IdentityServer4 Source Code Analysis 1: Project Structure

Updated: 2023-07-14 19:50:25
Contents
[IdentityServer4 Source Code Analysis 6: End Session Endpoint]
[IdentityServer4 Source Code Analysis 7: Token Introspection Endpoint]
[IdentityServer4 Source Code Analysis 8: Token Revocation Endpoint]
Introduction
The Security source code analysis series introduced the various authentication schemes Microsoft provides. Among them, OAuth 2.0 and OpenID Connect are remote authentication schemes: the token is issued by another site. IdentityServer4 is an authentication-server framework built on the OpenID Connect protocol that lets you stand up an authentication center for microservices quickly.
Beginners may find the raw protocol concepts heavy going. Think of the OAuth and OpenID Connect specifications as the requirements document, and of idsv4 as a set of API implementations of those requirements.
If you are not yet familiar with idsv, see the material below. This series walks through the idsv4 source and reads it alongside the protocols to deepen understanding.
The 晓晨姐姐 article series
Official documentation
Project Structure
The project address is as follows:
Clone it locally; the project structure is shown in the figure.
The core project is IdentityServer4; the other projects integrate with the Microsoft frameworks or handle persistence.
The Endpoints folder holds the endpoint handlers. We first look at the dependency injection and middleware code, then at each endpoint.
Dependency Injection
    public static IIdentityServerBuilder AddIdentityServer(this IServiceCollection services)
    {
        var builder = services.AddIdentityServerBuilder();

        builder
            .AddRequiredPlatformServices()
            .AddCookieAuthentication()
            .AddCoreServices()
            .AddDefaultEndpoints()
            .AddPluggableServices()
            .AddValidators()
            .AddResponseGenerators()
            .AddDefaultSecretParsers()
            .AddDefaultSecretValidators();

        // provide default in-memory implementation, not suitable for most production scenarios
        builder.AddInMemoryPersistedGrants();

        return builder;
    }
Note the last call. With AddInMemoryPersistedGrants, authorization codes, refresh tokens, reference tokens, device codes and user consent live in process memory: they are lost on restart and invisible to other instances, so revoking a token on one node does not revoke it anywhere else. Production deployments replace this with a shared operational store (for example the EntityFramework package's AddOperationalStore).
AddRequiredPlatformServices - registers platform services
IHttpContextAccessor: HttpContext accessor
IdentityServerOptions: the options class. It is registered as a singleton by unwrapping IOptions<IdentityServerOptions>.Value, so the options are read once at startup.
    public static IIdentityServerBuilder AddRequiredPlatformServices(this IIdentityServerBuilder builder)
    {
        builder.Services.TryAddSingleton<IHttpContextAccessor, HttpContextAccessor>();
        builder.Services.AddOptions();
        builder.Services.AddSingleton(
            resolver => resolver.GetRequiredService<IOptions<IdentityServerOptions>>().Value);
        builder.Services.AddHttpClient();

        return builder;
    }
AddCookieAuthentication - registers cookie services
Registers the cookie authentication scheme named idsrv (IdentityServerConstants.DefaultCookieAuthenticationScheme) as the default scheme, plus the external cookie scheme used while an external login is in progress (IdentityServerConstants.ExternalCookieAuthenticationScheme).
Registers IdentityServerAuthenticationService as a decorator around the existing IAuthenticationService.
Registers FederatedSignoutAuthenticationHandlerProvider as a decorator around the existing IAuthenticationHandlerProvider.
    public static IIdentityServerBuilder AddCookieAuthentication(this IIdentityServerBuilder builder)
    {
        builder.Services.AddAuthentication(IdentityServerConstants.DefaultCookieAuthenticationScheme)
            .AddCookie(IdentityServerConstants.DefaultCookieAuthenticationScheme)
            .AddCookie(IdentityServerConstants.ExternalCookieAuthenticationScheme);
        builder.Services.AddSingleton<IConfigureOptions<CookieAuthenticationOptions>, ConfigureInternalCookieOptions>();
        builder.Services.AddSingleton<IPostConfigureOptions<CookieAuthenticationOptions>, PostConfigureInternalCookieOptions>();

        builder.Services.AddTransientDecorator<IAuthenticationService, IdentityServerAuthenticationService>();
        builder.Services.AddTransientDecorator<IAuthenticationHandlerProvider, FederatedSignoutAuthenticationHandlerProvider>();

        return builder;
    }
AddCoreServices - registers core services
    /// <summary>
    /// Adds the core services.
    /// </summary>
    /// <param name="builder">The builder.</param>
    /// <returns></returns>
    public static IIdentityServerBuilder AddCoreServices(this IIdentityServerBuilder builder)
    {
        builder.Services.AddTransient<SecretParser>();
        builder.Services.AddTransient<SecretValidator>();
        builder.Services.AddTransient<ScopeValidator>();
        builder.Services.AddTransient<ExtensionGrantValidator>();
        builder.Services.AddTransient<BearerTokenUsageValidator>();
        builder.Services.AddTransient<JwtRequestValidator>();

        // todo: remove in 3.0
#pragma warning disable CS0618 // Type or member is obsolete
        builder.Services.AddTransient<BackChannelHttpClient>();
#pragma warning restore CS0618 // Type or member is obsolete

        builder.Services.AddTransient<ReturnUrlParser>();
        builder.Services.AddTransient<IdentityServerTools>();
        builder.Services.AddTransient<IReturnUrlParser, OidcReturnUrlParser>();
        builder.Services.AddScoped<IUserSession, DefaultUserSession>();
        builder.Services.AddTransient(typeof(MessageCookie<>));

        builder.Services.AddCors();
        builder.Services.AddTransientDecorator<ICorsPolicyProvider, CorsPolicyProvider>();

        return builder;
    }
AddDefaultEndpoints - registers endpoints
AuthorizeCallbackEndpoint: authorize callback endpoint
AuthorizeEndpoint: authorize endpoint
CheckSessionEndpoint: check-session endpoint
DeviceAuthorizationEndpoint: device authorization endpoint
DiscoveryKeyEndpoint: discovery keys (JWKS) endpoint
DiscoveryEndpoint: discovery (metadata) endpoint
EndSessionCallbackEndpoint: end-session callback endpoint
EndSessionEndpoint: end-session endpoint
IntrospectionEndpoint: token introspection endpoint
TokenRevocationEndpoint: token revocation endpoint
TokenEndpoint: token endpoint
UserInfoEndpoint: user info endpoint
All default endpoints are registered here with a name and a path; the paths are the ProtocolRoutePaths constants, for example connect/token for the token endpoint and .well-known/openid-configuration for discovery. When a request arrives, EndpointRouter compares the request path with these registrations to find the matching handler, and consults the Endpoints options so that a disabled endpoint is never dispatched.
    public static IIdentityServerBuilder AddDefaultEndpoints(this IIdentityServerBuilder builder)
    {
        builder.Services.AddTransient<IEndpointRouter, EndpointRouter>();

        builder.AddEndpoint<AuthorizeCallbackEndpoint>(EndpointNames.Authorize, ProtocolRoutePaths.AuthorizeCallback.EnsureLeadingSlash());
        builder.AddEndpoint<AuthorizeEndpoint>(EndpointNames.Authorize, ProtocolRoutePaths.Authorize.EnsureLeadingSlash());
        builder.AddEndpoint<CheckSessionEndpoint>(EndpointNames.CheckSession, ProtocolRoutePaths.CheckSession.EnsureLeadingSlash());
        builder.AddEndpoint<DeviceAuthorizationEndpoint>(EndpointNames.DeviceAuthorization, ProtocolRoutePaths.DeviceAuthorization.EnsureLeadingSlash());
        builder.AddEndpoint<DiscoveryKeyEndpoint>(EndpointNames.Discovery, ProtocolRoutePaths.DiscoveryWebKeys.EnsureLeadingSlash());
        builder.AddEndpoint<DiscoveryEndpoint>(EndpointNames.Discovery, ProtocolRoutePaths.DiscoveryConfiguration.EnsureLeadingSlash());
        builder.AddEndpoint<EndSessionCallbackEndpoint>(EndpointNames.EndSession, ProtocolRoutePaths.EndSessionCallback.EnsureLeadingSlash());
        builder.AddEndpoint<EndSessionEndpoint>(EndpointNames.EndSession, ProtocolRoutePaths.EndSession.EnsureLeadingSlash());
        builder.AddEndpoint<IntrospectionEndpoint>(EndpointNames.Introspection, ProtocolRoutePaths.Introspection.EnsureLeadingSlash());
        builder.AddEndpoint<TokenRevocationEndpoint>(EndpointNames.Revocation, ProtocolRoutePaths.Revocation.EnsureLeadingSlash());
        builder.AddEndpoint<TokenEndpoint>(EndpointNames.Token, ProtocolRoutePaths.Token.EnsureLeadingSlash());
        builder.AddEndpoint<UserInfoEndpoint>(EndpointNames.UserInfo, ProtocolRoutePaths.UserInfo.EnsureLeadingSlash());

        return builder;
    }
AddPluggableServices - registers pluggable services
Almost everything here is registered with TryAddTransient, which only adds the default when nothing is registered for that interface yet. That is the override mechanism: register your own IProfileService, ITokenService, ICorsPolicyService and so on before calling AddIdentityServer (or through the builder's Add* extensions afterwards, which use plain AddTransient so the later registration wins). Two exceptions use plain AddTransient: IClientSecretValidator and IApiSecretValidator. Note also the trailing AddDistributedMemoryCache: it registers an in-process IDistributedCache when none exists, and DistributedDeviceFlowThrottlingService uses that cache to rate-limit device-code polling, so on a multi-instance deployment the throttling is per node unless a real distributed cache is registered.
    public static IIdentityServerBuilder AddPluggableServices(this IIdentityServerBuilder builder)
    {
        builder.Services.TryAddTransient<IPersistedGrantService, DefaultPersistedGrantService>();
        builder.Services.TryAddTransient<IKeyMaterialService, DefaultKeyMaterialService>();
        builder.Services.TryAddTransient<ITokenService, DefaultTokenService>();
        builder.Services.TryAddTransient<ITokenCreationService, DefaultTokenCreationService>();
        builder.Services.TryAddTransient<IClaimsService, DefaultClaimsService>();
        builder.Services.TryAddTransient<IRefreshTokenService, DefaultRefreshTokenService>();
        builder.Services.TryAddTransient<IDeviceFlowCodeService, DefaultDeviceFlowCodeService>();
        builder.Services.TryAddTransient<IConsentService, DefaultConsentService>();
        builder.Services.TryAddTransient<ICorsPolicyService, DefaultCorsPolicyService>();
        builder.Services.TryAddTransient<IProfileService, DefaultProfileService>();
        builder.Services.TryAddTransient<IConsentMessageStore, ConsentMessageStore>();
        builder.Services.TryAddTransient<IMessageStore<LogoutMessage>, ProtectedDataMessageStore<LogoutMessage>>();
        builder.Services.TryAddTransient<IMessageStore<EndSession>, ProtectedDataMessageStore<EndSession>>();
        builder.Services.TryAddTransient<IMessageStore<ErrorMessage>, ProtectedDataMessageStore<ErrorMessage>>();
        builder.Services.TryAddTransient<IIdentityServerInteractionService, DefaultIdentityServerInteractionService>();
        builder.Services.TryAddTransient<IDeviceFlowInteractionService, DefaultDeviceFlowInteractionService>();
        builder.Services.TryAddTransient<IAuthorizationCodeStore, DefaultAuthorizationCodeStore>();
        builder.Services.TryAddTransient<IRefreshTokenStore, DefaultRefreshTokenStore>();
        builder.Services.TryAddTransient<IReferenceTokenStore, DefaultReferenceTokenStore>();
        builder.Services.TryAddTransient<IUserConsentStore, DefaultUserConsentStore>();
        builder.Services.TryAddTransient<IHandleGenerationService, DefaultHandleGenerationService>();
        builder.Services.TryAddTransient<IPersistentGrantSerializer, PersistentGrantSerializer>();
        builder.Services.TryAddTransient<IEventService, DefaultEventService>();
        builder.Services.TryAddTransient<IEventSink, DefaultEventSink>();
        builder.Services.TryAddTransient<IUserCodeService, DefaultUserCodeService>();
        builder.Services.TryAddTransient<IUserCodeGenerator, NumericUserCodeGenerator>();
        builder.Services.TryAddTransient<IBackChannelLogoutService, DefaultBackChannelLogoutService>();

        builder.AddJwtRequestUriHttpClient();
        builder.AddBackChannelLogoutHttpClient();
        //builder.Services.AddHttpClient<BackChannelLogoutHttpClient>();
        //builder.Services.AddHttpClient<JwtRequestUriHttpClient>();

        builder.Services.AddTransient<IClientSecretValidator, ClientSecretValidator>();
        builder.Services.AddTransient<IApiSecretValidator, ApiSecretValidator>();

        builder.Services.TryAddTransient<IDeviceFlowThrottlingService, DistributedDeviceFlowThrottlingService>();
        builder.Services.AddDistributedMemoryCache();

        return builder;
    }
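The TryAdd registrations above are the override points. As an added example (not the project's own code, nor code from the original post), here is a custom IProfileService together with the two registration orders that make the container pick it over DefaultProfileService. IAppUserStore is a hypothetical user store standing in for your own user database.

```csharp
// Added example: overriding a pluggable service registered with TryAddTransient.
// IAppUserStore is an assumption of this example, not an IdentityServer4 type.
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical application user store: reports whether an account is disabled
// and which claims it carries.
public interface IAppUserStore
{
    Task<bool> IsDisabledAsync(string subjectId);
    Task<IEnumerable<Claim>> GetClaimsAsync(string subjectId);
}

public class AppProfileService : IProfileService
{
    private readonly IAppUserStore _users;

    public AppProfileService(IAppUserStore users)
    {
        _users = users;
    }

    // Called whenever claims are needed for an id_token, an access token or the
    // userinfo endpoint. AddRequestedClaims filters by context.RequestedClaimTypes,
    // so only the claims the client and its resources asked for are released.
    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var subjectId = context.Subject.GetSubjectId();
        var claims = await _users.GetClaimsAsync(subjectId);
        context.AddRequestedClaims(claims);
    }

    // Called on token requests (including refresh-token use and reference-token
    // validation) and on the userinfo endpoint. DefaultProfileService always
    // reports "active"; a disabled account must be rejected here, otherwise its
    // refresh tokens keep producing access tokens.
    public async Task IsActiveAsync(IsActiveContext context)
    {
        var subjectId = context.Subject.GetSubjectId();
        context.IsActive = !await _users.IsDisabledAsync(subjectId);
    }
}

public static class ProfileServiceRegistration
{
    // Option 1: register before AddIdentityServer(). TryAddTransient in
    // AddPluggableServices then sees an existing registration and leaves it alone.
    public static void RegisterBefore(IServiceCollection services)
    {
        services.AddTransient<IProfileService, AppProfileService>();
        services.AddIdentityServer();
    }

    // Option 2: use the builder extension after AddIdentityServer(). It calls
    // AddTransient (not TryAdd), so the later registration is the one resolved.
    public static void RegisterAfter(IServiceCollection services)
    {
        services.AddIdentityServer()
                .AddProfileService<AppProfileService>();
    }
}
```

Either order works; what does not work is registering your own IProfileService with AddTransient after AddIdentityServer and expecting TryAdd to have removed the default. Nothing removes it, the container simply resolves the last registration.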
AddValidators - registers validators
Two defaults here are worth knowing. IResourceOwnerPasswordValidator is NotSupportedResourceOwnerPasswordValidator, so the password grant is rejected until you register your own implementation. IRedirectUriValidator is StrictRedirectUriValidator, which only accepts a redirect_uri that matches one of the client's configured URIs exactly (case-insensitive, no prefix or wildcard matching).
    public static IIdentityServerBuilder AddValidators(this IIdentityServerBuilder builder)
    {
        // core
        builder.Services.TryAddTransient<IEndSessionRequestValidator, EndSessionRequestValidator>();
        builder.Services.TryAddTransient<ITokenRevocationRequestValidator, TokenRevocationRequestValidator>();
        builder.Services.TryAddTransient<IAuthorizeRequestValidator, AuthorizeRequestValidator>();
        builder.Services.TryAddTransient<ITokenRequestValidator, TokenRequestValidator>();
        builder.Services.TryAddTransient<IRedirectUriValidator, StrictRedirectUriValidator>();
        builder.Services.TryAddTransient<ITokenValidator, TokenValidator>();
        builder.Services.TryAddTransient<IIntrospectionRequestValidator, IntrospectionRequestValidator>();
        builder.Services.TryAddTransient<IResourceOwnerPasswordValidator, NotSupportedResourceOwnerPasswordValidator>();
        builder.Services.TryAddTransient<ICustomTokenRequestValidator, DefaultCustomTokenRequestValidator>();
        builder.Services.TryAddTransient<IUserInfoRequestValidator, UserInfoRequestValidator>();
        builder.Services.TryAddTransient<IClientConfigurationValidator, DefaultClientConfigurationValidator>();
        builder.Services.TryAddTransient<IDeviceAuthorizationRequestValidator, DeviceAuthorizationRequestValidator>();
        builder.Services.TryAddTransient<IDeviceCodeValidator, DeviceCodeValidator>();

        // optional
        builder.Services.TryAddTransient<ICustomTokenValidator, DefaultCustomTokenValidator>();
        builder.Services.TryAddTransient<ICustomAuthorizeRequestValidator, DefaultCustomAuthorizeRequestValidator>();

        return builder;
    }
AddResponseGenerators - registers response generators
    public static IIdentityServerBuilder AddResponseGenerators(this IIdentityServerBuilder builder)
    {
        builder.Services.TryAddTransient<ITokenResponseGenerator, TokenResponseGenerator>();
        builder.Services.TryAddTransient<IUserInfoResponseGenerator, UserInfoResponseGenerator>();
        builder.Services.TryAddTransient<IIntrospectionResponseGenerator, IntrospectionResponseGenerator>();
        builder.Services.TryAddTransient<IAuthorizeInteractionResponseGenerator, AuthorizeInteractionResponseGenerator>();
        builder.Services.TryAddTransient<IAuthorizeResponseGenerator, AuthorizeResponseGenerator>();
        builder.Services.TryAddTransient<IDiscoveryResponseGenerator, DiscoveryResponseGenerator>();
        builder.Services.TryAddTransient<ITokenRevocationResponseGenerator, TokenRevocationResponseGenerator>();
        builder.Services.TryAddTransient<IDeviceAuthorizationResponseGenerator, DeviceAuthorizationResponseGenerator>();

        return builder;
    }
AddDefaultSecretParsers & AddDefaultSecretValidators
These two use plain AddTransient, so they build up lists: SecretParser (registered in AddCoreServices) runs every ISecretParser over the incoming request, and SecretValidator runs every ISecretValidator against the client's configured secrets until one succeeds. The default parsers read client credentials from the HTTP Basic Authorization header and from client_id/client_secret in the POST body. The default validator, HashedSharedSecretValidator, hashes the presented secret with SHA-256 or SHA-512 and compares it with the stored Secret.Value, which is why client secrets are configured as hashes (for example "secret".Sha256()) and never stored in clear.
    /// <summary>
    /// Adds the default secret parsers.
    /// </summary>
    /// <param name="builder">The builder.</param>
    /// <returns></returns>
    public static IIdentityServerBuilder AddDefaultSecretParsers(this IIdentityServerBuilder builder)
    {
        builder.Services.AddTransient<ISecretParser, BasicAuthenticationSecretParser>();
        builder.Services.AddTransient<ISecretParser, PostBodySecretParser>();

        return builder;
    }

    /// <summary>
    /// Adds the default secret validators.
    /// </summary>
    /// <param name="builder">The builder.</param>
    /// <returns></returns>
    public static IIdentityServerBuilder AddDefaultSecretValidators(this IIdentityServerBuilder builder)
    {
        builder.Services.AddTransient<ISecretValidator, HashedSharedSecretValidator>();

        return builder;
    }
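To see how the parser/validator chain is extended, here is an added example (not IdentityServer4's own code, nor code from the original post) of a second ISecretValidator registered next to HashedSharedSecretValidator. It validates client secrets stored as salted, iterated PBKDF2 hashes rather than bare SHA-256, which suits secrets chosen by people rather than generated at random. The Secret.Type value "pbkdf2", the stored format "iterations.salt.hash", the client reporting-service and the scope reports.read are assumptions of this example; CryptographicOperations.FixedTimeEquals needs .NET Core 2.1 or later.

```csharp
// Added example: a custom ISecretValidator beside the default one.
// Secret.Type "pbkdf2" and the "iterations.salt.hash" storage format are
// assumptions of this example, not IdentityServer4 conventions.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Validation;
using Microsoft.Extensions.DependencyInjection;

public static class Pbkdf2Secret
{
    public const string Type = "pbkdf2";   // assumed custom Secret.Type
    private const int SaltBytes = 16;
    private const int HashBytes = 32;

    // Produces the stored representation "iterations.base64salt.base64hash".
    public static string Hash(string plaintext, int iterations = 100_000)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(plaintext, salt, iterations, HashAlgorithmName.SHA256))
        {
            var hash = kdf.GetBytes(HashBytes);
            return $"{iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
        }
    }

    public static bool Verify(string plaintext, string stored)
    {
        var parts = stored.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out var iterations) || iterations <= 0) return false;
        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[1]);
            expected = Convert.FromBase64String(parts[2]);
        }
        catch (FormatException) { return false; }   // malformed stored value can never match
        using (var kdf = new Rfc2898DeriveBytes(plaintext, salt, iterations, HashAlgorithmName.SHA256))
        {
            var actual = kdf.GetBytes(expected.Length);
            // constant-time comparison: a wrong secret must not leak how many bytes matched
            return CryptographicOperations.FixedTimeEquals(actual, expected);
        }
    }
}

public class Pbkdf2SecretValidator : ISecretValidator
{
    // secrets: the client's configured secrets (SecretValidator has already dropped expired ones)
    // parsedSecret: what BasicAuthenticationSecretParser or PostBodySecretParser pulled from the request
    public Task<SecretValidationResult> ValidateAsync(IEnumerable<Secret> secrets, ParsedSecret parsedSecret)
    {
        var fail = Task.FromResult(new SecretValidationResult { Success = false });

        // The default parsers deliver a plaintext shared secret as a string credential.
        if (parsedSecret.Type != IdentityServerConstants.ParsedSecretTypes.SharedSecret) return fail;
        if (!(parsedSecret.Credential is string presented) || string.IsNullOrEmpty(presented)) return fail;

        // Only consider secrets stored in our format; HashedSharedSecretValidator handles the rest.
        foreach (var secret in secrets.Where(s => s.Type == Pbkdf2Secret.Type))
        {
            if (Pbkdf2Secret.Verify(presented, secret.Value))
                return Task.FromResult(new SecretValidationResult { Success = true });
        }
        return fail;
    }
}

public static class SecretValidatorRegistration
{
    public static void Configure(IServiceCollection services)
    {
        services.AddIdentityServer()
            // AddSecretValidator<T> uses AddTransient, so both validators stay registered
            // and SecretValidator tries each one until one reports success.
            .AddSecretValidator<Pbkdf2SecretValidator>()
            .AddInMemoryClients(new[]
            {
                new Client
                {
                    ClientId = "reporting-service",                 // example client
                    AllowedGrantTypes = GrantTypes.ClientCredentials,
                    AllowedScopes = { "reports.read" },             // example scope
                    ClientSecrets =
                    {
                        new Secret(Pbkdf2Secret.Hash("correct horse battery staple")) { Type = Pbkdf2Secret.Type }
                    }
                }
            });
    }
}
```

The validator returns a failure rather than throwing when the parsed secret is not a shared secret or the stored value is malformed, so a bad configuration entry cannot turn into an unhandled exception on the token endpoint; it is simply never a match.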
IdentityServerOptions - the options class
Two of these settings decide what goes into the iss claim and into the discovery document. IssuerUri and PublicOrigin are inferred from the incoming request (scheme and Host header) when left unset, so behind a reverse proxy, or on a server that does not restrict the Host header, whatever value a request carries in Host ends up in the issued tokens and in the advertised endpoint URLs. Set both explicitly in production.
    /// <summary>
    /// The IdentityServerOptions class is the top level container for all configuration settings of IdentityServer.
    /// </summary>
    public class IdentityServerOptions
    {
        /// <summary>
        /// Gets or sets the unique name of this server instance, e.g.
        /// If not set, the issuer name is inferred from the request
        /// </summary>
        /// <value>
        /// Unique name of this server instance, e.g.
        /// </value>
        public string IssuerUri { get; set; }

        /// <summary>
        /// Gets or sets the origin of this server instance, e.g.
        /// If not set, the origin name is inferred from the request
        /// Note: Do not set a URL or include a path.
        /// </summary>
        /// <value>
        /// Origin of this server instance, e.g.
        /// </value>
        public string PublicOrigin { get; set; }

        /// <summary>
        /// Gets or sets the value for the JWT typ header for access tokens.
        /// </summary>
        /// <value>
        /// The JWT typ value.
        /// </value>
        public string AccessTokenJwtType { get; set; } = "at+jwt";

        /// <summary>
        /// Emits an aud claim with the format issuer/resources. That's needed for some older access token validation plumbing. Defaults to false.
        /// </summary>
        public bool EmitLegacyResourceAudienceClaim { get; set; } = false;

        /// <summary>
        /// Gets or sets the endpoint configuration.
        /// </summary>
        /// <value>
        /// The endpoints configuration.
        /// </value>
        public EndpointsOptions Endpoints { get; set; } = new EndpointsOptions();

        /// <summary>
        /// Gets or sets the discovery endpoint configuration.
        /// </summary>
        /// <value>
        /// The discovery endpoint configuration.
        /// </value>
        public DiscoveryOptions Discovery { get; set; } = new DiscoveryOptions();

        /// <summary>
        /// Gets or sets the authentication options.
        /// </summary>
        /// <value>
        /// The authentication options.
        /// </value>
        public AuthenticationOptions Authentication { get; set; } = new AuthenticationOptions();

        /// <summary>
        /// Gets or sets the events options.
        /// </summary>
        /// <value>
        /// The events options.
        /// </value>
        public EventsOptions Events { get; set; } = new EventsOptions();

        /// <summary>
        /// Gets or sets the max input length restrictions.
        /// </summary>
        /// <value>
        /// The length restrictions.
        /// </value>
        public InputLengthRestrictions InputLengthRestrictions { get; set; } = new InputLengthRestrictions();

        /// <summary>
        /// Gets or sets the options for the user interaction.
        /// </summary>
        /// <value>
        /// The user interaction options.
        /// </value>
        public UserInteractionOptions UserInteraction { get; set; } = new UserInteractionOptions();

        /// <summary>
        /// Gets or sets the caching options.
        /// </summary>
        /// <value>
        /// The caching options.
        /// </value>
        public CachingOptions Caching { get; set; } = new CachingOptions();

        /// <summary>
        /// Gets or sets the cors options.
        /// </summary>
        /// <value>
        /// The cors options.
        /// </value>
        public CorsOptions Cors { get; set; } = new CorsOptions();

        /// <summary>
        /// Gets or sets the Content Security Policy options.
        /// </summary>
        public CspOptions Csp { get; set; } = new CspOptions();

        /// <summary>
        /// Gets or sets the validation options.
        /// </summary>
        public ValidationOptions Validation { get; set; } = new ValidationOptions();
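As an added example of using these options (not code from the original post or from the IdentityServer4 project), here is a Startup that pins the settings a reviewer checks first. The hostname login.example.com, the cookie lifetime and the choice of endpoints to disable are assumptions for this example; pick what matches your deployment.

```csharp
// Added example: hardening the IdentityServerOptions shown above.
// login.example.com and the disabled endpoints are assumptions of this example.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // AddIdentityServer(Action<IdentityServerOptions>) binds the options that
        // AddRequiredPlatformServices later exposes as a singleton.
        services.AddIdentityServer(options =>
        {
            // Do not let the Host header decide the iss claim or the URLs in the
            // discovery document: pin them. Relying parties reject tokens whose iss does
            // not match their configured authority, so a wrong value fails closed.
            options.IssuerUri = "https://login.example.com";      // assumed hostname
            options.PublicOrigin = "https://login.example.com";   // scheme + host only, no path

            // Expose only the endpoints this deployment uses. EndpointRouter does not
            // dispatch to a disabled endpoint; the request falls through to the rest
            // of the pipeline instead of reaching the handler.
            options.Endpoints.EnableDeviceAuthorizationEndpoint = false;   // no device flow here
            options.Endpoints.EnableIntrospectionEndpoint = false;         // only needed for reference tokens
            options.Endpoints.EnableCheckSessionEndpoint = false;          // only needed for session-monitoring iframes

            // The idsrv cookie is the user's SSO session: give it an explicit, bounded lifetime.
            options.Authentication.CookieLifetime = TimeSpan.FromHours(8);
            options.Authentication.CookieSlidingExpiration = false;

            // Raise audit events so failures (bad secrets, rejected redirect URIs,
            // invalid grants) reach the IEventSink and from there your SIEM.
            options.Events.RaiseErrorEvents = true;
            options.Events.RaiseFailureEvents = true;
            options.Events.RaiseSuccessEvents = true;
        });
        // Clients, resources, signing credential and an operational store would be
        // added to the returned builder here.
    }

    public void Configure(IApplicationBuilder app)
    {
        // UseIdentityServer puts the EndpointRouter into the pipeline; it goes before
        // MVC so that /connect/* and /.well-known/* are handled before controller routing.
        app.UseIdentityServer();
        app.UseMvcWithDefaultRoute();
    }
}
```

Because IdentityServerOptions is materialised once as a singleton, none of these values can be changed per request; that is deliberate, and it is also why a missing IssuerUri is resolved from the request each time rather than once.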

Published: 2023-07-14 19:50:25

Link: https://www.wtabcd.cn/fanwen/fan/89/1081545.html