ASP.NET Core的Keycloak客户端

在Startup.cs中,我使用了OpenIdConnect身份验证：

public void Configure(...)
    { (...)
         app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationScheme = CookieAuthenticationDefaults.AuthenticationScheme,AutomaticAuthenticate = true,CookieHttpOnly = true,CookieSecure = CookieSecurePolicy.SameAsRequest
        });
        app.USEOpenIdConnectAuthentication(CreateKeycloakOpenIdConnectOptions());`(...)
 }`

OpenIdConnectOptions方法：

private OpenIdConnectOptions CreateKeycloakOpenIdConnectOptions()
    {
        var options = new OpenIdConnectOptions
        {
            AuthenticationScheme = "oidc",SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme,Authority = Configuration["Authentication:KeycloakAuthentication:ServerAddress"]+"/auth/realms/"+ Configuration["Authentication:KeycloakAuthentication:Realm"],RequireHttpsMetadata = false,//only in development
            PostLogoutRedirectUri = Configuration["Authentication:KeycloakAuthentication:PostLogoutRedirectUri"],ClientId = Configuration["Authentication:KeycloakAuthentication:ClientId"],ClientSecret = Configuration["Authentication:KeycloakAuthentication:ClientSecret"],ResponseType = OpenIdConnectResponseType.Code,GetClaimsFromUserInfoEndpoint = true,SaveTokens = true

        };
        options.Scope.Add("openid");
        return options;
    }

在appsettings.json中添加Keycloak的配置：

{
  (...),"Authentication": {
    "KeycloakAuthentication": {
      "ServerAddress": "http://localhost:8180","Realm": "demo","PostLogoutRedirectUri": "http://localhost:57630/","ClientId": "KeycloakASPNETCore","ClientSecret": "secret-get-it-in-keycloakConsole-client-credentials"
    }
  }
}

Keycloak客户端配置如下：

> Client settings,
> I’ve added ‘accounting’ role for test,
> I added mapper ‘member_of’ of type ‘User Client Role’ for roles so that roles are added in the claims

如果我想按角色授权用户,我会这样做：

在ConfigureServices方法中添加authorization by claims：

public void ConfigureServices(IServiceCollection services)
    {
        (...)

        services.AddAuthorization(options =>
        {
            options.AddPolicy("Accounting",policy =>
            policy.RequireClaim("member_of","[accounting]")); //this claim value is an array. Any suggestions how to extract just single role? This still works.
        });
    }

我在ValuesController(默认Web API模板)中编辑了get方法：

[Authorize(Policy = "Accounting")]
[Route("api/[controller]")]
public class ValuesController : Controller
{
    // GET api/values        
    [HttpGet]
    public Dictionary<string,string> Get()
    {
        var userPrinciple = User as ClaimsPrincipal;
        var claims = new Dictionary<string,string>();

        foreach (var claim in userPrinciple.Claims)
        {
            var key = claim.Type;
            var value = claim.Value;

            claims.Add(key,value);
        }


        return claims;
    }

如果我使用具有会计角色的用户登录或具有会计角色的组,则应在地址localhost：57630 / api / values上显示我的用户声明.

我希望这适合你.