5- ASP.NET Core 2.1 InMemoryIden

1. UnitTest async method Example

    [TestClass]
    public class UnitTest1
    {
        [TestMethod]
        public void Test()
        {
            Task.Run(async () => { await ClientCredentials_Test(); }).GetAwaiter().GetResult();
        }

        public async Task ClientCredentials_Test()
        {
            // call api
            var client = new HttpClient();
            var response = await client.GetAsync("http://localhost:53560/values");
            //Assert.IsTrue(response.IsSuccessStatusCode);   this will not pass
            var content = await response.Content.ReadAsStringAsync();
            Console.WriteLine(content);
            // DiscoveryClient need reference to nuget package [IdentityModel]
            // request token
            var disco = await DiscoveryClient.GetAsync("http://localhost:53560");
            var tokenClient = new TokenClient(disco.TokenEndpoint, "client", "secret");
            var tokenResponse = await tokenClient.RequestClientCredentialsAsync("api1");

            Assert.IsFalse(tokenResponse.IsError);
            Console.WriteLine(tokenResponse.Json);

            // call api
            client = new HttpClient();
            client.SetBearerToken(tokenResponse.AccessToken);
            response = await client.GetAsync("http://localhost:53560/values");
            Assert.IsTrue(response.IsSuccessStatusCode);
            content = await response.Content.ReadAsStringAsync();
            Console.WriteLine(content);
        }
    }

2. Click Here 查看 Identity Server 4 with ASP.NET Core 2.0 的一个教程

术语定义【IdentityServer 是对 OAuth2 and OpenID 的一种实现】

• User: Person using a Client and the owner of Protected Resource 使用客户端访问限制资源的用户
• Client: The application that needs access to Protected Resource 需要访问限制资源的程序
• Protected Resource: The resource being protected from unauthorised access (e.g. Web API) 限制访问的资源，例如 Web api 等
• Server: Server that authorizes User and returns Access Tokens 提供用户验证和授权的服务器
• Access Token: A secret key used to access Protected Resource 用来访问限制资源的密钥
• Scopes: Values based on which access to Protected Resource features is limited 用来限制用户可以获取的资源范围【You can think about scopes as intent of the client, for example: The Client ask you to use your resource owner to grant me access to your openid scopes > given_name, email & prefered_username and your OAuth2 scope > WebApi.】
• Redirect URI: Location where User returns after Auth. Server completes authorization 验证服务器完成授权后重定向到的位置
• Client ID: Client’s identifier registered with the Auth. Server 客户端注册的id
• Client Secret: Client’s secret registered with the Auth. Server. This must be kept confidential 客户端注册的密钥
  关于这方面的内容可以参考视频课程
• Building and Securing a RESTful API for Multiple Clients in ASP.NET
• OAuth2 and OpenID Connect Strategies for AngularJS and ASP.NET

3. Oauth2 Flows

这篇文章讲的比较好，参考下

• Authorization Code Flow 此模式类似于平常网站看到的授权使用QQ、微信等登录方式
  1_ULF38OTiNJNQZ4lHQZqRwQ.png
  A client application ：
  (a) makes an authorization request to an authorization endpoint,
  (b) receives a short-lived authorization code,
  (c) makes a token request to a token endpoint with the authorization code, and
  (d) gets an access token.

---

(a) User accesses the Client.
(b) User is redirected to Auth. Server.
(c) User provides username/password.
(d) User is redirected back to Client with a code.

Note: Code is exposed to the user.

(e) Client accesses the Auth. Server to exchange the code with an Access Token.

Note: Access Token is not exposed to the user.

(f) Client access the Protected Resource using the Access Token.

• Implicit Flow 与上面类似，只不过没有了获取 authorization code 的步骤
  1__7h6INaOWSvRVzDKK5x9Zw.png
  A client application ：
  (a) makes an authorization request to an authorization endpoint and
  (b) gets an access token directly from the authorization endpoint.

---

(a) User accesses the Client.
(b) User is redirected to Auth. Server.
(c) User provides username/password.
(d) User is redirected back to Client with an Access Token.

Note: Access Token is exposed to the user.

(e) Client access the Protected Resource using the Access Token.

• Resource Owner Password Credentials Flow 直接在客户端输入用户名和密码，然后用用户名和密码去第三方服务器做验证，获取 access token
  1_UqiPF3HCsBU5IgCj1xV9dQ.png
  A client application ：
  (a) makes a token request to a token endpoint and
  (b) gets an access token. In this flow, a client application accepts a user's ID and password although the primary purpose of OAuth 2.0 is to give limited permissions to a client application WITHOUT revealing the user's credentials to the client application.

---

(a) User accesses the Client and provides username/password.

Note: username/password is exposed to the Client.

(b) Client accesses the Auth. Server to exchange username/password with an Access Token.
(c) Client accesses the Protected Resource using the Access Token.

• Client Credentials Flow 这个模式校验客户端，每个客户端有一个私有的id和secret，利用它们来获取 access token 再进行后续资源访问
  

  1_h5J_bXpLtqNg9zQ5JenIOQ.png
  A client application ：
  (a) makes a token request to a token endpoint and
  (b) gets an access token. In this flow, user authentication is not performed and client application authentication only is performed.

• Refresh Token Flow 在之前authorization request阶段会同时获取到 access token 和一个 refresh token，这里就可以利用 refresh token 重新获取一个 access token
  

  1_g2b5fpKje2piDKI4ZkW-4w.png
  A client application ：
  (a) presents a refresh token to a token endpoint and
  (b) gets a new access token.

4. github code

• CLICK HERE
• 运行测试
  进入目录【Fiver.Security.AuthServer】，运行 dotnet run
  
  进入目录【Fiver.Security.AuthServer.Api】，运行 dotnet run
  20180729121719.png
  然后在 Visual Studio 中 debug 运行项目【Fiver.Security.AuthServer.Client】即可
  20180729121849.png