diff --git a/Tiobon.Core.Extensions/ServiceExtensions/AuthorizationSetup.cs b/Tiobon.Core.Extensions/ServiceExtensions/AuthorizationSetup.cs
index 3b553bd0..4c861827 100644
--- a/Tiobon.Core.Extensions/ServiceExtensions/AuthorizationSetup.cs
+++ b/Tiobon.Core.Extensions/ServiceExtensions/AuthorizationSetup.cs
@@ -1,99 +1,95 @@
-using Tiobon.Core.AuthHelper;
-using Tiobon.Core.Common;
-using Tiobon.Core.Common.AppConfig;
+using System.Security.Claims;
+using System.Text;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
-using System;
-using System.Collections.Generic;
-using System.Security.Claims;
-using System.Text;
-using System.Security;
+using Tiobon.Core.AuthHelper;
+using Tiobon.Core.Common;
+using Tiobon.Core.Common.AppConfig;
-namespace Tiobon.Core.Extensions
+namespace Tiobon.Core.Extensions;
+
+///
+/// 系统 授权服务 配置
+///
+public static class AuthorizationSetup
{
- ///
- /// 系统 授权服务 配置
- ///
- public static class AuthorizationSetup
+ public static void AddAuthorizationSetup(this IServiceCollection services)
{
- public static void AddAuthorizationSetup(this IServiceCollection services)
+ if (services == null) throw new ArgumentNullException(nameof(services));
+
+ // 以下四种常见的授权方式。
+
+ // 1、这个很简单,其他什么都不用做, 只需要在API层的controller上边,增加特性即可
+ // [Authorize(Roles = "Admin,System")]
+
+
+ // 2、这个和上边的异曲同工,好处就是不用在controller中,写多个 roles 。
+ // 然后这么写 [Authorize(Policy = "Admin")]
+ services.AddAuthorization(options =>
+ {
+ options.AddPolicy("Client", policy => policy.RequireRole("Client").Build());
+ options.AddPolicy("Admin", policy => policy.RequireRole("Admin").Build());
+ options.AddPolicy("SystemOrAdmin", policy => policy.RequireRole("Admin", "System"));
+ options.AddPolicy("A_S_O", policy => policy.RequireRole("Admin", "System", "Others"));
+ });
+
+
+
+
+ #region 参数
+ //读取配置文件
+ var symmetricKeyAsBase64 = AppSecretConfig.Audience_Secret_String;
+ var keyByteArray = Encoding.ASCII.GetBytes(symmetricKeyAsBase64);
+ var signingKey = new SymmetricSecurityKey(keyByteArray);
+ var Issuer = AppSettings.app(new string[] { "Audience", "Issuer" });
+ var Audience = AppSettings.app(new string[] { "Audience", "Audience" });
+ var ExpirationHourString = AppSettings.app(new string[] { "Audience", "ExpirationHour" });
+ var ExpirationHour = string.IsNullOrWhiteSpace(ExpirationHourString) ? 4 : Convert.ToInt32(ExpirationHourString) + 1;
+ var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);
+
+ // 如果要数据库动态绑定,这里先留个空,后边处理器里动态赋值
+ var permission = new List();
+
+ // 角色与接口的权限要求参数
+ var permissionRequirement = new PermissionRequirement(
+ "/api/denied",// 拒绝授权的跳转地址(目前无用)
+ permission,
+ ClaimTypes.Role,//基于角色的授权
+ Issuer,//发行人
+ Audience,//听众
+ signingCredentials,//签名凭据
+ expiration: TimeSpan.FromSeconds(60 * 60 * ExpirationHour)//接口的过期时间
+ );
+ #endregion
+ // 3、自定义复杂的策略授权
+ services.AddAuthorization(options =>
{
- if (services == null) throw new ArgumentNullException(nameof(services));
-
- // 以下四种常见的授权方式。
-
- // 1、这个很简单,其他什么都不用做, 只需要在API层的controller上边,增加特性即可
- // [Authorize(Roles = "Admin,System")]
-
-
- // 2、这个和上边的异曲同工,好处就是不用在controller中,写多个 roles 。
- // 然后这么写 [Authorize(Policy = "Admin")]
- services.AddAuthorization(options =>
- {
- options.AddPolicy("Client", policy => policy.RequireRole("Client").Build());
- options.AddPolicy("Admin", policy => policy.RequireRole("Admin").Build());
- options.AddPolicy("SystemOrAdmin", policy => policy.RequireRole("Admin", "System"));
- options.AddPolicy("A_S_O", policy => policy.RequireRole("Admin", "System", "Others"));
- });
-
-
-
-
- #region 参数
- //读取配置文件
- var symmetricKeyAsBase64 = AppSecretConfig.Audience_Secret_String;
- var keyByteArray = Encoding.ASCII.GetBytes(symmetricKeyAsBase64);
- var signingKey = new SymmetricSecurityKey(keyByteArray);
- var Issuer = AppSettings.app(new string[] { "Audience", "Issuer" });
- var Audience = AppSettings.app(new string[] { "Audience", "Audience" });
- var ExpirationHourString = AppSettings.app(new string[] { "Audience", "ExpirationHour" });
- var ExpirationHour = string.IsNullOrWhiteSpace(ExpirationHourString) ? 4 : Convert.ToInt32(ExpirationHourString);
- var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);
-
- // 如果要数据库动态绑定,这里先留个空,后边处理器里动态赋值
- var permission = new List();
-
- // 角色与接口的权限要求参数
- var permissionRequirement = new PermissionRequirement(
- "/api/denied",// 拒绝授权的跳转地址(目前无用)
- permission,
- ClaimTypes.Role,//基于角色的授权
- Issuer,//发行人
- Audience,//听众
- signingCredentials,//签名凭据
- expiration: TimeSpan.FromSeconds(240 * 60 * ExpirationHour)//接口的过期时间
- );
- #endregion
- // 3、自定义复杂的策略授权
- services.AddAuthorization(options =>
- {
- options.AddPolicy(Permissions.Name,
- policy => policy.Requirements.Add(permissionRequirement));
- });
-
-
- // 4、基于Scope策略授权
- //services.AddAuthorization(options =>
- //{
- // options.AddPolicy("Scope_TiobonModule_Policy", builder =>
- // {
- // //客户端Scope中包含Tiobon.core.api.TiobonModule才能访问
- // // 同时引用nuget包:IdentityServer4.AccessTokenValidation
- // builder.RequireScope("Tiobon.core.api.TiobonModule");
- // });
-
- // // 其他 Scope 策略
- // // ...
-
- //});
-
- // 这里冗余写了一次,因为很多人看不到
- services.AddSingleton();
- // 注入权限处理器
- services.AddScoped();
- services.AddSingleton(permissionRequirement);
- }
+ options.AddPolicy(Permissions.Name,
+ policy => policy.Requirements.Add(permissionRequirement));
+ });
+
+
+ // 4、基于Scope策略授权
+ //services.AddAuthorization(options =>
+ //{
+ // options.AddPolicy("Scope_TiobonModule_Policy", builder =>
+ // {
+ // //客户端Scope中包含Tiobon.core.api.TiobonModule才能访问
+ // // 同时引用nuget包:IdentityServer4.AccessTokenValidation
+ // builder.RequireScope("Tiobon.core.api.TiobonModule");
+ // });
+
+ // // 其他 Scope 策略
+ // // ...
+
+ //});
+
+ // 这里冗余写了一次,因为很多人看不到
+ services.AddSingleton();
+ // 注入权限处理器
+ services.AddScoped();
+ services.AddSingleton(permissionRequirement);
}
}