一、前言
回顧:基于.NetCore3.1系列 —— 認證授權方案之授權揭秘 (上篇)
在上一篇中,主要講解了授權在配置方面的源碼,從添加授權配置開始,我們引入了需要的授權配置選項,而不同的授權要求建構不同的政策方式,進而實作一種自己滿意的授權需求配置要求。
在這一節中,繼續上一篇的内容往下深入了解授權内部機制的奧秘以及是如何實作執行授權流程的。
二、說明
在上一篇中,我們通過定義授權政策,檢視源碼發現,在對授權配置AuthorizationOptions之後,授權系統通過DI的方式注冊了幾個核心的預設實作。
![](https://img.laitimes.com/img/9ZDMuAjOiMmIsIjOiQnIsISPrdEZwZ1Rh5WNXp1bwNjW1ZUba9VZwlHdsATOfd3bkFGazxCMx8VesATMfhHLlN3XnxCMwEzX0xiRGZkRGZ0Xy9GbvNGLpZTY1EmMZVDUSFTU4VFRR9Fd4VGdsYTMfVmepNHLrJXYtJXZ0F2dvwVZnFWbp1zczV2YvJHctM3cv1Ce-cmbw5yN0UTNiVjMlNTM4QGOxcDOlRWNlljM4ETYmRDZjNWY38CX0IzLcRDMxIDMy8CXn9Gbi9CXzV2Zh1WavwVbvNmLvR3YxUjL1M3Lc9CX6MHc0RHaiojIsJye.png)
之前我們進行對步驟一的授權有了大概了解,是以下面我們将對步驟二進行的注冊對象進行說明。
三、開始
3.1 IAuthorizationService
授權服務接口,用來确定授權是否成功的主要服務,接口的定義為
public interface IAuthorizationService
{
TaskAuthorizeAsync(ClaimsPrincipal user, object resource, IEnumerablerequirements);
TaskAuthorizeAsync(ClaimsPrincipal user, object resource, string policyName);
}
兩個接口的參數不同之處在于IAuthorizationRequirement和policyName,分别是指定資源的一組特定要求和指定的授權名稱。
同時asp.net core還為IAuthorizationService 接口拓展了幾個方法:
public static class AuthorizationServiceExtensions
{
public static TaskAuthorizeAsync(this IAuthorizationService service, ClaimsPrincipal user, object resource, IAuthorizationRequirement requirement)
{
if (service == null)
{
throw new ArgumentNullException(nameof(service));
}
if (requirement == null)
{
throw new ArgumentNullException(nameof(requirement));
}
return service.AuthorizeAsync(user, resource, new IAuthorizationRequirement[] { requirement });
}
public static TaskAuthorizeAsync(this IAuthorizationService service, ClaimsPrincipal user, object resource, AuthorizationPolicy policy)
{
if (service == null)
{
throw new ArgumentNullException(nameof(service));
}
if (policy == null)
{
throw new ArgumentNullException(nameof(policy));
}
return service.AuthorizeAsync(user, resource, policy.Requirements);
}
public static TaskAuthorizeAsync(this IAuthorizationService service, ClaimsPrincipal user, AuthorizationPolicy policy)
{
if (service == null)
{
throw new ArgumentNullException(nameof(service));
}
if (policy == null)
{
throw new ArgumentNullException(nameof(policy));
}
return service.AuthorizeAsync(user, resource: null, policy: policy);
}
public static TaskAuthorizeAsync(this IAuthorizationService service, ClaimsPrincipal user, string policyName)
{
if (service == null)
{
throw new ArgumentNullException(nameof(service));
}
if (policyName == null)
{
throw new ArgumentNullException(nameof(policyName));
}
return service.AuthorizeAsync(user, resource: null, policyName: policyName);
}
}
接口的預設實作為DefaultAuthorizationService
DefaultAuthorizationService的實作主要是用來對 IAuthorizationRequirement對象的授權檢驗。
public class DefaultAuthorizationService : IAuthorizationService
{
private readonly AuthorizationOptions _options;
private readonly IAuthorizationHandlerContextFactory _contextFactory;
private readonly IAuthorizationHandlerProvider _handlers;
private readonly IAuthorizationEvaluator _evaluator;
private readonly IAuthorizationPolicyProvider _policyProvider;
private readonly ILogger _logger;
public DefaultAuthorizationService(IAuthorizationPolicyProvider policyProvider, IAuthorizationHandlerProvider handlers, ILoggerlogger, IAuthorizationHandlerContextFactory contextFactory, IAuthorizationEvaluator evaluator, IOptionsoptions)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
if (policyProvider == null)
{
throw new ArgumentNullException(nameof(policyProvider));
}
if (handlers == null)
{
throw new ArgumentNullException(nameof(handlers));
}
if (logger == null)
{
throw new ArgumentNullException(nameof(logger));
}
if (contextFactory == null)
{
throw new ArgumentNullException(nameof(contextFactory));
}
if (evaluator == null)
{
throw new ArgumentNullException(nameof(evaluator));
}
_options = options.Value;
_handlers = handlers;
_policyProvider = policyProvider;
_logger = logger;
_evaluator = evaluator;
_contextFactory = contextFactory;
}
public async TaskAuthorizeAsync(ClaimsPrincipal user, object resource, IEnumerablerequirements)
{
if (requirements == null)
{
throw new ArgumentNullException(nameof(requirements));
}
var authContext = _contextFactory.CreateContext(requirements, user, resource);
var handlers = await _handlers.GetHandlersAsync(authContext);
foreach (var handler in handlers)
{
await handler.HandleAsync(authContext);
if (!_options.InvokeHandlersAfterFailure && authContext.HasFailed)
{
break;
}
}
var result = _evaluator.Evaluate(authContext);
if (result.Succeeded)
{
_logger.UserAuthorizationSucceeded();
}
else
{
_logger.UserAuthorizationFailed();
}
return result;
}
public async TaskAuthorizeAsync(ClaimsPrincipal user, object resource, string policyName)
{
if (policyName == null)
{
throw new ArgumentNullException(nameof(policyName));
}
var policy = await _policyProvider.GetPolicyAsync(policyName);
if (policy == null)
{
throw new InvalidOperationException($"No policy found: {policyName}.");
}
return await this.AuthorizeAsync(user, resource, policy);
}
}
通過上面的代碼可以發現,在對象執行個體中,通過構造函數的方式分别注入了IAuthorizationPolicyProvider、IAuthorizationHandlerProvider、IAuthorizationEvaluator、IAuthorizationHandlerContextFactory這幾個核心服務,以及配置選項的AuthorizationOptions對象,再通過實作的方法AuthorizeAsync可以看出,在方法中調用GetPolicyAsync來擷取Requirements,具體的可以看一下上一節的AuthorizationPolicy,而後在根據授權上下文來判斷。
這裡就用到了注入的幾個核心對象來實作完成授權的。下面會分别介紹到的。
3.2 IAuthorizationPolicyProvider
由上面的IAuthorizationServer接口的預設實作可以發現,在進行授權檢驗的時候,DefaultAuthorizationService會利用注入的IAuthorizationPolicyProvider服務來提供注冊的授權政策,是以我們檢視源碼發現,接口提供 了預設的授權政策GetDefaultPolicyAsync和指定名稱的授權政策·GetPolicyAsync(string policyName)的方法。
public interface IAuthorizationPolicyProvider
{
TaskGetPolicyAsync(string policyName);
TaskGetDefaultPolicyAsync();
TaskGetFallbackPolicyAsync();
}
再加上在使用[Authorize]進行政策授權的時候,會根據提供的接口方法來擷取指定的授權政策。
IAuthorizationPolicyProvider來根據名稱擷取到政策對象,預設實作為DefaultAuthorizationPolicyProvider:
DefaultAuthorizationPolicyProvider
public class DefaultAuthorizationPolicyProvider : IAuthorizationPolicyProvider
{
private readonly AuthorizationOptions _options;
private Task_cachedDefaultPolicy;
private Task_cachedFallbackPolicy;
public DefaultAuthorizationPolicyProvider(IOptionsoptions)
{
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
_options = options.Value;
}
public TaskGetDefaultPolicyAsync()
{
return GetCachedPolicy(ref _cachedDefaultPolicy, _options.DefaultPolicy);
}
public TaskGetFallbackPolicyAsync()
{
return GetCachedPolicy(ref _cachedFallbackPolicy, _options.FallbackPolicy);
}
private TaskGetCachedPolicy(ref TaskcachedPolicy, AuthorizationPolicy currentPolicy)
{
var local = cachedPolicy;
if (local == null || local.Result != currentPolicy)
{
cachedPolicy = local = Task.FromResult(currentPolicy);
}
return local;
}
public virtual TaskGetPolicyAsync(string policyName)
{
return Task.FromResult(_options.GetPolicy(policyName));
}
}
由上面的代碼可以看出,在實作DefaultAuthorizationPolicyProvider對象進行構造函數的方式注入了IOptions服務來提供配置選項AuthorizationOptions(不懂的可以檢視上一篇的AuthorizationOptions),再通過實作的方法可以看出是如何擷取到注冊的授權政策的了。附加一個圖檔
在上一章中介紹過,我們定義的政策都儲存在AuthorizationOptions的中PolicyMap字典中,由上代碼可以發現這字典的用處。
3.3 IAuthorizationHandlerContextFactory
先看看這個接口的源代碼
public interface IAuthorizationHandlerContextFactory
{
AuthorizationHandlerContext CreateContext(IEnumerablerequirements, ClaimsPrincipal user, object resource);
}
接口定義了一個唯一的方法CreateContext,作用在于建立授權上下文AuthorizationHandlerContext對象。接口預設實作方式
public class DefaultAuthorizationHandlerContextFactory : IAuthorizationHandlerContextFactory
{
public virtual AuthorizationHandlerContext CreateContext(IEnumerablerequirements, ClaimsPrincipal user, object resource)
{
return new AuthorizationHandlerContext(requirements, user, resource);
}
}
再來看看AuthorizationHandlerContext授權上下文對象,可以看出,上下文中主要包括使用者的Claims和授權政策的要求Requirements
public class AuthorizationHandlerContext
{
private HashSet_pendingRequirements;
private bool _failCalled;
private bool _succeedCalled;
public AuthorizationHandlerContext(
IEnumerablerequirements,
ClaimsPrincipal user,
object resource)
{
if (requirements == null)
{
throw new ArgumentNullException(nameof(requirements));
}
Requirements = requirements;
User = user;
Resource = resource;
_pendingRequirements = new HashSet(requirements);
}
public virtual IEnumerableRequirements { get; }
public virtual ClaimsPrincipal User { get; }
public virtual object Resource { get; }
public virtual IEnumerablePendingRequirements { get { return _pendingRequirements; } }
public virtual bool HasFailed { get { return _failCalled; } }
public virtual bool HasSucceeded
{
get
{
return !_failCalled && _succeedCalled && !PendingRequirements.Any();
}
}
public virtual void Fail()
{
_failCalled = true;
}
public virtual void Succeed(IAuthorizationRequirement requirement)
{
_succeedCalled = true;
_pendingRequirements.Remove(requirement);
}
}
是以,在下面我們剛好會提到了IAuthorizationHandlerProvider 中的方法,可以根據授權上下文擷取到請求調用的處理程式。
3.4 IAuthorizationHandlerProvider
這個是接口的方法,作用是擷取所有的授權Handler
public interface IAuthorizationHandlerProvider
{
Task<IEnumerable> GetHandlersAsync(AuthorizationHandlerContext context);
}
根據之前提到的授權上下文作為GetHandlersAsync方法參數對象來提取IAuthorizationHandler對象。
預設接口的實作為DefaultAuthorizationHandlerProvider, 處理程式的預設實作,為授權請求提供IAuthorizationHandler
public class DefaultAuthorizationHandlerProvider : IAuthorizationHandlerProvider
{
private readonly IEnumerable_handlers;
public DefaultAuthorizationHandlerProvider(IEnumerablehandlers)
{
if (handlers == null)
{
throw new ArgumentNullException(nameof(handlers));
}
_handlers = handlers;
}
public Task<IEnumerable> GetHandlersAsync(AuthorizationHandlerContext context)
=> Task.FromResult(_handlers);
}
從預設實作的方式可以看出,利用構造函數的方式注入預設的IAuthorizationHandler的對象,但是我們再看看接口的實作方法可以發現,GetHandlersAsync傳回的IAuthorizationHandler對象并不是從給定的AuthorizationHandlerContext上下文中擷取的,而是直接通過構造函數的方式注入得到的。
這個時候,你可能會問,那麼IAuthorizationHandler是在哪裡注入的呢?
對應下面的 IAuthorizationHandler
3.5 IAuthorizationEvaluator
由DefaultAuthorizationService中的授權方法過程調用了
var result = _evaluator.Evaluate(authContext);
IAuthorizationEvaluator接口,來确定授權結果是否成功。
public interface IAuthorizationEvaluator
{
AuthorizationResult Evaluate(AuthorizationHandlerContext context);
}
IAuthorizationEvaluator的唯一方法Evaluate,該方法會根據之前提供的授權上下文傳回一個表示授權成功的AuthorizationResult對象。預設實作為DefaultAuthorizationEvaluator
public class DefaultAuthorizationEvaluator : IAuthorizationEvaluator
{
public AuthorizationResult Evaluate(AuthorizationHandlerContext context)
=> context.HasSucceeded
? AuthorizationResult.Success()
: AuthorizationResult.Failed(context.HasFailed
? AuthorizationFailure.ExplicitFail()
: AuthorizationFailure.Failed(context.PendingRequirements));
}
由預設實作可以看出,AuthorizationHandlerContext對象的HasSucceeded屬性決定了授權是否成功。當驗證通過時,授權上下文中的HasSucceeded才會為True。
其中的AuthorizationResult和AuthorizationFailure分别為
public class AuthorizationResult
{
private AuthorizationResult() { }
public bool Succeeded { get; private set; }
public AuthorizationFailure Failure { get; private set; }
public static AuthorizationResult Success() => new AuthorizationResult { Succeeded = true };
public static AuthorizationResult Failed(AuthorizationFailure failure) => new AuthorizationResult { Failure = failure };
public static AuthorizationResult Failed() => new AuthorizationResult { Failure = AuthorizationFailure.ExplicitFail() };
}
public class AuthorizationFailure
{
private AuthorizationFailure() { }
public bool FailCalled { get; private set; }
public IEnumerableFailedRequirements { get;private set; }
public static AuthorizationFailure ExplicitFail()
=> new AuthorizationFailure
{
FailCalled = true,
FailedRequirements = new IAuthorizationRequirement[0]
};
public static AuthorizationFailure Failed(IEnumerablefailed)
=> new AuthorizationFailure { FailedRequirements = failed };
}
這裡的兩個授權結果 正是IAuthorizationService 進行實作授權AuthorizeAsync來完成校驗傳回的結果。
3.6 IAuthorizationHandler
接口方式實作,判斷是否授權,實作此接口的類
public interface IAuthorizationHandler
{
Task HandleAsync(AuthorizationHandlerContext context);
}
如果允許授權,可通過此接口的方法來決定是否允許授權。
之前我們還介紹到,我們定義的Requirement,可以直接實作IAuthorizationHandler接口,也可以單獨定義Handler,但是需要注冊到DI系統中去。
在預設的AuthorizationHandlerProvider中,會從DI系統中擷取到我們注冊的所有Handler,最終調用其HandleAsync方法。
我們在實作IAuthorizationHandler接口時,通常是繼承自AuthorizationHandler來實作,它有如下定義:
public abstract class AuthorizationHandler: IAuthorizationHandler where TRequirement : IAuthorizationRequirement { public virtual async Task HandleAsync(AuthorizationHandlerContext context) { foreach (var req in context.Requirements.OfType()) { await HandleRequirementAsync(context, req); } } protected abstract Task HandleRequirementAsync(AuthorizationHandlerContext context, TRequirement requirement); }
如上,首先會在HandleAsync過濾出與Requirement對比對的Handler,然後再調用其HandleRequirementAsync方法。
那我們定義的直接實作IAuthorizationHandler了接口的Requirement又是如何執行的呢?
我們可以發現,IAuthorizationHandler在AddAuthorization拓展方法中可以看到預設注冊了一個PassThroughAuthorizationHandler預設實作為:
public class PassThroughAuthorizationHandler : IAuthorizationHandler
{
public async Task HandleAsync(AuthorizationHandlerContext context)
{
foreach (var handler in context.Requirements.OfType())
{
await handler.HandleAsync(context);
}
}
}
它負責調用該政策中所有實作了IAuthorizationHandler接口的Requirement。通過接口實作的方法可以看出,當PassThroughAuthorizationHandler對象的HandleAsync方法被執行的時候,它會從AuthroizationHanderContext的Requirements屬性中提取所有的IAuthoizationHandler對象,并逐個調用它們的HandleAsync方法來實施授權檢驗。
是以可以看到的出,PassThroughAuthorizationHandler是一個特殊并且重要的授權處理器類型,其特殊之處在于它并沒有實作針對某個具體規則的授權檢驗,但是AuthorizationHandlerContext上下文所有的IAuthorizationHandler都是通過該對象驅動執行的。
3.7 IPolicyEvaluator
接口的方式實作,為特定需求類型調用的授權處理程式的基類
public interface IPolicyEvaluator
{
TaskAuthenticateAsync(AuthorizationPolicy policy, HttpContext context);
TaskAuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource);
}
定義了兩個方法AuthenticateAsync和AuthorizeAsync方法
IPolicyEvaluator的預設實作為PolicyEvaluator
public class PolicyEvaluator : IPolicyEvaluator
{
private readonly IAuthorizationService _authorization;
public PolicyEvaluator(IAuthorizationService authorization)
{
_authorization = authorization;
}
public virtual async TaskAuthenticateAsync(AuthorizationPolicy policy, HttpContext context)
{
if (policy.AuthenticationSchemes != null && policy.AuthenticationSchemes.Count > 0)
{
ClaimsPrincipal newPrincipal = null;
foreach (var scheme in policy.AuthenticationSchemes)
{
var result = await context.AuthenticateAsync(scheme);
if (result != null && result.Succeeded)
{
newPrincipal = SecurityHelper.MergeUserPrincipal(newPrincipal, result.Principal);
}
}
if (newPrincipal != null)
{
context.User = newPrincipal;
return AuthenticateResult.Success(new AuthenticationTicket(newPrincipal, string.Join(";", policy.AuthenticationSchemes)));
}
else
{
context.User = new ClaimsPrincipal(new ClaimsIdentity());
return AuthenticateResult.NoResult();
}
}
return (context.User?.Identity?.IsAuthenticated ?? false)
? AuthenticateResult.Success(new AuthenticationTicket(context.User, "context.User"))
: AuthenticateResult.NoResult();
}
public virtual async TaskAuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource)
{
if (policy == null)
{
throw new ArgumentNullException(nameof(policy));
}
var result = await _authorization.AuthorizeAsync(context.User, resource, policy);
if (result.Succeeded)
{
return PolicyAuthorizationResult.Success();
}
// If authentication was successful, return forbidden, otherwise challenge
return (authenticationResult.Succeeded)
? PolicyAuthorizationResult.Forbid()
: PolicyAuthorizationResult.Challenge();
}
}
授權中間件委托它來實作身份驗證和授權處理,它内部會調用AuthorizationService,進而執行所有授權處理器AuthorizationHandler, (在後面會提到授權中間件用到這兩個方法)
3.7.1、AuthenticateAsync
當授權政策沒有設定AuthenticationSchemes,則隻判斷下目前請求是否已做身份驗證,若做了就傳回成功
當授權政策設定了AuthenticationSchemes,則周遊身份驗證方案逐個進行身份驗證處理 。
其中context.User就是使用context.AuthenticateAsync(DefaultAuthenticateScheme)來指派的,将所有得到的使用者辨別重組成一個複合的使用者辨別。
當我們希望使用非預設的Scheme,或者是想合并多個認證Scheme的Claims時,就需要使用基于Scheme的授權來重置Claims了。
它的實作也很簡單,直接使用我們在授權政策中指定的Schemes來依次調用認證服務的AuthenticateAsync方法,并将生成的Claims合并,最後傳回我們熟悉的AuthenticateResult認證結果。
3.7.2、AuthorizeAsync
該方法會根據Requirements來完成授權,具體的實作是通過調用IAuthorizationService調用AuthorizeAsync來實作的。
最終傳回的是一個PolicyAuthorizationResult對象,并在授權失敗時,根據認證結果來傳回Forbid(未授權)或Challenge(未登入)。
以上彙總
- 授權服務IAuthorizationService,接口的預設實作為DefaultAuthorizationService,進行授權驗證。
- 在會根據授權政策提供器IAuthorizationPolicyProvider來擷取指定名稱的授權。
- 通過授權處理器上下文對象工廠IAuthorizationHandlerContextFactory授權處理器AuthorizationHandler在授權時需要傳入AuthorizationHandlerContext(上面說了授權完成後的結果也存儲在裡面)。是以在執行授權處理器之前需要建構這個上下文對象,就是通過這個工廠建構的,主要的資料來源就是 目前 或者 指定的 授權政策AuthorizationPolicy。
- 是以這個時候會授權處理提供其 IAuthorizationHandlerProvider,來擷取系統中所有授權處理器。
- 授權評估器IAuthorizationEvaluator來确定授權結果是否成功,在授權處理器AuthorizationHandler在執行完授權後,結果是存儲在AuthorizationHandlerContext中的,這裡的評估器隻是根據AuthorizationHandlerContext建立一個授權結果AuthorizationResult。
- 上面所說的授權處理器就是IAuthorizationHandler,處理器中包含主要的授權邏輯,在處理的過程中會将所有的授權處理器一一驗證。
- 是以在授權中間件中會利用IPolicyEvaluator中實作的身份認證和授權處理方法來調用AuthorizationService來執行所有的處理器。
四、中間件
在Configure中注冊管道:運作使用調用方法來配置Http請求管道
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{ app.UseRouting();
//開啟認證授權
app.UseAuthentication();
app.UseAuthorization();
}
在這裡使用了授權中間件來檢查授權,來看看中間件的源碼AuthorizationMiddleware
public class AuthorizationMiddleware
{
// Property key is used by Endpoint routing to determine if Authorization has run
private const string AuthorizationMiddlewareInvokedWithEndpointKey = "__AuthorizationMiddlewareWithEndpointInvoked";
private static readonly object AuthorizationMiddlewareWithEndpointInvokedValue = new object();
private readonly RequestDelegate _next;
private readonly IAuthorizationPolicyProvider _policyProvider;
public AuthorizationMiddleware(RequestDelegate next, IAuthorizationPolicyProvider policyProvider)
{
_next = next ?? throw new ArgumentNullException(nameof(next));
_policyProvider = policyProvider ?? throw new ArgumentNullException(nameof(policyProvider));
}
public async Task Invoke(HttpContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var endpoint = context.GetEndpoint();
if (endpoint != null)
{
context.Items[AuthorizationMiddlewareInvokedWithEndpointKey] = AuthorizationMiddlewareWithEndpointInvokedValue;
}
var authorizeData = endpoint?.Metadata.GetOrderedMetadata() ?? Array.Empty();
var policy = await AuthorizationPolicy.CombineAsync(_policyProvider, authorizeData);
if (policy == null)
{
await _next(context);
return;
}
var policyEvaluator = context.RequestServices.GetRequiredService();
var authenticateResult = await policyEvaluator.AuthenticateAsync(policy, context);
// Allow Anonymous skips all authorization
if (endpoint?.Metadata.GetMetadata() != null)
{
await _next(context);
return;
}
// Note that the resource will be null if there is no matched endpoint
var authorizeResult = await policyEvaluator.AuthorizeAsync(policy, authenticateResult, context, resource: endpoint);
if (authorizeResult.Challenged)
{
if (policy.AuthenticationSchemes.Any())
{
foreach (var scheme in policy.AuthenticationSchemes)
{
await context.ChallengeAsync(scheme);
}
}
else
{
await context.ChallengeAsync();
}
return;
}
else if (authorizeResult.Forbidden)
{
if (policy.AuthenticationSchemes.Any())
{
foreach (var scheme in policy.AuthenticationSchemes)
{
await context.ForbidAsync(scheme);
}
}
else
{
await context.ForbidAsync();
}
return;
}
await _next(context);
}
}
- 拿到目前請求的的終結點
var endpoint = context.GetEndpoint();
- 在目前請求拿到終結點endpoint的時候,會通過終結點拿到關聯的IAuthorizeData集合
var authorizeData = endpoint?.Metadata.GetOrderedMetadata() ?? Array.Empty();
- 将根據IAuthorizeData集合調用AuthorizationPolicy.CombineAsync()來建立組合政策(具體了可以看一下上一章) ( 用例: [Authorize(Policy = "BaseRole")] )
var policy = await AuthorizationPolicy.CombineAsync(_policyProvider, authorizeData);
- IPolicyEvaluator擷取政策評估器對得到的組合政策進行身份驗證,多種身份驗證得到的使用者證件資訊會合并進HttpContext.User
var policyEvaluator = context.RequestServices.GetRequiredService();
var authenticateResult = await policyEvaluator.AuthenticateAsync(policy, context);
- 當使用[AllowAnonymous]的時候,則直接跳過授權檢驗。
if (endpoint?.Metadata.GetMetadata() != null)
{
await _next(context);
return;
}
- 将IPolicyEvaluator提供的AuthorizeAsync授權檢查方法,進行政策授權檢查。
var authorizeResult = await policyEvaluator.AuthorizeAsync(policy, authenticateResult, context, resource: endpoint);
- 當進行授權時,周遊政策所有的身份驗證方案,進行質詢,若政策裡木有身份驗證方案則使用預設身份驗證方案進行質詢。
if (authorizeResult.Challenged)
{
if (policy.AuthenticationSchemes.Any())
{
foreach (var scheme in policy.AuthenticationSchemes)
{
await context.ChallengeAsync(scheme);
}
}
else
{
await context.ChallengeAsync();
}
return;
}
else if (authorizeResult.Forbidden)
{
if (policy.AuthenticationSchemes.Any())
{
foreach (var scheme in policy.AuthenticationSchemes)
{
await context.ForbidAsync(scheme);
}
}
else
{
await context.ForbidAsync();
}
return;
}
五、總結
- 通過對上述的處理流程的分析,可以看出授權主要是通過IAuthorizationService來實作的,而我們進行使用隻需要提供授權政策的Requirement,非常友善靈活的使用。
- 從源碼權限設計來看,系統注冊了各種服務,實作多種預設服務,加上預設的處理方式也滿足了大部分應用需求, 是以可以看出這一塊的功能還是很強大的,就算我們想通過自定義的方式來實作,也可以通過某些接口來實作拓展。
- 其中有很多核心源碼怕說的不夠清楚,是以在平時的開發項目中,再去看官方文檔或源碼這樣了解應該更容易。
- 如果有不對的或不了解的地方,希望大家可以多多指正,提出問題,一起讨論,不斷學習,共同進步。
- 參考的文檔 和官方源碼