.NET Gateway in Practice with Envoy and Kong (course)

What is OAuth2 authentication?

Put simply, OAuth is an authorization mechanism. The owner of some data tells the system that it consents to a third-party application entering the system and fetching that data. The system then issues a short-lived access token, which the third-party application uses in place of a password. IdentityServer4 is an open-source OAuth2 authentication server. Once the gateway is integrated with IdentityServer4, we no longer need to integrate IdentityServer4 into each internal microservice, which removes a lot of duplicated work; this is one of the important advantages of a gateway.

Creating the IdentityServer4 service

1. Create a new WebApi project and add the IdentityServer4 NuGet package.

2. Add the signing certificate. The certificate files are created with openssl.

2.1 Install the certificate generator for your operating system from https://slproweb.com/products/Win32OpenSSL.html

2.2 Change to the openssl installation directory and generate the certificate. At every prompt (Country Name (2 letter code) [AU]: and the ones that follow) just press Enter to skip:

```sh
openssl req -newkey rsa:2048 -nodes -keyout chester.key -x509 -days 365 -out chester.cer
openssl pkcs12 -export -in chester.cer -inkey chester.key -out chester.pfx
```

3. Add the configuration class:

```csharp
using System.Collections.Generic;
using IdentityModel;
using IdentityServer4.Models;

public class Config
{
    public static IEnumerable<ApiResource> GetApiResources()
    {
        return new List<ApiResource>
        {
            new ApiResource("api1", "我的第一个API")
            {
                UserClaims = { JwtClaimTypes.Audience },
                Scopes = new List<string> { "api" },
            }
        };
    }

    public static IEnumerable<Client> GetClients()
    {
        return new List<Client>
        {
            new Client
            {
                ClientId = "client",                                  // client ID
                ClientSecrets = { new Secret("secret".Sha256()) },     // client secret
                AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,  // resource owner password grant; see GrantTypes for the other grant types
                AllowedScopes = { "api" }                              // scopes this client is allowed to access
            }
        };
    }

    public static IEnumerable<ApiScope> ApiScopes = new ApiScope[] { new ApiScope("api") };

    public static IEnumerable<IdentityResource> GetIdentityResources()
    {
        return new IdentityResource[]
        {
            new IdentityResources.OpenId()
        };
    }
}
```

4. Register IdentityServer4:

```csharp
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using IdentityServer4.Test;
using Microsoft.Extensions.DependencyInjection;

public void ConfigureServices(IServiceCollection services)
{
    services.AddIdentityServer()                                   // register the service
        //.AddDeveloperSigningCredential()
        .AddSigningCredential(new X509Certificate2("chester.pfx", "123456"))
        .AddInMemoryApiResources(Config.GetApiResources())         // API resources defined in the Config class
        .AddInMemoryClients(Config.GetClients())                   // clients defined in the Config class
        .AddInMemoryApiScopes(Config.ApiScopes)
        .AddTestUsers(new List<TestUser>
        {
            new TestUser { Username = "Admin", Password = "123456", SubjectId = "001", IsActive = true }
        }); // mock test user; a shortcut here, users should be managed separately rather than created inline
    services.AddControllers();
}
```

5. Enable the IdentityServer4 middleware:

```csharp
app.UseIdentityServer(); // add the middleware
```

6. Start the IdentityServer4 service.

Configuring Envoy

We use Envoy's envoy.filters.http.jwt_authn filter. A few points to note:

- Envoy loads filters from top to bottom, so this filter must be placed before envoy.filters.http.router.
- The configuration must point at the JWT issuer's JWKS address, /.well-known/openid-configuration/jwks. A JWKS (JSON Web Key Set) is a JSON representation used to share public keys; it is what verifies the JWT signature.
- A cluster for the ids4 service must be configured.

The full configuration follows (the parts to pay attention to are the jwt_authn filter and the jwtserver cluster):

```yaml
admin:
  address:
    socket_address:
      protocol: TCP
      address: 0.0.0.0
      port_value: 9902
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          scheme_header_transformation:
            scheme_to_overwrite: http
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  host_rewrite_literal: 192.168.43.94
                  cluster: service_envoyproxy_io
          http_filters:
          - name: envoy.filters.http.jwt_authn
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
              providers:
                jwt_provider:
                  issuer: http://192.168.43.94:7000
                  audiences:
                  - api1
                  forward: true
                  remote_jwks:
                    http_uri:
                      uri: http://192.168.43.94:7000/.well-known/openid-configuration/jwks
                      cluster: jwtserver
                      timeout: 5s
              rules:
              - match:
                  prefix: "/"
                requires:
                  provider_name: jwt_provider
          - name: envoy.filters.http.router
  clusters:
  - name: jwtserver
    connect_timeout: 0.25s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: jwtserver
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 192.168.43.94
                port_value: 7000
  - name: service_envoyproxy_io
    connect_timeout: 30s
    type: strict_dns
    # Comment out the following line to test on v6 networks
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: service_envoyproxy_io
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 192.168.43.94
                port_value: 5000
```

Start Envoy:

```sh
docker run --rm -it -p 9902:9902 -p 10000:10000 -v D:/gateway/envoy/config/static/:/etc/envoy/ -v D:/gateway/envoy/logs:/logs envoyproxy/envoy-dev -c /etc/envoy/envoy-jwt.yaml
```

Verifying the JWT

Call http://192.168.43.94:10000/Name directly without a token: the request is rejected with a 401. Now call the ids4 /connect/token endpoint to obtain a token, put that token in the header of the request to the Name endpoint and call it again; this time it succeeds.

With that, Envoy + IdentityServer4 gives us JWT authentication at the gateway. The internal microservices no longer each have to integrate with IdentityServer4, and the authentication logic is handled in one place.
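To make the filter's behaviour concrete, the following Python script is added here as an illustration (it is not code from the course, from Envoy or from IdentityServer4). The authenticate function models what the jwt_provider configured above does with an incoming request: it looks the token's kid up in the JWKS, verifies the RS256 signature with the public key found there, then checks iss against the provider's issuer, aud against its audiences, and exp. The issuer side (key generation, the JWKS document and token minting, standing in for ids4's jwks and /connect/token endpoints) is a toy built into the script so that it runs offline: the 1024-bit key, the kid "demo-kid" and the subject are constructed values, the RSA and Miller-Rabin code is demonstration code rather than a production library, and pow(e, -1, phi) needs Python 3.8 or later.

```python
import base64
import hashlib
import hmac
import json
import random

# Values taken from the Envoy jwt_provider above.
ISSUER = "http://192.168.43.94:7000"
AUDIENCES = ["api1"]
DIGEST_INFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo, RFC 8017

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin on an odd n; fine for a toy key, not a substitute for a real crypto library."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    # Odd candidates with the top bit set, drawn until one passes the primality test.
    candidates = iter(lambda: random.getrandbits(bits) | (1 << (bits - 1)) | 1, None)
    return next(c for c in candidates if _is_probable_prime(c))

def generate_rsa_key(bits=1024):
    """Toy RSA key pair (constructed; 1024 bits keeps the demo fast, real keys are 2048+)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e != 0:
            return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _emsa_pkcs1_v15(message, k):
    # EMSA-PKCS1-v1_5 block of k bytes: 00 01 FF..FF 00 DigestInfo || SHA-256(message)
    t = DIGEST_INFO_SHA256 + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_rs256(key, message):
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(message, k), "big")
    return pow(em, key["d"], key["n"]).to_bytes(k, "big")

def verify_rs256(n, e, message, signature):
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(message, k))

def jwks_for(key, kid):
    """What ids4 publishes at /.well-known/openid-configuration/jwks: the public part only."""
    enc = lambda v: b64url(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": enc(key["n"]), "e": enc(key["e"])}]}

def issue_token(key, kid, audience, sub, now, lifetime=3600):
    """Stand-in for /connect/token: mint an RS256 JWT signed with the private key."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    claims = {"iss": ISSUER, "aud": audience, "sub": sub, "iat": now, "exp": now + lifetime, "scope": ["api"]}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    return signing_input + "." + b64url(sign_rs256(key, signing_input.encode()))

def authenticate(token, jwks, now):
    """jwt_authn's checks for jwt_provider: kid lookup, RS256 signature, iss, aud, exp -> (ok, reason)."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = dict(json.loads(b64url_decode(h))), dict(json.loads(b64url_decode(p))), b64url_decode(s)
    except (ValueError, TypeError):
        return False, "malformed token"
    if header.get("alg") != "RS256":
        return False, "unsupported alg"  # the token never gets to pick a weaker algorithm than the key set allows
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:
        return False, "unknown kid"  # the caller refreshes the JWKS periodically so rotated keys are picked up
    n, e = (int.from_bytes(b64url_decode(jwk[name]), "big") for name in ("n", "e"))
    if not verify_rs256(n, e, f"{h}.{p}".encode(), sig):
        return False, "bad signature"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud", [])
    if not set(aud if isinstance(aud, list) else [aud]) & set(AUDIENCES):
        return False, "wrong audience"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    return True, "ok"
```

Call generate_rsa_key(), jwks_for(key, "demo-kid") and issue_token(key, "demo-kid", "api1", "001", int(time.time())) to stand up the toy issuer; authenticate(token, jwks, int(time.time())) then returns (True, "ok") for a valid token and (False, reason) for each case the gateway answers with a 401: malformed token, non-RS256 alg, unknown kid, bad signature, wrong issuer or audience, expired token. The order of the checks is deliberate: signature first, so that no claim is trusted before it is known to come from the issuer, and the alg check before that, so that the token cannot steer verification towards an algorithm the key set does not declare.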