asp.net core 使用identityServer4的密码模式来进行身份认证(2)
原文:
asp.net core 使用identityServer4的密码模式来进行身份认证(2) 认证授权原理
前言:本文将会结合asp.net core 认证源码来分析其认证的原理与流程,对应的asp.net core版本为2.2。对于大部分使用asp.net core开发的人来说,下面这几行代码应该很熟悉了。 services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) .AddJwtBearer(options => { options.RequireHttpsMetadata = false; options.Audience = "sp_api"; options.Authority = "http://localhost:5001"; options.SaveToken = true; }) app.UseAuthentication(); 注意:上面的 RequireHttpsMetadata = false 和 http:// 形式的 Authority 只适合本地调试;生产环境应使用 https 的 Authority 并保持 RequireHttpsMetadata 的默认值 true,否则 JwtBearer 从 Authority 拉取发现文档和签名密钥的过程可能经由明文 HTTP,存在被中间人篡改的风险。 废话不多说。直接看 app.UseAuthentication() 的源码 public class AuthenticationMiddleware { private readonly RequestDelegate _next; public AuthenticationMiddleware(RequestDelegate next,IAuthenticationSchemeProvider schemes) { if (next == null) { throw new ArgumentNullException(nameof(next)); } if (schemes == null) { throw new ArgumentNullException(nameof(schemes)); } _next = next; Schemes = schemes; } public IAuthenticationSchemeProvider Schemes { get; set; } public async Task Invoke(HttpContext context) { context.Features.Set<IAuthenticationFeature>(new AuthenticationFeature { OriginalPath = context.Request.Path,OriginalPathBase = context.Request.PathBase }); // Give any IAuthenticationRequestHandler schemes a chance to handle the request var handlers = context.RequestServices.GetRequiredService<IAuthenticationHandlerProvider>(); foreach (var scheme in await Schemes.GetRequestHandlerSchemesAsync()) { var handler = await handlers.GetHandlerAsync(context,scheme.Name) as IAuthenticationRequestHandler; if (handler != null && await handler.HandleRequestAsync()) { return; } } var defaultAuthenticate = await Schemes.GetDefaultAuthenticateSchemeAsync(); if (defaultAuthenticate != null) { var result = await context.AuthenticateAsync(defaultAuthenticate.Name); if (result?.Principal != null) { context.User = result.Principal; } } await _next(context); } 可以看到,中间件先把请求交给实现了 IAuthenticationRequestHandler 的 scheme 处理,然后只在 result?.Principal != null 时设置 context.User,之后无论认证成功与否都会继续调用 _next(context)。也就是说认证中间件本身并不拒绝请求,认证失败时 context.User 仍是匿名身份,是否放行由后续的授权环节决定。 现在来看看var defaultAuthenticate = await Schemes.GetDefaultAuthenticateSchemeAsync(); 干了什么。 在这之前,我们更应该要知道上面代码中 public IAuthenticationSchemeProvider Schemes { get; set; } ,假如脑海中对这个IAuthenticationSchemeProvider类型的来源有个清晰认识,对后面的理解会有很大的帮助。 现在来揭秘IAuthenticationSchemeProvider 是从哪里添加到ioc的。 public 
static AuthenticationBuilder AddAuthentication(this IServiceCollection services) { if (services == null) { throw new ArgumentNullException(nameof(services)); } services.AddAuthenticationCore(); services.AddDataProtection(); services.AddWebEncoders(); services.TryAddSingleton<ISystemClock,SystemClock>(); return new AuthenticationBuilder(services); } 其中 services.AddAuthenticationCore() 的内部逻辑就把IAuthenticationSchemeProvider添加到了IOC中。先来看看services.AddAuthenticationCore()的源码,这个源码所在的解决方案的仓库地址是https://github.com/aspnet/HttpAbstractions,这个仓库目前已不再维护,其代码都转移到了asp.net core 仓库。 下面为services.AddAuthenticationCore()的源码 public static class AuthenticationCoreServiceCollectionExtensions { /// <summary> /// Add core authentication services needed for <see cref="IAuthenticationService"/>. /// </summary> /// <param name="services">The <see cref="IServiceCollection"/>.</param> /// <returns>The service collection.</returns> public static IServiceCollection AddAuthenticationCore(this IServiceCollection services) { if (services == null) { throw new ArgumentNullException(nameof(services)); } services.TryAddScoped<IAuthenticationService,AuthenticationService>(); services.TryAddSingleton<IClaimsTransformation,NoopClaimsTransformation>(); // Can be replaced with scoped ones that use DbContext services.TryAddScoped<IAuthenticationHandlerProvider,AuthenticationHandlerProvider>(); services.TryAddSingleton<IAuthenticationSchemeProvider,AuthenticationSchemeProvider>(); return services; } 注意这里用的都是 TryAdd*,也就是说如果应用在调用 AddAuthentication 之前已经自己注册过同名服务(比如自定义的 IClaimsTransformation),框架的默认实现不会覆盖它。 /// <summary> /// Add core authentication services needed for <see cref="IAuthenticationService"/>. 
/// </summary> /// <param name="services">The <see cref="IServiceCollection"/>.</param> /// <param name="configureOptions">Used to configure the <see cref="AuthenticationOptions"/>.</param> /// <returns>The service collection.</returns> public static IServiceCollection AddAuthenticationCore(this IServiceCollection services,Action<AuthenticationOptions> configureOptions) { if (services == null) { throw new ArgumentNullException(nameof(services)); } if (configureOptions == null) { throw new ArgumentNullException(nameof(configureOptions)); } services.AddAuthenticationCore(); services.Configure(configureOptions); return services; } } 可以看到它注册了一个全局单例(TryAddSingleton)的IAuthenticationSchemeProvider。现在让我们回到MiddleWare中探究Schemes.GetDefaultAuthenticateSchemeAsync(); 干了什么。光看方法的名字都能猜出就是获取默认的认证方案。 进入到IAuthenticationSchemeProvider 实现的源码中,按我的经验,先不急着看GetDefaultAuthenticateSchemeAsync()的内部逻辑,必须先看下IAuthenticationSchemeProvider实现类的构造函数。它的实现类是AuthenticationSchemeProvider。 先看看AuthenticationSchemeProvider的构造方法 public class AuthenticationSchemeProvider : IAuthenticationSchemeProvider { /// <summary> /// Creates an instance of <see cref="AuthenticationSchemeProvider"/> /// using the specified <paramref name="options"/>,/// </summary> /// <param name="options">The <see cref="AuthenticationOptions"/> options.</param> public AuthenticationSchemeProvider(IOptions<AuthenticationOptions> options) : this(options,new Dictionary<string,AuthenticationScheme>(StringComparer.Ordinal)) { } /// <summary> /// Creates an instance of <see cref="AuthenticationSchemeProvider"/> /// using the specified <paramref name="options"/> and <paramref name="schemes"/>. /// </summary> /// <param name="options">The <see cref="AuthenticationOptions"/> options.</param> /// <param name="schemes">The dictionary used to store authentication schemes.</param> protected AuthenticationSchemeProvider(IOptions<AuthenticationOptions> options,IDictionary<string,AuthenticationScheme> schemes) { _options = options.Value; _schemes = schemes ?? 
throw new ArgumentNullException(nameof(schemes)); _requestHandlers = new List<AuthenticationScheme>(); foreach (var builder in _options.Schemes) { var scheme = builder.Build(); AddScheme(scheme); } } private readonly AuthenticationOptions _options; private readonly object _lock = new object(); private readonly IDictionary<string,AuthenticationScheme> _schemes; private readonly List<AuthenticationScheme> _requestHandlers; 不难看出,上面的构造方法需要一个IOptions<AuthenticationOptions> 类型(注意 scheme 字典用的是 StringComparer.Ordinal,也就是说 scheme 名称区分大小写)。那这个类型是从哪里来的呢? 答:不知道各位是否记得AddJwtBearer这个方法,在这个方法里面就配置了AuthenticationOptions这个类型。 看源码吧 public static class JwtBearerExtensions { public static AuthenticationBuilder AddJwtBearer(this AuthenticationBuilder builder) => builder.AddJwtBearer(JwtBearerDefaults.AuthenticationScheme,_ => { }); public static AuthenticationBuilder AddJwtBearer(this AuthenticationBuilder builder,Action<JwtBearerOptions> configureOptions) => builder.AddJwtBearer(JwtBearerDefaults.AuthenticationScheme,configureOptions); public static AuthenticationBuilder AddJwtBearer(this AuthenticationBuilder builder,string authenticationScheme,Action<JwtBearerOptions> configureOptions) => builder.AddJwtBearer(authenticationScheme,displayName: null,configureOptions: configureOptions); public static AuthenticationBuilder AddJwtBearer(this AuthenticationBuilder builder,string authenticationScheme,string displayName,Action<JwtBearerOptions> configureOptions) { builder.Services.TryAddEnumerable(ServiceDescriptor.Singleton<IPostConfigureOptions<JwtBearerOptions>,JwtBearerPostConfigureOptions>()); return builder.AddScheme<JwtBearerOptions,JwtBearerHandler>(authenticationScheme,displayName,configureOptions); } } 不难通过上述代码看出它是一个基于AuthenticationBuilder的扩展方法,而配置AuthenticationOptions的关键就在于 builder.AddScheme<JwtBearerOptions,JwtBearerHandler>(authenticationScheme,displayName,configureOptions); 
这行代码,按下F12看下源码 public virtual AuthenticationBuilder AddScheme<TOptions,THandler>(string authenticationScheme,string displayName,Action<TOptions> configureOptions) where TOptions : AuthenticationSchemeOptions,new() where THandler : AuthenticationHandler<TOptions> => AddSchemeHelper<TOptions,THandler>(authenticationScheme,displayName,configureOptions); private AuthenticationBuilder AddSchemeHelper<TOptions,THandler>(string authenticationScheme,string displayName,Action<TOptions> configureOptions) where TOptions : class,new() where THandler : class,IAuthenticationHandler { Services.Configure<AuthenticationOptions>(o => { o.AddScheme(authenticationScheme,scheme => { scheme.HandlerType = typeof(THandler); scheme.DisplayName = displayName; }); }); if (configureOptions != null) { Services.Configure(authenticationScheme,configureOptions); } Services.AddTransient<THandler>(); return this; } 照旧还是分为2个方法来进行调用,其重点就是AddSchemeHelper这个方法,它里面配置了AuthenticationOptions类型:把 scheme 名称与 HandlerType(也就是 JwtBearerHandler)绑定,并把 handler 以 Transient 方式注册到容器。后面的 IAuthenticationHandlerProvider 应该就是依据这个 HandlerType 来创建 handler 的(其源码本文未贴出)。现在我们已经知道了IAuthenticationSchemeProvider是何时注入的,还有AuthenticationSchemeProvider构造方法中的IOptions<AuthenticationOptions> options是何时配置的,这样我们就对认证有了一个初步的认识。现在可以知道对于认证中间件,必须要有一个IAuthenticationSchemeProvider 类型,而这个IAuthenticationSchemeProvider实现类的构造函数必须要有IOptions<AuthenticationOptions> options,没有这两个类型,认证中间件应该是不会工作的。 回到认证中间件中,继续看var defaultAuthenticate = await Schemes.GetDefaultAuthenticateSchemeAsync();这句代码,源码如下 public virtual Task<AuthenticationScheme> GetDefaultAuthenticateSchemeAsync() => _options.DefaultAuthenticateScheme != null ? GetSchemeAsync(_options.DefaultAuthenticateScheme) : GetDefaultSchemeAsync(); public virtual Task<AuthenticationScheme> GetSchemeAsync(string name) => Task.FromResult(_schemes.ContainsKey(name) ? _schemes[name] : null); private Task<AuthenticationScheme> GetDefaultSchemeAsync() => _options.DefaultScheme != null ? 
GetSchemeAsync(_options.DefaultScheme) : Task.FromResult<AuthenticationScheme>(null); 让我们先验证下方法1的三元表达式,应该执行哪边呢?通过前面的代码我们知道AuthenticationOptions是在AuthenticationBuilder类型的AddSchemeHelper方法里面进行配置的。经过我的调试,发现方法1会走右边,也就是 GetDefaultSchemeAsync():示例里只通过 AddAuthentication(JwtBearerDefaults.AuthenticationScheme) 设置了 DefaultScheme,并没有单独设置 DefaultAuthenticateScheme(该重载的源码本文未贴出)。其实最终还是从一个字典中取到了默认的AuthenticationScheme对象。这里有一点值得注意:如果 DefaultAuthenticateScheme 和 DefaultScheme 都没有配置,这个方法会返回 null,而中间件里的 if (defaultAuthenticate != null) 会直接跳过认证,请求以匿名身份继续往下走,不会有任何报错,排查"明明带了 token 却拿不到 User"这类问题时要先检查这里。到这里中间件里面var defaultAuthenticate = await Schemes.GetDefaultAuthenticateSchemeAsync();代码就完了,最终就拿到了AuthenticationScheme的对象。 下面来看看 中间件中var result = await context.AuthenticateAsync(defaultAuthenticate.Name);这句代码干了什么。按下F12发现是一个扩展方法,还是到HttpAbstractions解决方案里面找下源码 源码如下 public static Task<AuthenticateResult> AuthenticateAsync(this HttpContext context,string scheme) => context.RequestServices.GetRequiredService<IAuthenticationService>().AuthenticateAsync(context,scheme); 通过上面的方法,发现是通过IAuthenticationService的AuthenticateAsync() 来进行认证的。那么现在IAuthenticationService这个类是干什么的呢? 下面为IAuthenticationService的定义 public interface IAuthenticationService { Task<AuthenticateResult> AuthenticateAsync(HttpContext context,string scheme); Task ChallengeAsync(HttpContext context,string scheme,AuthenticationProperties properties); Task ForbidAsync(HttpContext context,AuthenticationProperties properties); Task SignInAsync(HttpContext context,ClaimsPrincipal principal,AuthenticationProperties properties); Task SignOutAsync(HttpContext context,AuthenticationProperties properties); } IAuthenticationService的AuthenticateAsync()方法的实现源码 public class AuthenticationService : IAuthenticationService { /// <summary> /// Constructor. /// </summary> /// <param name="schemes">The <see cref="IAuthenticationSchemeProvider"/>.</param> /// <param name="handlers">The <see cref="IAuthenticationRequestHandler"/>.</param> /// <param name="transform">The <see cref="IClaimsTransformation"/>.</param> public AuthenticationService(IAuthenticationSchemeProvider schemes,IAuthenticationHandlerProvider handlers,IClaimsTransformation transform) { Schemes = schemes; Handlers = handlers; Transform = transform; }
/// <summary>
/// Authenticates the current request with <paramref name="scheme"/>, falling back to the
/// provider's default authenticate scheme when <paramref name="scheme"/> is null. A succeeded
/// result has its principal passed through the registered <see cref="IClaimsTransformation"/>
/// before being returned; failed or null results are returned untouched.
/// </summary>
/// <param name="context">The request being authenticated.</param>
/// <param name="scheme">Name of the scheme to use, or null to use the default authenticate scheme.</param>
/// <returns>The handler's <see cref="AuthenticateResult"/> (transformed only on success).</returns>
/// <exception cref="InvalidOperationException">
/// No scheme was given and no default authenticate scheme is configured, or no handler is registered for the scheme.
/// </exception>
public virtual async Task<AuthenticateResult> AuthenticateAsync(HttpContext context, string scheme)
{
    // An explicit scheme is used as-is; only a null scheme consults the default.
    var schemeName = scheme ?? (await Schemes.GetDefaultAuthenticateSchemeAsync())?.Name;
    if (schemeName == null)
    {
        throw new InvalidOperationException($"No authenticationScheme was specified,and there was no DefaultAuthenticateScheme found.");
    }

    // A scheme without a handler is a configuration error and fails loudly rather than
    // being treated as "not authenticated".
    var authHandler = await Handlers.GetHandlerAsync(context, schemeName);
    if (authHandler == null)
    {
        throw await CreateMissingHandlerException(schemeName);
    }

    var outcome = await authHandler.AuthenticateAsync();
    if (outcome == null || !outcome.Succeeded)
    {
        // Claims transformation is applied only to an authenticated principal; the caller
        // (e.g. the middleware) decides what a null/failed result means for the request.
        return outcome;
    }

    var transformedPrincipal = await Transform.TransformAsync(outcome.Principal);
    var ticket = new AuthenticationTicket(transformedPrincipal, outcome.Properties, outcome.Ticket.AuthenticationScheme);
    return AuthenticateResult.Success(ticket);
}
通过构造方法可以看到这个类需要IAuthenticationSchemeProvider、IAuthenticationHandlerProvider(以及IClaimsTransformation)三个类型。前面已经了解了IAuthenticationSchemeProvider是干什么的:按名称取到已配置的认证方案(AuthenticationScheme)。那现在IAuthenticationHandlerProvider 是干什么的?看名字感觉应该是取到具体认证方案的handler。废话不多说,看IAuthenticationHandlerProvider 接口定义吧 public interface IAuthenticationHandlerProvider { /// <summary> /// Returns the handler instance that will be used. /// </summary> /// <param name="context">The context.</param> /// <param name="authenticationScheme">The name of the authentication scheme being handled.</param> /// <returns>The handler instance.</returns> Task<IAuthenticationHandler> GetHandlerAsync(HttpContext context,string authenticationScheme); } 通过上面的源码,跟我猜想的不错,果然就是取得具体认证方案的handler。 现在就可以知道AuthenticationService是对IAuthenticationSchemeProvider和IAuthenticationHandlerProvider的封装,最终调用IAuthenticationHandler的AuthenticateAsync()方法进行认证,并返回一个AuthenticateResult对象。从上面AuthenticateAsync的实现还可以看到两点:一是只有result.Succeeded为true时才会经过IClaimsTransformation对Principal做转换,失败或为null的结果原样返回;二是找不到对应scheme的handler时会直接抛异常,而不是静默当作未认证。 总结,对于asp.net core的认证来说,它需要下面这几个对象: AuthenticationBuilder 负责对认证方案的配置与初始化; IAuthenticationSchemeProvider / AuthenticationSchemeProvider 负责按名称获取已配置的认证方案(AuthenticationScheme),包括默认方案; IAuthenticationHandlerProvider / AuthenticationHandlerProvider 负责获取具体认证方案对应的handler; IAuthenticationService / AuthenticationService 是对上面两个Provider的封装,提供一个处理认证的统一入口; IAuthenticationHandler 及其实现类,是用来处理具体认证的,对不同认证方案的处理全靠它的AuthenticateAsync()方法; AuthenticateResult 最终的认证结果。 需要强调的是,这一整套流程只是"认证"(确认请求者是谁,结果写入context.User),并不做"授权":认证中间件不会拦截请求,失败时只是让context.User保持匿名,由后面的授权环节决定是否放行。 哎写的太垃圾了。 (编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |