AspNetCore网关集成Swagger访问使用IdentityServer保护的webapi项目
创建webapi项目
创建四个webapi项目,两个处理业务,一个网关,一个验证中心。四个项目对应的端口如下,
ApiGateway:1999
IdentityServer:16690
Services.Api1:2108
Services.Api2:2343
添加Swagger支持
在两个业务项目中分别引用Swashbuckle.AspNetCore,目前是最新版本是4.0.1。在项目属性面板,设置输出xml文档,swagger可以读取xml注释生成json文件,在swagger ui页面中显示。但是选择输出xml文档后,对于没有xml注释的类和方法会显示警告,可以在项目属性面板中【错误和警告】选项,取消显示警告中添加1591,这样就可以不显示缺少xml注释的警告了。对于强迫症的你暂时可以平复一下了,当然,真的强迫症的话,肯定会全部加上xml注释的。(¬_¬)瞄
Startup.ConfigureServices
public void ConfigureServices(IServiceCollection services) { services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2); services.AddSwaggerGen(options => { //SwaggerDoc的第一个参数要与Configure中SwaggerEndPoint中的版本名称一致 //既可以使用版本号,也可以使用自定义名称 options.SwaggerDoc("ServiceApiTwo", new Info { Title = "Services.Api #two", Version = "v1", Description = "服务api #two", License = new License { Name = "APL2.0", Url = "https://opensource.org/licenses/Apache-2.0" }, Contact = new Contact { Name = "原来是李", Url = "https://www.cnblogs.com/falltakeman" } }); var xmlFile = $"{Assembly.GetExecutingAssembly().GetName().Name}.xml"; var xmlPath = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, xmlFile); options.IncludeXmlComments(xmlPath); }); }
Startup.Configure
public void Configure(IApplicationBuilder app, IHostingEnvironment env) { if (env.IsDevelopment()) { app.UseDeveloperExceptionPage(); app.UseSwagger(c=> { c.RouteTemplate = "{documentName}/swagger.json"; }); app.UseSwaggerUI(u => { u.SwaggerEndpoint("/ServiceApiTwo/swagger.json", "ServiceApiTwo"); u.DocumentTitle = "Service Api #2 文档"; }); } app.UseMvc(); }
配置好启动项目看看。
通过swagger发起请求,响应正常。
配置网关项目
使用目前比较流行的开源网关服务Ocelot,APIGateway项目添加引用Ocelot、Ocelot.Provider.Consul、Ocelot.Provider.Polly、Ocelot.Cache.CacheManager,目前用到的版本是13.5.2。要在网关中统一查看各个服务的swagger文档,还需引用Swash.AspNetCore。Consul的配置先不说了。
在项目根路径下添加OcelotConfig.json配置文件。处理正常的路由转发外,要在网关swagger页面访问业务api,还需要配置swagger路由转发。
{ "GlobalConfiguration": { //外部访问路径 "BaseUrl": "http://localhost:1999", //限速配置 "RateLimitOptions": { //白名单 "ClientWhitelist": [], "EnableRateLimiting": true, //限制时间段,例如1s,5m,1h,1d "Period": "1s", //等待重试等待的时间间隔(秒) "PeriodTimespan": 1, //限制 "Limit": 1, //自定义消息 "QuotaExceededMessage": "单位时间内请求次数超过限制。", "HttpStatusCode": 999 }, //服务发现配置 "ServiceDiscoveryProvider": { "Host": "localhost", "Port": 8500, "Type": "PollConsul", "PollingInterval": 1000 }, //熔断配置 "QoSOptions": { "ExceptionsAllowedBeforeBreaking": 3, "DurationOfBreak": 5, //超时值(毫秒) "TimeoutValue": 5000 } }, "ReRoutes": [ // Api#one项目配置 { "UpstreamPathTemplate": "/gateway/one/{url}", //上游路径模板 "UpstreamHttpMethod": [ "Get", "Post", "Put", "Delete" ], //上游HTTP请求方法 "DownstreamPathTemplate": "/api/{url}", //下游路径模板 "DownstreamScheme": "http", //下游协议 https/http "ServiceName": "ServiceApiOne", //服务名称(结合服务发现使用) "UseServiceDiscovery": true, //启用服务发现 "LoadBalancer": "RoundRobin", //负载均衡算法:RoundRobin-轮询;LeastConnection-最少连接数(最空闲的服务器);NoLoadBalancer-总是发送往第一个请求或者服务发现 //下游主机与端口,允许配置多个 "DownstreamHostAndPorts": [ //{ // "Host": "ip", // "Port": 80 //}, { "Host": "localhost", "Port": 2108 } ], //熔断配置,在请求下游服务时使用断路 "QoSOptions": { "ExceptionsAllowedBeforeBreaking": 3, "DurationOfBreak": 10, "TimeoutValue": 5000 }, //权限配置 //"AuthenticationOptions": { // "AuthenticationProviderKey": "Bearer", // "AllowedScopes": [] //} }, // Api#two项目配置 { "UpstreamPathTemplate": "/gateway/two/{url}", "UpstreamHttpMethod": [ "Get", "Post", "Put", "Delete" ], "DownstreamPathTemplate": "/api/{url}", "DownstreamScheme": "http", "ServiceName": "ServiceApiTwo", "UseServiceDiscovery": true, "LoadBalancer": "RoundRobin", "DownstreamHostAndPorts": [ //{ // "Host": "ip", // "Port": 80 //}, { "Host": "localhost", "Port": 2343 } ], "QoSOptions": { "ExceptionsAllowedBeforeBreaking": 3, "DurationOfBreak": 10, "TimeoutValue": 5000 }, //"AuthenticationOptions": { // "AuthenticationProviderKey": "Bearer", // "AllowedScopes": [] //} }, //swagger api2配置 { "UpstreamPathTemplate": "/ServiceApiTwo/swagger.json", "UpstreamHttpMethod": [ "Get", "Post", "Put", "Delete" ], "DownstreamPathTemplate": "/ServiceApiTwo/swagger.json", "DownstreamScheme": "http", "DownstreamHostAndPorts": [ { "Host": "localhost", "Port": 2343 } ] }, //swagger api1多版本配置v1.0 { "UpstreamPathTemplate": "/ServiceApiOne/1.0/swagger.json", "UpstreamHttpMethod": [ "Get", "Post", "Put", "Delete" ], "DownstreamPathTemplate": "/ServiceApiOne/1.0/swagger.json", "DownstreamScheme": "http", "DownstreamHostAndPorts": [ { "Host": "localhost", "Port": 2108 } ] }, //swagger api1多版本配置v2.0 { "UpstreamPathTemplate": "/ServiceApiOne/2.0/swagger.json", "UpstreamHttpMethod": [ "Get", "Post", "Put", "Delete" ], "DownstreamPathTemplate": "/ServiceApiOne/2.0/swagger.json", "DownstreamScheme": "http", "DownstreamHostAndPorts": [ { "Host": "localhost", "Port": 2108 } ] } ] }
Startup.ConfigureServices注册swagger和Ocelot网关服务,ConfigureServices中的swagger配置和业务api中一样,
services.AddOcelot(Configuration) .AddConsul() .AddCacheManager(c => c.WithDictionaryHandle()) .AddPolly(); services.AddSwaggerGen(options => { options.SwaggerDoc(Configuration["Swagger:Name"], new Info { Title = Configuration["Swagger:Title"], Version = Configuration["Swagger:Version"], Description = Configuration["Swagger:Description"], License = new License { Name = Configuration["Swagger:License:Name"], Url = Configuration["Swagger:License:Url"] }, Contact = new Contact { Name = Configuration["Swagger:Contact:Name"], Email = Configuration["Swagger:Contact:Email"], Url = Configuration["Swagger:Contact:Url"] } }); });
Startup.Configure中,我是使用了配置文件,将业务api的swagger节点写在了配置文件中。
public void Configure(IApplicationBuilder app, IHostingEnvironment env) { if (env.IsDevelopment()) { app.UseDeveloperExceptionPage(); // 配置文件中的SwaggerName为业务api中是SwaggerEndPoint名称,有版本号的带上版本号 var apis = Configuration["SwaggerApis:SwaggerName"].Split(';').ToList(); app.UseSwagger(); app.UseSwaggerUI(options=> { //显示注册到网关的api接口 apis.ForEach(key => { options.SwaggerEndpoint($"/{key}/swagger.json", key); }); options.DocumentTitle = "api网关"; }); } else { app.UseExceptionHandler("/Home/Error"); } app.UseStaticFiles(); app.UseCookiePolicy(); app.UseMvc(routes => { routes.MapRoute( name: "default", template: "{controller=Home}/{action=Index}/{id?}"); }); app.UseOcelot().Wait(); // 使用Ocelot网关中间件 }
修改ApiGateway项目Program.cs将配置文件添加进来。
public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .ConfigureAppConfiguration((hostingContext,config)=> { var env = hostingContext.HostingEnvironment; //根据环境变量加载不同的json配置 config.AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true, reloadOnChange: true) .AddJsonFile("OcelotConfig.json")//网关配置 .AddEnvironmentVariables();//环境变量 }) .ConfigureLogging((hostingContext,logging)=> { logging.AddConfiguration(hostingContext.Configuration.GetSection("Logging")); logging.AddConsole(); //添加调试日志 logging.AddDebug(); }) .UseStartup();
网关配置了,swagger也配置了,启动业务api和网关服务看看效果。
两个业务api的swagger文档都可以正常查看。发请求看一下,结果响应404,仔细看一下,请求的服务地址是网关服务的地址,而不是业务api的地址,难道是Ocelot网关路由配置错了?使用Postman发一个GET请求看看,localhost:1999/gateway/two/values,网关转发到localhost:2343/api/values,响应正常。
看swashbuckle文档这一段,将业务api中Configure加上这一段后再次通过网关发起请求,结果出现TypeError。既然出错了,打开浏览器调试工具看一下就明白了,Failed to load http://localhost:2343/api/ApiTwo: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:1999' is therefore not allowed access.
网关请求业务api跨域了,要让业务api允许来自网关的请求,需要设置业务api跨域请求政策。加上下面的配置后,网关请求正常了。
修改Startup.Configure
public void Configure(IApplicationBuilder app, IHostingEnvironment env) { if (env.IsDevelopment()) { app.UseDeveloperExceptionPage(); app.UseSwagger(c=> { //处理网关通过swagger访问 c.PreSerializeFilters.Add((swaggerDoc, httpReq) => swaggerDoc.Host = httpReq.Host.Value); c.RouteTemplate = "{documentName}/swagger.json"; }); app.UseSwaggerUI(u => { u.SwaggerEndpoint("/ServiceApiTwo/swagger.json", "ServiceApiTwo"); u.DocumentTitle = "Service Api #2 文档"; }); } // 允许网关访问 app.UseCors(options => { options.WithOrigins("http://localhost:1999") .AllowAnyHeader() .AllowAnyMethod(); }); app.UseMvc(); }
使用IdentityServer4保护webapi
先前已经创建IdentityServer项目,添加引用IdentityServer4.AspNetIdentity(2.5.0)、IdentityServer4.EntityFramework(2.5.0)。新建一个类IdentityServerConfig,里面定义四个方法GetApiResources、GetIdentityResources、GetClients、GetTestUsers,具体代码就不贴了,看一下Startup。生产环境的话,当然要用数据库,这里不讨论IdentityServer4的使用。
public void ConfigureServices(IServiceCollection services) { services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2); services.AddIdentityServer() .AddDeveloperSigningCredential() .AddInMemoryPersistedGrants() .AddTestUsers(IdentityServerConfig.GetTestUsers()) .AddInMemoryIdentityResources(IdentityServerConfig.GetIdentityResources()) .AddInMemoryApiResources(IdentityServerConfig.GetApiResources()) .AddInMemoryClients(IdentityServerConfig.GetClients(Configuration)); } // This method gets called by the runtime. Use this method to configure the HTTP request pipeline. public void Configure(IApplicationBuilder app, IHostingEnvironment env) { if (env.IsDevelopment()) { app.UseDeveloperExceptionPage(); } app.UseIdentityServer(); app.UseMvc(); }
将网关和两个api项目对应的ApiResources和Clients分别为api-gateway、service-api-one、service-api-two,两个api客户端AllowedScope为自己,网关的AllowedScope为自己和两个api客户端。在需要保护的三个项目中添加引用IdentityServer4.AccessTokenValidation(2.7.0),修改Startup的ConfigureServices,添加如下代码。
//使用IdentityServer4 services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme) .AddIdentityServerAuthentication(options => { options.ApiName = "service-api-two"; options.Authority = "http://localhost:16690"; // IdentityServer验证服务 options.RequireHttpsMetadata = false; options.EnableCaching = true; });
Startup.Configure中添加app.UseAuthentication();
要在swagger中访问需要验证的api,需要在swagger配置中添加安全验证。
services.AddSwaggerGen(options => { //SwaggerDoc的第一个参数要与Configure中SwaggerEndPoint中的版本名称一致 //既可以使用版本号,也可以使用自定义名称 options.SwaggerDoc("ServiceApiTwo", new Info { Title = "Services.Api #two", Version = "v1", Description = "服务api #two", License = new License { Name = "MIT", Url = "https://mit-license.org/" }, Contact = new Contact { Name = "原来是李", Url = "http://www.cnblogs.com/falltakeman" } }); var xmlFile = $"{Assembly.GetExecutingAssembly().GetName().Name}.xml"; var xmlPath = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, xmlFile); options.IncludeXmlComments(xmlPath); // swagger访问需要验证的api options.AddSecurityDefinition("Bearer", new ApiKeyScheme { In = "header", Name = "Authorization", Type = "apiKey", Description = "Bearer {token}" }); options.AddSecurityRequirement(new Dictionary<string, IEnumerable<string>> { { "Bearer", Enumerable.Empty<string>() } }); });
在api控制器中,在需要保护的api上添加[Authorize]特性,没有授权的情况下访问受限api会报401错误。
使用postman获取token,在swagger中填写token,再次发起请求,响应正常。
在ApiGateway的Startup.ConfigureServices添加Authentication,在Services.AddSwaggerGen添加相应代码,启动项目在app.UseOcelot().Wait()抛出异常:Scheme already exists: BearerIdentityServerAuthenticationJwt. 最终使用了下面的方式。在ApiGateway项目中通过swagger也可以访问业务api了。
ActionisaOpt = option => { option.Authority = Configuration["IdentityService:Uri"]; option.RequireHttpsMetadata = Convert.ToBoolean(Configuration["IdentityService:UseHttps"]); option.ApiName = Configuration["IdentityService:ApiName"]; option.ApiSecret = Configuration["IdentityService:ApiSecret"]; option.SupportedTokens = SupportedTokens.Both; }; services.AddAuthentication().AddIdentityServerAuthentication(Configuration["IdentityService:DefaultScheme"], isaOpt);
但是配置中的IdentityService:DefaultScheme不可以是"Bearer",试验配置的是"IdentityBearer",不知为何不可以是"Bearer",不知道有没有懂这个的可以指点一二。
the end...