asp.net-core - 如何在 Linux 中使用带有 LetsEncript 证书的 IdentityServer4 进行身份验证?
问题描述
拜托,你能告诉我为生产配置签名证书的方法吗?
在开发中,webapp 运行良好,我在 Windows 中使用自证书。但是对于Linux中的生产,我不知道如何使用证书。实际上,我正在使用 LetsEncript,用于 https,并且作为 CA,我想我可以使用他们的证书与 IdentityServer 进行身份验证。
这就是我现在所拥有的。
IdentityServer Startup.cs 文件:
namespace IdentityServer
{
public class Startup
{
public IConfiguration Configuration { get; }
public IWebHostEnvironment Environment { get; }
public Startup(IConfiguration configuration, IWebHostEnvironment
environment)
{
Configuration = configuration;
Environment = environment;
}
public void ConfigureServices(IServiceCollection services)
{
services.AddControllersWithViews();
services.Configure<ForwardedHeadersOptions>(options =>
{
options.ForwardedHeaders = ForwardedHeaders.XForwardedFor |
ForwardedHeaders.XForwardedProto;
});
services.AddDbContext<IdentityDbContext>(
options => options.UseNpgsql(Configuration.GetConnectionString("IdentityConnect")));
services.AddScoped<IPasswordHasher<Entities.User>,
PasswordHasher<Entities.User>>();
services.AddScoped<ILocalUserService, LocalUserService>();
var builder = services.AddIdentityServer()
.AddInMemoryIdentityResources(Config.Ids)
.AddInMemoryApiResources(Config.Apis)
.AddInMemoryClients(Config.Clients);
builder.AddProfileService<LocalUserProfileService>();
if (Environment.IsDevelopment())
{
builder.AddSigningCredential(LoadCertificateFromStore());
}
IdentityModelEventSource.ShowPII = true;
}
public void Configure(IApplicationBuilder app)
{
app.UseForwardedHeaders();
if (Environment.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
app.UseHsts();
}
app.UseStaticFiles();
app.UseRouting();
app.UseIdentityServer();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapDefaultControllerRoute();
});
}
public X509Certificate2 LoadCertificateFromStore()
{
string thumbPrint = "73ppppp1958888886d772222270000dbddb1aa37";
using (var store = new X509Store(StoreName.My,
StoreLocation.LocalMachine))
{
store.Open(OpenFlags.ReadOnly);
var certCollection =
store.Certificates.Find(X509FindType.FindByThumbprint,
thumbPrint, true);
if (certCollection.Count == 0)
{
throw new Exception("The specified certificate wasn't found.");
}
return certCollection[0];
}
}
Appsetting.Json 文件:没有什么特别之处,只是身份服务器的连接字符串。
配置.cs文件:
namespace IdentityServer
{
public static class Config
{
public static IEnumerable<IdentityResource> Ids => new IdentityResource[]
{
...Irrelevant Code
}
public static IEnumerable<ApiResource> Apis => new ApiResource[]
{
...Irrelevant Code
}
public static IEnumerable<Client> Clients =>
new Client[]
{
new Client
{
AccessTokenType = AccessTokenType.Reference,
AccessTokenLifetime = 3600,
AllowOfflineAccess = true,
UpdateAccessTokenClaimsOnRefresh = true,
ClientName = "WebApp",
ClientId = "webapp",
RequireConsent = false,
AllowedGrantTypes = GrantTypes.Code,
RequirePkce = true,
RedirectUris = new List<string>()
{
// Shoud I use here a domain for production like https://www.example.com:44300/signin-oidc ?
"https://localhost:44300/signin-oidc"
},
PostLogoutRedirectUris = new List<string>()
{
// Shoud I use here a domain for production like https://www.example.com:44300/signout-callback-oidc ?
"https://localhost:44300/signout-callback-oidc"
},
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Address,
"subscriptionlevel"
},
ClientSecrets =
{
new Secret("fakesecret".Sha256())
}
} };
解决方案
理论上,您可以对签名和 HTTPS 使用相同的私钥,但为了简单起见,我建议您将它们分开。例如,您可以独立地旋转键(更改键)。令牌唱歌和 HTTPS 都依赖于私钥/公钥,因此有很多共同的概念。
推荐阅读
- apache-kafka - 如何计算 KSQL / KSQLDB LAG/LEAD 中两行之间的差异?
- vue.js - 如何在 ionic vue 中禁用标签导航的网络历史记录
- c# - 如何从 C# 中的输入 json 中获取键值
- node.js - 如何在 discord.js 中发送超链接
- java - 将拦截器 jar 文件注入我的 Spring Boot 项目
- php - 使用 PhpSpreadsheet 添加占位符文本
- python - Python在子字符串中查找字符串
- python - AttributeError:模块“tensorflow.python.keras.engine.training”没有属性“_disallow_inside_tf_function”
- sql - SQL Server 中的索引视图不使用索引
- wix - 如何强制参数到 WiX MSI /norestart