1.配置两种认证方式
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
services.AddAuthentication(options =>
{
options.DefaultScheme = "Cookies";
options.DefaultChallengeScheme = "oidc";
}) .AddCookie("Cookies")
.AddOpenIdConnect("oidc", options =>
{
options.SignInScheme = "Cookies";
options.Authority = GZSetting.ApiAuthIp;
options.RequireHttpsMetadata = false;
options.ClientId = GZSetting.MvcClientId;
options.ClientSecret = GZSetting.ClientSecret;
options.ResponseType = "code id_token";
options.Scope.Clear();
options.Scope.Add("openid");
options.Scope.Add(GZSetting.ApiName);
//options.Scope.Add("roles");
options.SaveTokens = true;
options.GetClaimsFromUserInfoEndpoint = true; options.ClaimActions.MapUniqueJsonKey("role", "role"); })
.AddIdentityServerAuthentication("Bearer", options =>
{
options.RequireHttpsMetadata = false;
options.Authority = GZSetting.ApiAuthIp;
options.ApiName = GZSetting.ApiName;
});
2.配置授权策略
services.AddAuthorization(option =>
{
//默认 只写 [Authorize],表示使用oidc进行认证
option.DefaultPolicy = new AuthorizationPolicyBuilder("oidc").RequireAuthenticatedUser().Build();
//ApiController使用这个 [Authorize(Policy = "ApiPolicy")],使用jwt认证方案
option.AddPolicy("ApiPolicy", policy =>
{
policy.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme);
policy.RequireAuthenticatedUser();
});
});
3.给Webapi的控制器添加授权标签
[Authorize(Policy = "ApiPolicy")]
[Route("api/[controller]/[action]")]
[ApiController]
public class TestInfoController : ControllerBase
4.如果一个控制器要求Jwt认证或OpenId认证(当在普通控制器中写Api接口时,就需要这样写)
[Authorize(AuthenticationSchemes = "Bearer,Cookies")]
public class KeyValueStoresController : Controller