04 建立 IdentityServer4 项目，Client Credentials

参考官方文档 Terminology。

（官方 Terminology 配图）

IdentityServer4 是一个 OpenID Connect provider，它的主要功能包括：

• protect your resources
• authenticate users using a local account store or via an external identity provider
• provide session management and single sign-on（单点登录）
• manage and authenticate clients
• issue identity and access tokens to clients
• validate tokens

Packaging and Builds 里面列出了 IdentityServer 4 相关的包的位置。

二、QuickStarts/Overview

项目模板源码：IdentityServer4.Templates

示例源码：IdentityServer4.Samples

通过 dotnet new is4inmem --name Idp 命令创建一个 IdentityServer4 with In-Memory Stores and Test Users 项目。

查看项目 Startup ConfigureServices 的代码，依次匹配官方示意图中的每个部分。

var builder = services.AddIdentityServer(options =>
{
    options.Events.RaiseErrorEvents = true;
    options.Events.RaiseInformationEvents = true;
    options.Events.RaiseFailureEvents = true;
    options.Events.RaiseSuccessEvents = true;
})
    .AddTestUsers(TestUsers.Users);

// in-memory, code config
builder.AddInMemoryIdentityResources(Config.GetIdentityResources());
builder.AddInMemoryApiResources(Config.GetApis());

builder.AddInMemoryClients(Config.GetClients());

官方文档“创建 Console 客户端，通过 Client Credentials 向 IdentityServer 请求 Access Token，并访问受保护资源”。

Client Credentials: The Client Credentials grant is used when applications request an access token to access their own resources, not on behalf of a user.

1、官方教程创建了 Api1Resource。

Api1Resource 中返回了 User.Claims 的一些信息：

[Route("identity")]
[Authorize]
public class IdentityController : ControllerBase
{
    [HttpGet]
    public IActionResult Get()
    {
        return new JsonResult(from c in User.Claims select new { c.Type, c.Value });
    }
}

修改 Startup，添加 Authentication 服务，并将 Authentication 中间件添加到管道中：

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvcCore()
        .AddAuthorization()
        .AddJsonFormatters();

    services.AddAuthentication("Bearer")
        .AddJwtBearer("Bearer", options =>
        {
            options.Authority = "http://localhost:5000";
            options.RequireHttpsMetadata = false;

            options.Audience = "api1";
        });
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    app.UseAuthentication();

    app.UseMvc();
}

AddAuthentication adds the authentication services to DI and configures "Bearer" as the default scheme. UseAuthentication adds the authentication middleware to the pipeline so authentication will be performed automatically on every call into the host.

Navigating to the controller http://localhost:5001/identity on a browser should return a 401 status code. This means your API requires a credential and is now protected by IdentityServer.

修改 console client 中的代码，以访问 Api1Resource，并打印 Claim 信息：

static async Task Main(string[] args)
{
    // Discoverty endpoint
    ...
    // Request access token
    ...
    // Call Api1Resource
    var apiClient = new HttpClient();
    apiClient.SetBearerToken(tokenResponse.AccessToken);

    var response = await apiClient.GetAsync("http://localhost:5001/identity");
    if (!response.IsSuccessStatusCode)
    {
        Console.WriteLine(response.StatusCode);
    }
    else
    {
        var content = await response.Content.ReadAsStringAsync();
        Console.WriteLine(JArray.Parse(content));
    }

    Console.ReadKey();
}

效果：