.NET Core 3.1 IdentityServer4 (implementing Microsoft login)

Posted from desktop on 2021/1/20 16:03

![.netcore](https://img.tnblog.net/arcimg/hb/c857299a86d84ee7b26d181a31e58234.jpg ".netcore")

Creating the authorized application
------------

tn>First, register an application in Azure: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview

![](https://img.tnblog.net/arcimg/hb/facc92b4a0ad4cb38c88781392812749.png)

tn>Under "Redirect URI", enter your development URL with `/signin-microsoft` appended, for example https://localhost:7200/signin-microsoft. The `Microsoft` authentication scheme configured later in this example automatically handles requests to the `/signin-microsoft` route to complete the `OAuth` flow.

![](https://img.tnblog.net/arcimg/hb/47b67638902a4e74873edfe20da8ebce.png)

tn>In the left pane, select `Certificates & secrets`. Under `Client secrets`, add a `New client secret` and copy the secret's `Value`.

![](https://img.tnblog.net/arcimg/hb/3702077f1fa4489e9b2a557039a17bf7.png)

tn>Then, on the `Overview` page, copy the `Application (client) ID`.

![](https://img.tnblog.net/arcimg/hb/8edb343f2e9c4f60bbc2fc829580a92f.png)

Configuring the authorization server
------------

>### Add the dependency package

tn>Add the Microsoft account authentication package to the authorization server:

```powershell
Install-Package Microsoft.AspNetCore.Authentication.MicrosoftAccount -Version 3.1.6
```

![](https://img.tnblog.net/arcimg/hb/e208d3aa75c44fdcbdfa251ed604298a.png)

>### Add the configuration

tn>In `Startup.cs`, add the corresponding client ID and the client secret value:

```csharp
services.AddAuthentication()
    .AddMicrosoftAccount(microsoftOptions =>
    {
        // Application (client) ID
        microsoftOptions.ClientId = "125e5c7a-20d1-49ca-8b58-11bb4b994707";
        // Client secret value
        microsoftOptions.ClientSecret = "G_AU4Ap.EKDa.PVu4m0v4Z4tq.Ye~5q3OH";
        // Must match the redirect URI registered in Azure
        microsoftOptions.CallbackPath = "/signin-microsoft";
    });
```

Test run
------------

![](https://img.tnblog.net/arcimg/hb/3152c1d5e2004f7eb77e8a4462d8f4a2.png)

![](https://img.tnblog.net/arcimg/hb/31db83944ff74c9cbb51e279c6db6bc1.png)

![](https://img.tnblog.net/arcimg/hb/35d9b8e5cec84a088f723d940b9dd63c.png)

![](https://img.tnblog.net/arcimg/hb/6f7bfad127554b0f9f20f91f41261c61.png)

![](https://img.tnblog.net/arcimg/hb/8618537a622c4da88ebd242bd1bb900a.png)

Other notes
------------

>### Store the Microsoft client ID and secret

tn>Use the `Secret Manager` to store sensitive settings such as the `Microsoft` client `ID` and secret value. In the authorization server's project directory, open `Bash` or `PowerShell` and enable secret storage:

```bash
dotnet user-secrets init
```

![](https://img.tnblog.net/arcimg/hb/8c7b2578356145329cf3f0c59c55ba37.png)

tn>The project file then gets a random GUID as its `UserSecretsId`, which is used to look up our secret values.

![](https://img.tnblog.net/arcimg/hb/2d8ffb01a28e49b1b0fe18c3a0677c24.png)

tn>Next, store the sensitive settings in the local secret store under the keys `Authentication:Microsoft:ClientId` and `Authentication:Microsoft:ClientSecret`:

```bash
dotnet user-secrets set "Authentication:Microsoft:ClientId" "<client-id>"
dotnet user-secrets set "Authentication:Microsoft:ClientSecret" "<client-secret>"
```

tn>Finally, read `ClientId` and `ClientSecret` from the secrets:

```csharp
microsoftOptions.ClientId = Configuration["Authentication:Microsoft:ClientId"];
microsoftOptions.ClientSecret = Configuration["Authentication:Microsoft:ClientSecret"];
```

>### Signing out of the Microsoft account

tn2>See this <a href="https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow?WT.mc_id=Portal-Microsoft_AAD_RegisteredApps" target="_blank">document</a>. Here I simply redirect to a URL in the Logout action; the code is as follows:

```csharp
[HttpGet]
public async Task<IActionResult> Logout(string logoutId)
{
    if (logoutId == null)
    {
        logoutId = await _interaction.CreateLogoutContextAsync();
    }

    // Sign out of the local Identity cookie first
    await _signInManager.SignOutAsync();

    // IdentityServer validates PostLogoutRedirectUri against the client's registered URIs
    var logoutRequest = await _interaction.GetLogoutContextAsync(logoutId);
    var allurl = "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri="
                 + logoutRequest.PostLogoutRedirectUri;

    // End the Microsoft session as well, then return to the client
    return SignOut(
        new AuthenticationProperties
        {
            RedirectUri = allurl,
        },
        "Identity.Application",
        "Identity.External",
        "Identity.TwoFactorRememberMe",
        "Identity.TwoFactorUserId",
        "idsrv",
        "idsrv.external"
    );
}
```

>### Switching to an organizational application (work or school account sign-in)

tn2>Modify the configuration:

```csharp
// ClientId, ClientSecret and CallbackPath come from the secrets configured above
string ClientId = Configuration["Authentication:Microsoft:ClientId"];
string ClientSecret = Configuration["Authentication:Microsoft:ClientSecret"];
string CallbackPath = "/signin-microsoft";
string TenantId = Configuration.GetValue<string>("MicrosoftAccount:TenantId");

services.AddAuthentication()
    .AddMicrosoftAccount("mic", "Microsoft", microsoftOptions =>
    {
        microsoftOptions.ClientId = ClientId;
        microsoftOptions.ClientSecret = ClientSecret;
        microsoftOptions.CallbackPath = CallbackPath;
        // Tenant-specific endpoints instead of the default "common" endpoints
        microsoftOptions.AuthorizationEndpoint = $"https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/authorize";
        microsoftOptions.TokenEndpoint = $"https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token";
    });
```

tn2>`TenantId` accepts three values; the default is `common`, and here we set it to `organizations`:

| Value | Description |
| ------------ | ------------ |
| organizations | Signs in users with any work or school account. |
| common | Signs in users with any work or school account or a personal Microsoft account. |
| consumers | Signs in users with a personal Microsoft account only. |

tn>Note, however, that the supported account type must also be set under Authentication in the corresponding app registration in Azure.

![](https://img.tnblog.net/arcimg/hb/fb6940be718f4c17b180a6cfc9a4c72d.JPG)
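As an added example (not the post's code), the settings loaded from the Secret Manager and the tenant value can be checked once at startup, so a missing secret or a tenant outside the three values in the table fails with a clear message instead of surfacing on the first sign-in. The `MicrosoftSignInSettings` class and `MicrosoftSignInConfig` helper are assumptions; the configuration keys are the ones used above.

```csharp
using System;
using System.Linq;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Assumed options class bound from the "Authentication:Microsoft" section (user-secrets keys above).
public sealed class MicrosoftSignInSettings
{
    public string ClientId { get; set; }
    public string ClientSecret { get; set; }
    public string TenantId { get; set; } = "common";          // default described in the post
    public string CallbackPath { get; set; } = "/signin-microsoft";
}

public static class MicrosoftSignInConfig
{
    // The three symbolic tenants from the table; a concrete tenant GUID is also accepted.
    private static readonly string[] KnownTenants = { "common", "organizations", "consumers" };

    public static MicrosoftSignInSettings Load(IConfiguration configuration)
    {
        var settings = new MicrosoftSignInSettings();
        configuration.GetSection("Authentication:Microsoft").Bind(settings);

        if (string.IsNullOrWhiteSpace(settings.ClientId))
            throw new InvalidOperationException("Authentication:Microsoft:ClientId is not set; run dotnet user-secrets set.");
        if (string.IsNullOrWhiteSpace(settings.ClientSecret))
            throw new InvalidOperationException("Authentication:Microsoft:ClientSecret is not set; run dotnet user-secrets set.");
        if (!KnownTenants.Contains(settings.TenantId) && !Guid.TryParse(settings.TenantId, out _))
            throw new InvalidOperationException($"Unsupported TenantId '{settings.TenantId}'.");
        return settings;
    }

    // Registers the scheme exactly as the post does, but with the validated values.
    public static void Register(IServiceCollection services, IConfiguration configuration)
    {
        var ms = Load(configuration);
        services.AddAuthentication()
            .AddMicrosoftAccount("mic", "Microsoft", o =>
            {
                o.ClientId = ms.ClientId;
                o.ClientSecret = ms.ClientSecret;
                o.CallbackPath = ms.CallbackPath;
                o.AuthorizationEndpoint = $"https://login.microsoftonline.com/{ms.TenantId}/oauth2/v2.0/authorize";
                o.TokenEndpoint = $"https://login.microsoftonline.com/{ms.TenantId}/oauth2/v2.0/token";
            });
    }
}
```

Call `MicrosoftSignInConfig.Register(services, Configuration)` from `ConfigureServices`, with `TenantId` stored alongside the other two keys as `Authentication:Microsoft:TenantId`.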