Source: https://www.yuque.com/yuejiangliu/dotnet/qq7lgs
05 Resource Owner Password Credentials 授权.mp4 (93.5 MB)
Recap: Client Credentials
- The client application does not act on behalf of a user; the client application itself is effectively the resource owner
- Typically used for machine-to-machine communication
- The client must still authenticate itself
Token request:
```http
POST http://xxx/connect/token HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Content-Length: 116
Host: localhost:5000

grant_type=client_credentials
&scope=api1
&client_id=console+client
&client_secret=xxx
```
Token response:
```http
HTTP/1.1 200 OK
Date: Thu, 02 May 2019 03:52:13 GMT
Content-Type: application/json; charset=UTF-8
Server: Kestrel
Cache-Control: no-store, no-cache, max-age=0
Pragma: no-cache
Transfer-Encoding: chunked

{"access_token":"xxxxxx","expires_in":3600,"token_type":"Bearer"}
```
Resource Owner Password Credentials
- The resource owner's password credentials (for example, a username and password) are used directly to request an Access Token
- Typically used for legacy applications
- There must be a high degree of trust between the resource owner and the client application
- Use it only when no other grant type is available; avoid it wherever possible
Configuring the client in IdentityServer
Configure the OpenID-related resources and add the WPF Client:
```csharp
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

public static IEnumerable<IdentityResource> GetIdentityResources()
{
    return new IdentityResource[]
    {
        // The OpenID-related resources below must be added here before a client can request them
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
        new IdentityResources.Address(),
        new IdentityResources.Phone(),
        new IdentityResources.Email()
    };
}

...

public static IEnumerable<Client> GetClients()
{
    return new[]
    {
        // client credentials flow client
        ...

        // WPF client, password grant
        new Client
        {
            ClientId = "wpf client",
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            // Only a hash of the secret is stored
            ClientSecrets = { new Secret("wpf secret".Sha256()) },
            // Scopes this client is allowed to request; anything else is rejected
            AllowedScopes =
            {
                "api1",
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                IdentityServerConstants.StandardScopes.Email,
                IdentityServerConstants.StandardScopes.Address,
                IdentityServerConstants.StandardScopes.Phone
            }
        }
    };
}
```
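As an added example (not code from the course or from IdentityServer), here is a minimal Python model of how the token endpoint applies this client configuration to a grant_type=password request, in the same order IdentityServer checks it: client authentication, AllowedGrantTypes, AllowedScopes, then the resource owner's credentials. The console client's secret, the user store and the password values are constructed placeholders.

```python
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode

def sha256(value: str) -> str:
    """Store only a hash of each secret, like IdentityServer's Secret("...".Sha256()) (hex here)."""
    return hashlib.sha256(value.encode()).hexdigest()

# Client registry mirroring GetClients() above; the console client's secret is a constructed placeholder.
CLIENTS = {
    "console client": {"grants": {"client_credentials"}, "secret": sha256("console-secret-PLACEHOLDER"),
                       "scopes": {"api1"}},
    "wpf client": {"grants": {"password"}, "secret": sha256("wpf secret"),
                   "scopes": {"api1", "openid", "profile", "email", "address", "phone"}},
}
# Constructed resource-owner store; IdentityServer would call its own resource-owner password validator.
USERS = {"alice": sha256("alice-P@ssw0rd")}

def build_password_request(client_id, client_secret, username, password, scope):
    """Form body the WPF client POSTs to /connect/token for the password grant."""
    return urlencode({"grant_type": "password", "client_id": client_id, "client_secret": client_secret,
                      "username": username, "password": password, "scope": scope})

def token_endpoint(body: str) -> dict:
    """Apply the client configuration to one token request; returns a token or an RFC 6749 error."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    client = CLIENTS.get(form.get("client_id", ""))
    # Client authentication comes first: an unknown client or a wrong secret is invalid_client.
    if client is None or not secrets.compare_digest(client["secret"], sha256(form.get("client_secret", ""))):
        return {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant not in {"client_credentials", "password"}:
        return {"error": "unsupported_grant_type"}
    # AllowedGrantTypes: the console client may not use the password grant, and vice versa.
    if grant not in client["grants"]:
        return {"error": "unauthorized_client"}
    # AllowedScopes: every requested scope must be configured for this client.
    requested = set(form.get("scope", "").split())
    if not requested or not requested <= client["scopes"]:
        return {"error": "invalid_scope"}
    if grant == "password":
        # The resource owner's own credentials are checked only after the client itself is trusted.
        user_hash = USERS.get(form.get("username", ""))
        if user_hash is None or not secrets.compare_digest(user_hash, sha256(form.get("password", ""))):
            return {"error": "invalid_grant"}
    # Opaque placeholder token; IdentityServer would issue a JWT carrying the granted scopes.
    return {"access_token": secrets.token_urlsafe(32), "expires_in": 3600, "token_type": "Bearer"}
```

Note that in the password grant the client sees the user's plaintext password on the way through, which is why the trust requirement above is non-negotiable.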

