认证服务器，有关修改密码登出获取用户信息

实践/后端/项目/18.IdentityServer4中的修改密码、登出等.md

@@ -0,0 +1,451 @@
+# 了解IdentityServer4的原理
+
+首先在请求管道里有一个有关IdentityServer4的中间件，通过这个中间件来设施所有有关IdentityServer4的逻辑。
+```
+app.UseIdentityServer();
+```
+
+在DI容器里通过`services.AddDbContext<IdentityDbContext>()`有了上下文，通过`services.AddIdentity<IdentityUser, IdentityRole>`有了Identity，通过`services.AddIdentityServer()`有了IdentityServer4。其中的关系用图表示就是：
+
+![](./imgs/identityserver.png)
+
+IdentityServer4掌管着所有的用户。
+
+```
+public static IENumerable<TestUser> GetUsers()
+{
+    return enw List<TestUser>{
+        new TestUser{
+            SubjectId="1",
+            Username = "",
+            Passowrd=""
+            Claims = {
+                new Claim(JwtClaimTypes.Name,""),
+                new Claim(JwtClaimTypes.GivenName,""),
+                new Claim(JwtClaimTypes.FamilyName,""),
+                new Claim(JwtClaimTypes.Email, ""),
+                new Claim(JwtClaimTypes.EmailVerified, "true", ClaimValueTypes.Boolean),
+                new Claim(JwtClaimTypes.WebSite, ""),
+                new Claim(JwtClaimTypes.Address,@"", IdentityServer4.IdentityServerConstancts.ClaimValueTypes.Json),
+                new Claim(JwtClaimTypes.Role, GlobalSetting.Temp_Role_Manager),
+                new Claim("GroupId","1")
+            }
+        }
+    };
+}
+```
+以上`GroupId`是如何加上的呢？是通过`IProfileService`这个接口加上的。
+
+```
+public class ProfielService : IProfileService
+{
+    private readonly IUserClaimsPrincipalFactory<ApplicationUser> _claimsFactory;
+    private readonly UserManager<ApplicationUser> _userManager;
+    private readonly IHostingEnvironment _hostingEnvironment;
+
+    //构造函数略
+
+    public async Task GetProfileDataAsync(ProfileDataRequest context)
+    {
+        if(_hostingEnvironment.IsDevelopment())
+        {
+            context.IssuedClaims.AddRange(context.Subject.Claims);
+        }
+        else
+        {
+            //获取用户的SubjectId
+            var sub = context.Subject.GetSubjectId();
+            //获取用户
+            var user = await _userManager.FindByIdAsync(sub);
+            //获取用户的ClaimsPrincipal
+            var claims = await _claimsFactory.CreateAsync(user);
+            //获取用户的所有claim
+            var claims = principal.Claims.ToList();
+            claims = claims.Where(claim => context.RequestedClaimTypes.Contains(claim.Type)).ToList();
+            claims.Add(new Claim("GroupId", user.GroupId));
+            context.IssuedClaims = claims;
+        }
+    }
+
+    public async Task IsActiveAsync(IsActiveContext context)
+    {
+        if(!_hostingEnvironment.IsDevelopment())
+        {
+            var sub = context.Subject.GetSubjectId();
+            var user = await _userManager.FindByIdAsync(sub);
+            context.IsActive = user != null;
+        }
+    }
+}
+```
+
+以上，在上下文中有一个类型为`ClaimsPrincipal`的`Subject`属性，从`ClaimsPricipal`的`GetSubjectId`方法可以获取string类型的编号，把这个编号交给`UserManager`就获取到用户，把用户交给`IUserClaimsPrincipalFactory`获取`ClaimsPrincipal`,在其中包含所有的`Claim`。也就是：
+
+- 从上下文获取SubjectId
+- 从`UserManager`获取User
+- 从`IUserClaimsPrincipalFactory`获取`ClaimsPrincipal`
+- 从`ClaimsPrincipal`获取`Claims`
+
+IdentityServer4管理着所有的`IdentityResource`
+```
+public static IEnumerable<IdentityResource> GetIdentityResources()
+{
+    return new List<IdentityResource>{
+        new IdentityResource.OpenId(),
+        new IdentityResource.Profile(),
+        new IdentityResource.Address(),
+        new IdentityResource.Phone(),
+        new IdentityResource.Email(),
+        new IdentityResource("roles","角色",new List<string>{JwtClaimTypes.Role})
+    };
+}
+```
+
+IdentityServer4管理着所有的`ApiResource`
+```
+public static IEnumerable<ApiResource> GetApiResources()
+{
+    return new List<ApiResource>{
+        new ApiResource("for_moble","")
+    };
+}
+```
+
+IdentityServer4管理着所有的`Client`
+```
+public static IEnumerable<Client> GetClients()
+{
+    return new List<Client>{
+        new Client{
+            ClientId = "",
+            ClientSecrets = new List<Secret>{},
+            AllowedGrantTYpes = GrantTypes.ResourceOwnerPassowrd,
+            AllowedScopes = new List<string>{
+                "for_mobile",
+                IdentityServerConstants.StandardScopes.OpenId,
+                IdentityServerConstants.StandardScopes.Profile,
+                IdentityServerConstants.StandardScopes.Address,
+                IdentityServerConstants.StandardScopes.Email,
+                IdentityServerConstants.StandardScopes.Phone,
+                "roles" //这里和IdentityResource中的对应
+            }
+        }
+    };
+}
+```
+
+种子数据是如何加上的呢？
+
+```
+var host = CreateWebHostBuilder(args).Build();
+using(var scope = host.Services.CreateScope())
+{
+    var services = scope.ServiceProvider;
+
+    var userManager = services.GetRequestService<UserManager<ApplicationUser>>();
+    var roleManager = services.GetRequiredServce<RoleManager<ApplicationRole>>();
+    SeedData.EnsureSeedData(servcies, userManager, roleManager).Wait();
+}
+
+host.Run();
+```
+
+接着往下走
+```
+public static async Task EnsureSeedData(IServiceProvider serviceProvider, UserManager<ApplicationUser> userManager, RoleManager<ApplicationRole> roleManager)
+{
+    //先保证所有的上下文数据库完成了迁移
+    serviceProvider.GetRequestSerivce<ApplicationDbContext>().Database.Migrate();
+    serviceProvider.GetRequredService<ConfigurationDbContext>().Database.Migrate();
+    serviceProvider.GetRequriedService<PersistedGrantDbContext>().Database.Migrate();
+
+    //确认和ConfigurationDbContext相关的几张表
+    if(!context.Clients.Any())
+    {
+
+    }
+
+    if(!context.IdentityResources.Any())
+    {
+
+    }
+
+    if(!context.ApiResources.Any())
+    {
+
+    }
+
+    //种子化用户数据
+    if(!serviceProvider.GetRequredService<ApplicationDbContext>.Users.Any)
+    {
+
+    }
+}
+```
+
+最后客户端需要配置认证服务器。
+
+```
+services.AddAuthentication();
+app.UseAuthentication();
+```
+
+# 看一个例子
+
+> 在stackoverflow上提到了这样一个问题：有一台IdentityServer4的验证服务器，有多个Client, 当在某个Client的API中重置密码产生新的token,这个token在其它client就不生效了。
+
+更新密码产生新的token的写法：
+
+```
+var token = await _userManager.GeneratePasswordResetTokenAsync(appUser);
+```
+
+IdentityServer4的配置：
+```
+var migrationAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;
+
+services
+    .AddIdentity<ApplicationUser, IdentityRole>(options => {
+        options.Lockout.AllowedForNewUsers = true;
+        options.Lockout.DefaultLockoutTimeSpan = new System.TimeSpan(12,0,0);
+        options.Lockout.MaxFailedAccessAttempts = int.Parse(Configuration["MaxFailedAttempts"]);
+    })
+    .AddEntityFrameworkStores<ApplicationDbContext>()
+    .AddDefaultTOkenProviders();
+
+var builder = services.AddIdentityServer(options => {
+    options.Events.RaiseErrorEvents = true;
+    options.Events.RaiseInformationEvents = true;
+    options.Events.RaiseFailureEvents = true;
+    options.Events.RaiseSuccessEvents = ture;
+    options.Authentication.CookieSlidingExpiration = ture;
+})
+    .AddAspNetIdentity<ApplicationUser>()
+    .AddConfigurationStore(options => {
+        options.ConfigureDbContext = b =>
+            b.UseSqlServer(connectionString, sql => sql.MirationsAssembly(migrationAssembly));
+
+            options.DefaultSchemma = Globals.Some;
+    })
+    .AddOperationalStore(options => {
+        options.ConfigureDbContext = b => 
+            b.UseSqlServer(connectionString, sql => sql.MigrationAssembly(migrationAssembly));
+
+            options.DefaultSchema = "";
+            opitions.EnalbeTokenCleanup = true;
+            options.TokenCleanupInterval = 30;
+    })
+    .AddProfileServce<CustomProfileService>()
+    .AddSigninCredentialFromConfig();
+```
+
+在一个客户端的API的`Startup.cs`中
+```
+services.AddTransient<IUserStore<ApplicationUser>, UserStore<ApplicaitonUser, IdentityRole, ApplicationDBContext>>();
+services.AddTransient<IRoleStore<IdentityRole>, RoleStore<IdentityRole, ApplicatioDbContext>>();
+services.AddTransient<IPasswordHasher<ApplicationUser>, PasswordHasher<ApplicationUser>>();
+services.AddTransient<ILookupNormalizer, UpperInvariantLookupNomalizer>();
+servces.AddTransient<IdentityErrorDescriber>();
+
+var identityBuilder = new IdentityBuilder(typeof(Applicationuser), typeof(IdentityRole), services);
+identityBuilder.AddTokenProvider("Default", typeof(DataProtectorTokenProvider<ApplicationUser>));
+services.AddTransient<UserManager<ApplicationUser>>();
+```
+
+在底下的回复中，让所有客户端的API和IdentityServer4 实例使用同一个ASP.NET Core Data Protection。使用Redis缓存作为分布式缓存，让所有的客户端API和IdentityServer4在创建token的时候使用同样的key。在所有的`Startup.cs`中：
+
+```
+services.AddSession();
+services.Configure<RedisConfiguration>(Configuration.GetSection("redis"));//配置类全局公用
+services.AddDistributedRedisCache(options => {
+
+    options.Configuration = Configuration.GetValue<string>("redis:host");
+});//配置redis
+
+var redis = Connectionmultiplexer.Connect(Configuration.GetValue<string>("redis:host"));
+services.AddDataProtection()
+    .PersisteKeysToRedis(redis, "DataProtection-Keys")
+    .SetApplicationName();
+
+services.AddTransient<ICacheService, CacheService>();
+```
+
+在客户端API的请求管道中
+```
+app.UseAuthentication();
+app.UseSession();
+```
+
+在IdentityServer4的请求管道中
+```
+app.UseIdentityServer();
+app.UseSession();
+```
+
+也就是说在生成token的时候和DataProtection有关，让所有的客户端API和IdentityServer4使用同样的key是这里的解决思路。
+
+# 尝试
+
+在API的项目首先实现`IdentityUser`接口。
+
+```
+using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
+public class ApplicationUser : IdentityUser
+{
+    public bool IsAmin{get;set;}
+    public string DataEventRecourdsRole{get;set;}
+    public string SecuredFilesRole{get;set;}
+    public DateTime AccountExpires{get;set;}
+}
+```
+
+需要把新创建的`IdentityUser`放到DI容器中，并且配有上下文。
+
+```
+services.AddDbContext<ApplicationDbContext>(options => options.UseSqllite(Configuration.GetConnectionString("")));
+
+services.AddIdentity<ApplicationUser, IdentityRole>()
+    .AddEntityFrameworkStores<ApplicationDbContext>()
+    .AddDefaultTokenProviders();
+```
+
+在web中创建用户
+```
+
+private readonly UserManager<ApplicationUser> _userManager;
+private readonly SignInManager<ApplicationUser> _signInManager;
+
+[HttpPost]
+[AllowAnonymous]
+[ValidateAntiForgeryToken]
+public async Task<IActioinResult> Register(RegisterViewModel model, string returnUrl)
+{
+    ViewData["ReturnUrl"] = returnUrl;
+    if(ModelState.IsValid)
+    {
+        var dataEventsRole = "dataEventRecords.user";
+        var secureFilesRole = "securedFiles.user";
+        if(model.IsAdmin)
+        {
+            dataEventsRole = "dataEventRecourds.admin";
+            securedFilesRole = "securedFiles.admin";
+        }
+
+        var user = new ApplicationUser{
+            UserName = model.Email,
+            Email = model.Email,
+            IsAdmin = model.IsAdmin,
+            DataEventRecordsRole = dataEventsRole,
+            SecuredFilesRole = securedFilesRole,
+            AccountExpres = DateTime.UtcNow.AddDays(7.0)
+        };
+
+        var result = await _userManager.CreateAsync(user, model.Password);
+        if(result.Succeeded)
+        {
+            await _signInManager.SignInAsync(user, isPersistent:false);
+            _logger.LogInformation();
+            return RedirectToLocal(returnUrl);
+        }
+        AddErrors(result);
+    }
+    return View(model);
+}
+```
+
+在`ApplicationUser`中添加的属性如果要开放出去给到其它的客户端，需要通过`IProfileServce`。
+
+```
+public class IdentityWithAdditionalClaimsProfileService  : IProfileService
+{
+    private readonly IUserClaimsPrincipalFactory<ApplicationUser> _claimsFactory;
+    private readonly UserManager<ApplicationUser> _userManager;
+
+    public async Task GetPfoileDataAsync(ProfileDataRequestContext context)
+    {
+        var sub = context.Subject.GetSubjectId();
+        var user = await _userManager.FindByIdAsync(sub);
+        var principal = await _claimsFactory.CreateAsync(user);
+
+        var claims = principal.Claims.ToList();
+        claims = claims.Where(claim => context.RequestedClaimTypes.Containes(claim.Type)).ToList();
+        claims.Add(new Claim(JwtClaimTypes.GivenName, user.UserName));
+
+        if(user.IsAdmin)
+        {
+            claims.Add(new Claim(JwtClimTypes.Role, "admin"));
+        }
+        else
+        {
+            claims.Add(new Claim(JwtClaimTypes.Role,"user"));
+        }
+
+        if(user.DataEventRecordsRole == "dataEventRecords.admin")
+        {
+            claims.Add(new Cliam(JwtClaimTypes.Role, "dataEventRecords.admin"));
+            cliams.Add(new Claim(JwtClaimTypes.Role, "dataEventRecords.user"));
+            claims.Add(new Claim(JwtClaimTypes.Role, "dataEventRecords"));
+            claims.Add(new Claim(JwtClaimTypes.Scoe, "dataEventRecords"));
+        }
+        else
+        {
+
+        }
+        claims.Add(new Claim(IdentityServerConstants.StandardScopes.Email, user.Email));
+        context.IssuedClaims = claims;
+
+    }
+}
+```
+
+以上在`ApplicationUser`中的属性值被加到了claims中，在`Startup`中也可以加适当的policy.
+
+```
+services.AddAuthorization(options => {
+    options.AddPolicy("dataEventRecordsAdmin", policyAdmin => {
+        policyAdmin.RequireClaim("role","dataEventRecords.admin")
+    })
+})
+```
+
+最后Policy被用到控制器中。
+```
+[Authorize("policyname")]
+public class SomeController : Controller
+```
+
+接下来提供一个接口给外界调用。
+[Authorize]
+[Produces("application/json")]
+[Route(api/UserManagement)]
+public class UserManagementController : Controller
+{
+    private readonly ApplicationDbContext _context;
+
+    public IActionResult Get()
+    {
+        var users = _context.Users.ToList();
+        var result = new List<UserDto>();
+        return Ok(result);
+    }
+
+    public void Put(string id, [FromBody]UserDto userDto)
+    {
+        var user = _context.Users.First(t=>t.Id == id);
+        user.IsAdmin = userDto.IsAdmin;
+        if(userDto.IsActive)
+        {
+            if(user.AccountExpres < DateTime.UtcNow)
+            {
+                user.AccountExpres = DateTime.UtcNow.AddDays(7.0);
+            }
+        }
+        else
+        {
+            user.AccountExpires = new DateTime();
+        }
+
+        _context.Users.Update(user);
+        _context.SaveChanges();
+    }
+}