是否存在
Asp.net Core的Keycloak客户端?
I have found a NuGet package for .net但它不适用于Core.您是否有任何想法如何轻松地与此安全服务器集成(或可能使用任何其他替代方案)?
解决方法
我今天玩了一下这个.最简单的方法是使用OpenId标准.
在Startup.cs中,我使用了OpenIdConnect身份验证:
- public void Configure(...)
- { (...)
- app.UseCookieAuthentication(new CookieAuthenticationOptions
- {
- AuthenticationScheme = CookieAuthenticationDefaults.AuthenticationScheme,AutomaticAuthenticate = true,CookieHttpOnly = true,CookieSecure = CookieSecurePolicy.SameAsRequest
- });
- app.USEOpenIdConnectAuthentication(CreateKeycloakOpenIdConnectOptions());`(...)
- }`
OpenIdConnectOptions方法:
- private OpenIdConnectOptions CreateKeycloakOpenIdConnectOptions()
- {
- var options = new OpenIdConnectOptions
- {
- AuthenticationScheme = "oidc",SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme,Authority = Configuration["Authentication:KeycloakAuthentication:ServerAddress"]+"/auth/realms/"+ Configuration["Authentication:KeycloakAuthentication:Realm"],RequireHttpsMetadata = false,//only in development
- PostlogoutRedirectUri = Configuration["Authentication:KeycloakAuthentication:PostlogoutRedirectUri"],ClientId = Configuration["Authentication:KeycloakAuthentication:ClientId"],ClientSecret = Configuration["Authentication:KeycloakAuthentication:ClientSecret"],ResponseType = OpenIdConnectResponseType.Code,GetClaimsFromUserInfoEndpoint = true,SaveTokens = true
- };
- options.Scope.Add("openid");
- return options;
- }
在appsettings.json中添加Keycloak的配置:
- {
- (...),"Authentication": {
- "KeycloakAuthentication": {
- "ServerAddress": "http://localhost:8180","Realm": "demo","PostlogoutRedirectUri": "http://localhost:57630/","ClientId": "KeycloakASPNETCore","ClientSecret": "secret-get-it-in-keycloakConsole-client-credentials"
- }
- }
- }
Keycloak客户端配置如下:
> Client settings,
> I’ve added ‘accounting’ role for test,
> I added mapper ‘member_of’ of type ‘User Client Role’ for roles so that roles are added in the claims
如果我想按角色授权用户,我会这样做:
在ConfigureServices方法中添加authorization by claims:
- public void ConfigureServices(IServiceCollection services)
- {
- (...)
- services.AddAuthorization(options =>
- {
- options.AddPolicy("Accounting",policy =>
- policy.RequireClaim("member_of","[accounting]")); //this claim value is an array. Any suggestions how to extract just single role? This still works.
- });
- }
我在ValuesController(默认Web API模板)中编辑了get方法:
- [Authorize(Policy = "Accounting")]
- [Route("api/[controller]")]
- public class ValuesController : Controller
- {
- // GET api/values
- [HttpGet]
- public Dictionary<string,string> Get()
- {
- var userPrinciple = User as ClaimsPrincipal;
- var claims = new Dictionary<string,string>();
- foreach (var claim in userPrinciple.Claims)
- {
- var key = claim.Type;
- var value = claim.Value;
- claims.Add(key,value);
- }
- return claims;
- }
如果我使用具有会计角色的用户登录或具有会计角色的组,则应在地址localhost:57630 / api / values上显示我的用户声明.
我希望这适合你.