
"AuthServer": {
"Authority": "http://localhost:44385/",
"Audience": "lingyun-abp-application",
"Audience": "workflow-service",
"ValidAudiences": [ "lingyun-abp-application" ],
"MapInboundClaims": false,
"RequireHttpsMetadata": false,
"Scopes": "lingyun-abp-application",
"ElsaClientId": "InternalServiceClient",
"SwaggerClientId": "vue-oauth-client"
},

25
aspnet-core/modules/account/LINGYUN.Abp.Account.Web.OpenIddict/AbpAccountWebOpenIddictModule.cs
View File

@ -1,5 +1,11 @@
using Microsoft.Extensions.DependencyInjection;
using LINGYUN.Abp.Account.Web.OpenIddict.ViewModels.Authorize;
using Microsoft.AspNetCore.Mvc.Razor;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.DependencyInjection;
using Volo.Abp.AspNetCore.Mvc.UI.Bundling;
using Volo.Abp.Localization;
using Volo.Abp.Modularity;
using Volo.Abp.OpenIddict.Localization;
using Volo.Abp.VirtualFileSystem;
using VoloAbpAccountWebOpenIddictModule = Volo.Abp.Account.Web.AbpAccountWebOpenIddictModule;
@ -24,5 +30,22 @@ public class AbpAccountWebOpenIddictModule : AbpModule
{
options.FileSets.AddEmbedded<AbpAccountWebOpenIddictModule>();
});
Configure<RazorViewEngineOptions>(options =>
{
options.ViewLocationFormats.Add("/Views/{1}/{0}.cshtml");
});
Configure<RazorPagesOptions>(options =>
{
options.Conventions.AuthorizePage("/Authorize");
});
Configure<AbpLocalizationOptions>(options =>
{
options.Resources
.Get<AbpOpenIddictResource>()
.AddVirtualJson("/Localization/Resources");
});
}
}

338
aspnet-core/modules/account/LINGYUN.Abp.Account.Web.OpenIddict/Controllers/AuthorizeController.cs
View File

@ -0,0 +1,338 @@
using LINGYUN.Abp.Account.Web.OpenIddict.ViewModels.Authorize;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using OpenIddict.Abstractions;
using OpenIddict.Server.AspNetCore;
using System;
using System.Collections.Generic;
using System.Collections.Immutable;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Volo.Abp.AspNetCore.Security;
using Volo.Abp.DependencyInjection;
using Volo.Abp.OpenIddict;
using Volo.Abp.Security.Claims;
namespace LINGYUN.Abp.Account.Web.OpenIddict.Controllers;
[Dependency(ReplaceServices = true)]
[ExposeServices(typeof(Volo.Abp.OpenIddict.Controllers.AuthorizeController))]
[Route("connect/authorize")]
[ApiExplorerSettings(IgnoreApi = true)]
public class AuthorizeController : Volo.Abp.OpenIddict.Controllers.AuthorizeController
{
[HttpGet, HttpPost]
[IgnoreAntiforgeryToken]
[IgnoreAbpSecurityHeader]
public override async Task<IActionResult> HandleAsync()
{
var request = await GetOpenIddictServerRequestAsync(HttpContext);
// Try to retrieve the user principal stored in the authentication cookie and redirect
// the user agent to the login page (or to an external provider) in the following cases:
//
// - If the user principal can't be extracted or the cookie is too old.
// - If prompt=login was specified by the client application.
// - If max_age=0 was specified by the client application (max_age=0 is equivalent to prompt=login).
// - If a max_age parameter was provided and the authentication cookie is not considered "fresh" enough.
//
// For scenarios where the default authentication handler configured in the ASP.NET Core
// authentication options shouldn't be used, a specific scheme can be specified here.
var result = await HttpContext.AuthenticateAsync(IdentityConstants.ApplicationScheme);
if (result is not { Succeeded: true } ||
((request.HasPromptValue(OpenIddictConstants.PromptValues.Login) || request.MaxAge is 0 ||
(request.MaxAge is not null && result.Properties?.IssuedUtc is not null &&
TimeProvider.System.GetUtcNow() - result.Properties.IssuedUtc > TimeSpan.FromSeconds(request.MaxAge.Value))) &&
TempData["IgnoreAuthenticationChallenge"] is null or false))
{
// If the client application requested promptless authentication,
// return an error indicating that the user is not logged in.
if (request.HasPromptValue(OpenIddictConstants.PromptValues.None))
{
return Forbid(
authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
properties: new AuthenticationProperties(new Dictionary<string, string>
{
[OpenIddictServerAspNetCoreConstants.Properties.Error] = OpenIddictConstants.Errors.LoginRequired,
[OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "The user is not logged in."
}));
}
// To avoid endless login endpoint -> authorization endpoint redirects, a special temp data entry is
// used to skip the challenge if the user agent has already been redirected to the login endpoint.
//
// Note: this flag doesn't guarantee that the user has accepted to re-authenticate. If such a guarantee
// is needed, the existing authentication cookie MUST be deleted AND revoked (e.g using ASP.NET Core
// Identity's security stamp feature with an extremely short revalidation time span) before triggering
// a challenge to redirect the user agent to the login endpoint.
TempData["IgnoreAuthenticationChallenge"] = true;
// For scenarios where the default challenge handler configured in the ASP.NET Core
// authentication options shouldn't be used, a specific scheme can be specified here.
return Challenge(new AuthenticationProperties
{
RedirectUri = Request.PathBase + Request.Path + QueryString.Create(Request.HasFormContentType ? Request.Form : Request.Query)
});
}
// If prompt=select_account was specified by the client application,
// We will redirect the user to the select_account page.
if (request.HasPromptValue(OpenIddictConstants.PromptValues.SelectAccount) && TempData["IgnoreSelectAccount"] is null or false)
{
// To avoid endless select account endpoint -> authorization endpoint redirects, a special temp data entry is
// used to skip the redirect if the user agent has already been redirected to the select account endpoint.
TempData["IgnoreSelectAccount"] = true;
var selectAccountPath = HttpContext.RequestServices.GetRequiredService<IOptions<AbpOpenIddictAspNetCoreOptions>>().Value.SelectAccountPage.RemovePostFix("/");
return Redirect(Url.Content($"{selectAccountPath}?RedirectUri={UrlEncoder.Default.Encode(Request.PathBase + Request.Path + QueryString.Create(Request.HasFormContentType ? Request.Form : Request.Query))}"));
}
// Retrieve the profile of the logged in user.
var dynamicPrincipal = result.Principal;
if (AbpClaimsPrincipalFactoryOptions.Value.IsDynamicClaimsEnabled)
{
dynamicPrincipal = await AbpClaimsPrincipalFactory.CreateDynamicAsync(dynamicPrincipal);
if (dynamicPrincipal == null)
{
return Challenge(
authenticationSchemes: IdentityConstants.ApplicationScheme,
properties: new AuthenticationProperties
{
RedirectUri = Request.PathBase + Request.Path + QueryString.Create(Request.HasFormContentType ? Request.Form : Request.Query)
});
}
}
var user = await UserManager.GetUserAsync(dynamicPrincipal);
if (user == null)
{
return Challenge(
authenticationSchemes: IdentityConstants.ApplicationScheme,
properties: new AuthenticationProperties
{
RedirectUri = Request.PathBase + Request.Path + QueryString.Create(Request.HasFormContentType ? Request.Form : Request.Query)
});
}
// Retrieve the application details from the database.
var application = await ApplicationManager.FindByClientIdAsync(request.ClientId) ??
throw new InvalidOperationException(L["DetailsConcerningTheCallingClientApplicationCannotBeFound"]);
// Retrieve the permanent authorizations associated with the user and the calling client application.
var authorizations = await AuthorizationManager.FindAsync(
subject: await UserManager.GetUserIdAsync(user),
client: await ApplicationManager.GetIdAsync(application),
status: OpenIddictConstants.Statuses.Valid,
type: OpenIddictConstants.AuthorizationTypes.Permanent,
scopes: request.GetScopes()).ToListAsync();
switch (await ApplicationManager.GetConsentTypeAsync(application))
{
// If the consent is external (e.g when authorizations are granted by a sysadmin),
// immediately return an error if no authorization can be found in the database.
case OpenIddictConstants.ConsentTypes.External when !authorizations.Any():
return Forbid(
authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
properties: new AuthenticationProperties(new Dictionary<string, string>
{
[OpenIddictServerAspNetCoreConstants.Properties.Error] = OpenIddictConstants.Errors.ConsentRequired,
[OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "The logged in user is not allowed to access this client application."
}));
// If the consent is implicit or if an authorization was found,
// return an authorization response without displaying the consent form.
case OpenIddictConstants.ConsentTypes.Implicit:
case OpenIddictConstants.ConsentTypes.External when authorizations.Any():
case OpenIddictConstants.ConsentTypes.Explicit when authorizations.Any() && !request.HasPromptValue(OpenIddictConstants.PromptValues.Consent):
var principal = await SignInManager.CreateUserPrincipalAsync(user);
var sid = dynamicPrincipal.FindFirst(JwtRegisteredClaimNames.Sid);
if (sid != null)
{
principal.RemoveClaims(JwtRegisteredClaimNames.Sid);
principal.AddClaim(JwtRegisteredClaimNames.Sid, sid.Value);
}
if (result.Properties != null && result.Properties.IsPersistent)
{
var claim = new Claim(AbpClaimTypes.RememberMe, true.ToString()).SetDestinations(OpenIddictConstants.Destinations.AccessToken);
principal.Identities.FirstOrDefault()?.AddClaim(claim);
}
// Note: in this sample, the granted scopes match the requested scope
// but you may want to allow the user to uncheck specific scopes.
// For that, simply restrict the list of scopes before calling SetScopes.
principal.SetScopes(request.GetScopes());
principal.SetResources(await ScopeManager.ListResourcesAsync(principal.GetScopes()).ToListAsync());
// Automatically create a permanent authorization to avoid requiring explicit consent
// for future authorization or token requests containing the same scopes.
var authorization = authorizations.LastOrDefault();
if (authorization == null)
{
authorization = await AuthorizationManager.CreateAsync(
principal: principal,
subject: await UserManager.GetUserIdAsync(user),
client: await ApplicationManager.GetIdAsync(application),
type: OpenIddictConstants.AuthorizationTypes.Permanent,
scopes: principal.GetScopes());
}
principal.SetAuthorizationId(await AuthorizationManager.GetIdAsync(authorization));
await OpenIddictClaimsPrincipalManager.HandleAsync(request, principal);
return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
// At this point, no authorization was found in the database and an error must be returned
// if the client application specified prompt=none in the authorization request.
case OpenIddictConstants.ConsentTypes.Explicit when request.HasPromptValue(OpenIddictConstants.PromptValues.None):
case OpenIddictConstants.ConsentTypes.Systematic when request.HasPromptValue(OpenIddictConstants.PromptValues.None):
return Forbid(
authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
properties: new AuthenticationProperties(new Dictionary<string, string>
{
[OpenIddictServerAspNetCoreConstants.Properties.Error] = OpenIddictConstants.Errors.ConsentRequired,
[OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "Interactive user consent is required."
}));
// In every other case, render the consent form.
default:
return View("Authorize", new AuthorizeViewModel
{
ApplicationName = await ApplicationManager.GetLocalizedDisplayNameAsync(application),
AvailableScopes = await BuildScopeListAsync(request.GetScopes()),
Scope = request.Scope,
});
}
}
[HttpPost]
[Authorize]
[Route("callback")]
public override async Task<IActionResult> HandleCallbackAsync()
{
if (await HasFormValueAsync("deny"))
{
// Notify OpenIddict that the authorization grant has been denied by the resource owner
// to redirect the user agent to the client application using the appropriate response_mode.
return Forbid(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
}
var request = await GetOpenIddictServerRequestAsync(HttpContext);
// Retrieve the profile of the logged in user.
var user = await UserManager.GetUserAsync(User) ??
throw new InvalidOperationException(L["TheUserDetailsCannotBbeRetrieved"]);
// Retrieve the application details from the database.
var application = await ApplicationManager.FindByClientIdAsync(request.ClientId) ??
throw new InvalidOperationException(L["DetailsConcerningTheCallingClientApplicationCannotBeFound"]);
// Retrieve the permanent authorizations associated with the user and the calling client application.
var authorizations = await AuthorizationManager.FindAsync(
subject: await UserManager.GetUserIdAsync(user),
client: await ApplicationManager.GetIdAsync(application),
status: OpenIddictConstants.Statuses.Valid,
type: OpenIddictConstants.AuthorizationTypes.Permanent,
scopes: request.GetScopes()).ToListAsync();
// Note: the same check is already made in the other action but is repeated
// here to ensure a malicious user can't abuse this POST-only endpoint and
// force it to return a valid response without the external authorization.
if (!authorizations.Any() && await ApplicationManager.HasConsentTypeAsync(application, OpenIddictConstants.ConsentTypes.External))
{
return Forbid(
authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
properties: new AuthenticationProperties(new Dictionary<string, string>
{
[OpenIddictServerAspNetCoreConstants.Properties.Error] = OpenIddictConstants.Errors.ConsentRequired,
[OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "The logged in user is not allowed to access this client application."
}));
}
var principal = await SignInManager.CreateUserPrincipalAsync(user);
var sid = User.FindFirst(JwtRegisteredClaimNames.Sid);
if (sid != null)
{
principal.RemoveClaims(JwtRegisteredClaimNames.Sid);
principal.AddClaim(JwtRegisteredClaimNames.Sid, sid.Value);
}
var result = await HttpContext.AuthenticateAsync(IdentityConstants.ApplicationScheme);
if (result.Succeeded && result.Properties != null && result.Properties.IsPersistent)
{
var claim = new Claim(AbpClaimTypes.RememberMe, true.ToString()).SetDestinations(OpenIddictConstants.Destinations.AccessToken);
principal.Identities.FirstOrDefault()?.AddClaim(claim);
}
var scopes = Request.Form["selected_scopes"].ToString()?.Split(" ").ToImmutableArray() ?? [];
if (scopes.IsNullOrEmpty())
{
scopes = request.GetScopes();
}
// Note: in this sample, the granted scopes match the requested scope
// but you may want to allow the user to uncheck specific scopes.
// For that, simply restrict the list of scopes before calling SetScopes.
principal.SetScopes(scopes);
principal.SetResources(await ScopeManager.ListResourcesAsync(scopes).ToListAsync());
// Automatically create a permanent authorization to avoid requiring explicit consent
// for future authorization or token requests containing the same scopes.
var authorization = authorizations.LastOrDefault();
if (authorization == null)
{
authorization = await AuthorizationManager.CreateAsync(
principal: principal,
subject: await UserManager.GetUserIdAsync(user),
client: await ApplicationManager.GetIdAsync(application),
type: OpenIddictConstants.AuthorizationTypes.Permanent,
scopes: principal.GetScopes());
}
principal.SetAuthorizationId(await AuthorizationManager.GetIdAsync(authorization));
principal.SetScopes(scopes);
principal.SetResources(await GetResourcesAsync(scopes));
await OpenIddictClaimsPrincipalManager.HandleAsync(request, principal);
// Returning a SignInResult will ask OpenIddict to issue the appropriate access/identity tokens.
return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
}
private async Task<List<ScopeItemViewModel>> BuildScopeListAsync(ImmutableArray<string> requestedScopes)
{
var scopes = requestedScopes.Select(scopeName =>
new ScopeItemViewModel
{
Value = scopeName,
DisplayName = scopeName,
IsRequired = scopeName == "openid" || scopeName == "offline_access",
})
.OrderByDescending(x => x.IsRequired)
.ToList();
await foreach(var scope in ScopeManager.FindByNamesAsync(requestedScopes))
{
var scopeName = await ScopeManager.GetNameAsync(scope);
var scopeModel = scopes.FirstOrDefault(x => x.Value == scopeName);
if (scopeModel != null)
{
var displayName = await ScopeManager.GetLocalizedDisplayNameAsync(scope);
var description = await ScopeManager.GetLocalizedDescriptionAsync(scope);
scopeModel.DisplayName = displayName;
scopeModel.Description = description;
}
}
return scopes;
}
}

8
aspnet-core/modules/account/LINGYUN.Abp.Account.Web.OpenIddict/LINGYUN.Abp.Account.Web.OpenIddict.csproj
View File

@ -10,11 +10,19 @@
<GenerateAssemblyConfigurationAttribute>false</GenerateAssemblyConfigurationAttribute>
<GenerateAssemblyCompanyAttribute>false</GenerateAssemblyCompanyAttribute>
<GenerateAssemblyProductAttribute>false</GenerateAssemblyProductAttribute>
<GenerateEmbeddedFilesManifest>true</GenerateEmbeddedFilesManifest>
<RootNamespace>LINGYUN.Abp.Account.Web.OpenIddict</RootNamespace>
<OutputType>Library</OutputType>
<IsPackable>true</IsPackable>
</PropertyGroup>
<ItemGroup>
<EmbeddedResource Include="Localization\**\*.json" />
<EmbeddedResource Include="Views\**\*.js" />
<Content Remove="Localization\**\*.json" />
<Content Remove="Views\**\*.js" />
</ItemGroup>
<ItemGroup>
<PackageReference Include="Volo.Abp.Account.Web.OpenIddict" />
<PackageReference Include="Microsoft.Extensions.FileProviders.Embedded" />

6
aspnet-core/modules/account/LINGYUN.Abp.Account.Web.OpenIddict/Localization/Resources/en.json
View File

@ -0,0 +1,6 @@
{
"culture": "en",
"texts": {
"Required": "Required"
}
}

6
aspnet-core/modules/account/LINGYUN.Abp.Account.Web.OpenIddict/Localization/Resources/zh-Hans.json
View File

@ -0,0 +1,6 @@
{
"culture": "zh-Hans",
"texts": {
"Required": "必须"
}
}

23
aspnet-core/modules/account/LINGYUN.Abp.Account.Web.OpenIddict/ViewModels/Authorize/AuthorizeViewModel.cs
View File

@ -0,0 +1,23 @@
using Microsoft.AspNetCore.Mvc;
using System.Collections.Generic;
namespace LINGYUN.Abp.Account.Web.OpenIddict.ViewModels.Authorize;
public class AuthorizeViewModel
{
public string ApplicationName { get; set; }
[HiddenInput]
public string Scope { get; set; }
public List<ScopeItemViewModel> AvailableScopes { get; set; }
}
public class ScopeItemViewModel
{
public string Value { get; set; }
public string DisplayName { get; set; }
public string Description { get; set; }
public bool IsRequired { get; set; }
public bool IsChecked { get; set; }
}

90
aspnet-core/modules/account/LINGYUN.Abp.Account.Web.OpenIddict/Views/Authorize/Authorize.cshtml
View File

@ -0,0 +1,90 @@
@using Microsoft.Extensions.Primitives
@using Volo.Abp.OpenIddict.Localization
@using Volo.Abp.AspNetCore.Mvc.UI.Layout
@using Volo.Abp.AspNetCore.Mvc.UI.Theming;
@using Microsoft.AspNetCore.Mvc.Localization
@using LINGYUN.Abp.Account.Web.OpenIddict.ViewModels.Authorize
@inject IHtmlLocalizer<AbpOpenIddictResource> L
@inject IThemeManager ThemeManager
@inject IPageLayout PageLayout
@model AuthorizeViewModel
@{
Layout = ThemeManager.CurrentTheme.GetAccountLayout();
PageLayout.Content.Title = L["Authorization"].Value;
}
@section scripts
{
<abp-script-bundle name="@typeof(AuthorizeViewModel).FullName">
<abp-script src="/Views/Authorize/Authorize.js" />
</abp-script-bundle>
}
<abp-card>
<abp-card-body>
<p class="lead text-left"><strong>@string.Format(L["DoYouWantToGrantAccessToYourData"].Value, @Model.ApplicationName)</strong></p>
<p class="fw-light">@L["ScopesRequested"]:</p>
<form method="post" action="~/connect/authorize/callback">
@Html.AntiForgeryToken()
@foreach (var parameter in Context.Request.HasFormContentType ? (IEnumerable<KeyValuePair<string, StringValues>>)Context.Request.Form : Context.Request.Query)
{
<input type="hidden" name="@parameter.Key" value="@parameter.Value" />
}
<input type="hidden" id="selected_scopes" name="selected_scopes" value="@Model.Scope" />
<div class="mb-4">
<div class="form-check">
@foreach (var scope in Model.AvailableScopes)
{
<div class="list-group-item">
<div class="form-check">
@if (scope.IsRequired)
{
<input class="form-check-input"
type="checkbox"
value="@scope.Value"
id="scope_@scope.Value"
checked
disabled />
<input type="hidden" name="selectedScopeValues" value="@scope.Value" />
}
else
{
<input class="form-check-input scope-checkbox"
type="checkbox"
value="@scope.Value"
id="scope_@scope.Value"
checked
data-scope-value="@scope.Value" />
}
<label class="form-check-label w-100" for="scope_@scope.Value">
<div>
<strong>@scope.DisplayName</strong>
@if (scope.IsRequired)
{
<span class="badge bg-warning ms-2">@L["Required"]</span>
}
</div>
@if (!string.IsNullOrEmpty(scope.Description))
{
<div class="text-muted mt-1">
<small>@scope.Description</small>
</div>
}
</label>
</div>
</div>
}
</div>
</div>
<div class="d-grid gap-2">
<input class="btn btn-primary" name="accept" type="submit" value="@L["Accept"]" />
<input class="btn btn-danger ms-1" name="deny" type="submit" value="@L["Deny"]" />
</div>
</form>
</abp-card-body>
</abp-card>

29
aspnet-core/modules/account/LINGYUN.Abp.Account.Web.OpenIddict/Views/Authorize/Authorize.js
View File

@ -0,0 +1,29 @@
$(function () {
// 初始化选择的 Scope
updateSelectedScopes();
// 监听 Scope 选择变化
$('.scope-checkbox').change(function () {
updateSelectedScopes();
});
function updateSelectedScopes() {
var selected = [];
// 获取必需的 Scope
$('input[name="selectedScopeValues"]').each(function () {
selected.push($(this).val());
});
// 获取用户选择的 Scope
$('.scope-checkbox:checked').each(function () {
var value = $(this).data('scope-value');
if (!selected.includes(value)) {
selected.push(value);
}
});
// 更新隐藏字段
$('#selected_scopes').val(selected.join(' '));
}
});

4
aspnet-core/modules/account/LINGYUN.Abp.Account.Web.OpenIddict/Views/_ViewImports.cshtml
View File

@ -0,0 +1,4 @@
@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
@addTagHelper *, Volo.Abp.AspNetCore.Mvc.UI
@addTagHelper *, Volo.Abp.AspNetCore.Mvc.UI.Bootstrap
@addTagHelper *, Volo.Abp.AspNetCore.Mvc.UI.Bundling

1
aspnet-core/modules/account/LINGYUN.Abp.Account.Web/AbpAccountWebModule.cs
View File

@ -114,6 +114,7 @@ public class AbpAccountWebModule : AbpModule
{
bundle.AddFiles("/client-proxies/account-proxy.js");
bundle.AddFiles("/client-proxies/qrcode-proxy.js");
bundle.AddFiles("/Pages/Account/Login.js");
bundle.AddContributors(typeof(QRCodeScriptContributor));
});
});

7
aspnet-core/modules/account/LINGYUN.Abp.Account.Web/Pages/Account/Login.cshtml
View File

@ -18,12 +18,7 @@
PageLayout.Content.Title = L["Login"].Value;
}
@section scripts
{
<abp-script-bundle name="@typeof(LoginModel).FullName">
<abp-script src="/Pages/Account/Login.js" />
</abp-script-bundle>
}
<abp-script-bundle name="@typeof(LoginModel).FullName" />
<div class="account-module-form">
@if (Model.EnableLocalLogin)

2
aspnet-core/services/LY.MicroService.Applications.Single/MicroServiceApplicationsSingleModule.Configure.cs
View File

@ -60,7 +60,7 @@ public partial class MicroServiceApplicationsSingleModule
{
builder.AddValidation(options =>
{
//options.AddAudiences("lingyun-abp-application");
options.AddAudiences("all_in_one");
options.UseLocalServer();

3
aspnet-core/services/LY.MicroService.Applications.Single/appsettings.Development.json
View File

@ -107,7 +107,8 @@
"AuthServer": {
"UseOpenIddict": true,
"Authority": "http://localhost:30000/",
"Audience": "lingyun-abp-application",
"Audience": "all_in_one",
"ValidAudiences": [ "lingyun-abp-application" ],
"RequireHttpsMetadata": false,
"SwaggerClientId": "vue-oauth-client"
},

Write Preview
Loading…
Cancel
Save