为什么 [Route] 为身份服务器 3 中的授权工作
Why [Route] work for authorization in identity server 3
我是 Open ID、Identity Server 和构建 API 的新手,
我已经设置了一个 Identity Server 3 和 API 和客户端,我的服务器将向客户端提供访问令牌,它可以在调用 API 时使用
服务器中的启动是
public void Configuration (IAppBuilder app)
{
var options = new IdentityServerOptions
{
Factory = new IdentityServerServiceFactory()
.UseInMemoryClients(Clients.Get())
.UseInMemoryScopes(Scopes.Get())
.UseInMemoryUsers(Users.Get()),
RequireSsl = false
};
app.UseIdentityServer(options);
}
和我的 API 启动
public void Configuration(IAppBuilder app)
{
//accept access token from indentityserver and require a scope of api1
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
Authority = "http://localhost:62172/",
ValidationMode = ValidationMode.ValidationEndpoint,
RequiredScopes = new[] { "api1" }
});
//config web api
var config = new HttpConfiguration();
config.MapHttpAttributeRoutes();
// require authentication for all controllers
config.Filters.Add(new AuthorizeAttribute());
app.UseWebApi(config);
}
我的问题是为什么我使用
[Route("api/Search")]
它像使用 [Authorize]
一样工作
[Route("api/Search")]
public async Task<IHttpActionResult> Companies(SearchRequest searchRequest)
{
}
为什么上面的打击代码像这样工作:
[Authorize]
public async Task<IHttpActionResult> Companies(SearchRequest searchRequest)
{}
更多信息
在我的控制器中,这是我正在调用的方法,我试图强制用户获得授权
public async Task<IHttpActionResult> Companies(SearchRequest searchRequest)
{
var caller = User as ClaimsPrincipal;
if (!ModelState.IsValid)
{
return BadRequest(ModelState);
}
HttpResponseMessage response = new HttpResponseMessage();
Framework.BusinessLogicFactory factory = new Framework.BusinessLogicFactory();
BusinessLogic.Search search = factory.CreateSearch();
}
但是如果我在控制器上没有 [Authorize] 或 [Route("api/Sreach")] 属性,任何对 API 的调用都会返回结果,
这就是我测试 API
的方式
string APiURL = "http://localhost:59791/api/Search";
var responses = GetClientToken();
var clinet = new HttpClient();
var value = new Dictionary<string, string>()
{
{ "CompanyNumber", " " },
{ "CompanyName", "test" },
{ "Address1", " " },
{ "Address2", " " },
{ "Address3", " " },
{ "PostCode", " " },
{ "CountryCode", " " },
};
var content = new FormUrlEncodedContent(value);
var response = await clinet.PostAsync(APiURL, content);
var t = response.StatusCode;
因为您的 API 启动程序中有 config.Filters.Add(new AuthorizeAttribute()); 行。
这会将 [Authorize] 应用于所有控制器。因此,导致应用授权的不是 [Route],而是这个过滤器。
我是 Open ID、Identity Server 和构建 API 的新手, 我已经设置了一个 Identity Server 3 和 API 和客户端,我的服务器将向客户端提供访问令牌,它可以在调用 API 时使用 服务器中的启动是
public void Configuration (IAppBuilder app)
{
var options = new IdentityServerOptions
{
Factory = new IdentityServerServiceFactory()
.UseInMemoryClients(Clients.Get())
.UseInMemoryScopes(Scopes.Get())
.UseInMemoryUsers(Users.Get()),
RequireSsl = false
};
app.UseIdentityServer(options);
}
和我的 API 启动
public void Configuration(IAppBuilder app)
{
//accept access token from indentityserver and require a scope of api1
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
Authority = "http://localhost:62172/",
ValidationMode = ValidationMode.ValidationEndpoint,
RequiredScopes = new[] { "api1" }
});
//config web api
var config = new HttpConfiguration();
config.MapHttpAttributeRoutes();
// require authentication for all controllers
config.Filters.Add(new AuthorizeAttribute());
app.UseWebApi(config);
}
我的问题是为什么我使用
[Route("api/Search")]
它像使用 [Authorize]
一样工作[Route("api/Search")]
public async Task<IHttpActionResult> Companies(SearchRequest searchRequest)
{
}
为什么上面的打击代码像这样工作:
[Authorize]
public async Task<IHttpActionResult> Companies(SearchRequest searchRequest)
{}
更多信息
在我的控制器中,这是我正在调用的方法,我试图强制用户获得授权
public async Task<IHttpActionResult> Companies(SearchRequest searchRequest)
{
var caller = User as ClaimsPrincipal;
if (!ModelState.IsValid)
{
return BadRequest(ModelState);
}
HttpResponseMessage response = new HttpResponseMessage();
Framework.BusinessLogicFactory factory = new Framework.BusinessLogicFactory();
BusinessLogic.Search search = factory.CreateSearch();
}
但是如果我在控制器上没有 [Authorize] 或 [Route("api/Sreach")] 属性,任何对 API 的调用都会返回结果, 这就是我测试 API
的方式string APiURL = "http://localhost:59791/api/Search";
var responses = GetClientToken();
var clinet = new HttpClient();
var value = new Dictionary<string, string>()
{
{ "CompanyNumber", " " },
{ "CompanyName", "test" },
{ "Address1", " " },
{ "Address2", " " },
{ "Address3", " " },
{ "PostCode", " " },
{ "CountryCode", " " },
};
var content = new FormUrlEncodedContent(value);
var response = await clinet.PostAsync(APiURL, content);
var t = response.StatusCode;
因为您的 API 启动程序中有 config.Filters.Add(new AuthorizeAttribute()); 行。
这会将 [Authorize] 应用于所有控制器。因此,导致应用授权的不是 [Route],而是这个过滤器。