问题
I'm using Identity Server3 for my project, I currently have a website and api being protected by the Id server, this is working fine however because I'm storing the users in the Id Server database I can't really change any user's data from the website like changing the profile picture or any claim value.
In order to solve this I'm thinking in creating an API on top of IdServer, this API will manage the users, changing a password, retrieving users or changing anything related to a user basically, I want to create this API on the sample project where I have my IdServer using Owin mapping.
Right now I have my idServer in the /identity route like this
public class Startup
{
public void Configuration(IAppBuilder app)
{
Log.Logger = new LoggerConfiguration().MinimumLevel.Debug().WriteTo.Trace().CreateLogger();
app.Map("/identity", idserverApp =>
{
var efConfig = new EntityFrameworkServiceOptions
{
ConnectionString = "IdSvr3Config"
};
var options = new IdentityServerOptions
{
SiteName = "Identity server",
IssuerUri = ConfigurationManager.AppSettings["idserver:stsIssuerUri"],
PublicOrigin = ConfigurationManager.AppSettings["idserver:stsOrigen"],
SigningCertificate = Certificate.Get(),
Factory = Factory.Configure(efConfig),
AuthenticationOptions = AuthOptions.Configure(app),
CspOptions = new CspOptions { Enabled = false },
EnableWelcomePage=false
};
new TokenCleanup(efConfig, 3600 * 6).Start();
idserverApp.UseIdentityServer(options);
});
app.UseIdServerApi();
}
}
My api "middleware" is as this
**public static class IdServerApiExtensions
{
public static void UseIdServerApi(this IAppBuilder app, IdServerApiOptions options = null)
{
if (options == null)
options = new IdServerApiOptions();
if (options.RequireAuthentication)
{
var dic = app.Properties;
JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
app.UseIdentityServerBearerTokenAuthentication(
new IdentityServerBearerTokenAuthenticationOptions
{
Authority = "https://localhost:44302/identity", //here is the problem, it says not found even though I already mapped idServer to /identity
RequiredScopes = new[]
{
"idserver-api"
},
ValidationMode=ValidationMode.ValidationEndpoint
});
}
var config = new HttpConfiguration();
WebApiConfig.Register(config,options.RequireAuthentication);
app.UseNinjectMiddleware(() => NinjectConfig.CreateKernel.Value);
app.UseNinjectWebApi(config);
app.Use<IdServerApiMiddleware>(options);
}
}**
I know is possible I just don't know if it is a good idea to have the api on the same project or not and also I don't know how to do it.
- Is it a good idea to create this API to manage the users? If not what could I use?
- How can I create the proper settings to fire up the API under /api and at the same time use IdServer to protect this api?
Update
Adding ValidationMode=ValidationMode.ValidationEndpoint, fixed my problem, thanks to Scott Brady
Thanks
回答1:
The general advice from the Identity Server team is to run any admin pages or API as a separate project (Most recent example). Best practice would be only to give your Identity Server and identity management applications access to your identity database/store.
To manage your users, yes, you could write your own API. Other options would be to contain it to a single MVC website or to use something like Identity Manager.
You can still use the same application approach however, using the OWIN map. To secure this you could use the IdentityServer3.AccessTokenValidation package, using code such as:
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
Authority = ConfigurationManager.AppSettings["idserver:stsOrigen"],
RequiredScopes = new[] { "adminApi" },
ValidationMode = ValidationMode.ValidationEndpoint
});
来源:https://stackoverflow.com/questions/38236876/identity-server-and-web-api-for-user-management