OrchardCore.OpenId

OpenID Connect Module

OrchardCore.OpenId provides the following features:

  • Core Components

  • Entity Framework Core Stores

  • Authorization Server

  • Management Interface

  • Token Validation

  • OIDC Client

Core Components

Registers the core components used by the OpenID module.

Entity Framework Core Stores

Provides an Entity Framework Core 2.x adapter for the OpenID module.

Management Interface

Allows adding, editing and removing the registered applications.

Authorization Server

Enables authentication of external applications using the OpenID Connect/OAuth 2.0 standards.

It is based on the [OpenIddict](https://github.com/openiddict/openiddict-core) library, allowing Orchard Core to act as an identity provider to support token authentication without the need for an external identity provider.

So Orchard Core can also be used as an identity provider for centralizing the user access permissions to external applications, not only to Orchard Core services.

Flows supported: [code/implicit/hybrid flows](http://openid.net/specs/openid-connect-core-1_0.html) and [client credentials/resource owner password grants](https://tools.ietf.org/html/rfc6749).

Configuration

Configuration can be set through the _OpenID Connect_ settings menu in the admin dashboard and also through a recipe step.

Available settings are:

  • Testing Mode: Enabling testing mode removes the need to provide a certificate for signing tokens, since an ephemeral key is generated instead. It also removes the requirement to use HTTPS for issuing tokens.

  • Token Format: there are two options:

    • JWT: This format uses signed JWT standard tokens (not encrypted). It requires that the SSL certificate being used is accepted as a trusted certificate by the client.

    • Encrypted: This format uses non-standard opaque tokens encrypted by the ASP.NET data protection block. It doesn't require the client to accept the SSL certificate as a trusted certificate.

  • Authority: Orchard URL used by Orchard to act as an identity server.

  • Audiences: URLs of the resource servers for which the identity server issues valid JWT tokens.

  • Certificate Store Location: CurrentUser/LocalMachine https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storelocation(v=vs.110).aspx

  • Certificate Store Name: AddressBook/AuthRoot/CertificateAuthority/Disallowed/My/Root/TrustedPeople/TrustedPublisher https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storename(v=vs.110).aspx

  • Certificate Thumbprint: The thumbprint of the certificate (it is recommended not to use the same certificate that is being used for SSL).

  • Enable Token Endpoint.

  • Enable Authorization Endpoint.

  • Enable Logout Endpoint.

  • Enable User Info Endpoint.

  • Allow Password Flow: Requires the Token Endpoint to be enabled. More info at https://tools.ietf.org/html/rfc6749#section-1.3.3

  • Allow Client Credentials Flow: Requires the Token Endpoint to be enabled. More info at https://tools.ietf.org/html/rfc6749#section-1.3.4

  • Allow Authorization Code Flow: Requires the Authorization and Token Endpoints to be enabled. More info at http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth

  • Allow Implicit Flow: Requires the Authorization Endpoint to be enabled. More info at http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth

  • Allow Refresh Token Flow: Allows refreshing an access token using a refresh token. It can be used in combination with the Password Flow, Authorization Code Flow and Hybrid Flow. More info at http://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens

A sample of the OpenID Connect Settings recipe step:


```json
{
    "name": "OpenIdServerSettings",
    "TestingModeEnabled": false,
    "AccessTokenFormat": "JWT", // JWT or Encrypted
    "Authority": "https://www.orchardproject.net",
    "Audiences": ["https://www.orchardproject.net", "https://orchardharvest.org/"],
    "CertificateStoreLocation": "LocalMachine", // More info: https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storelocation(v=vs.110).aspx
    "CertificateStoreName": "My", // More info: https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storename(v=vs.110).aspx
    "CertificateThumbprint": "27CCA66EF38EF46CD9022431FB1FF0F2DF5CA1D7",
    "EnableTokenEndpoint": true,
    "EnableAuthorizationEndpoint": false,
    "EnableLogoutEndpoint": true,
    "EnableUserInfoEndpoint": true,
    "AllowPasswordFlow": true,
    "AllowClientCredentialsFlow": false,
    "AllowAuthorizationCodeFlow": false,
    "AllowRefreshTokenFlow": false,
    "AllowImplicitFlow": false
}
```


Client OpenID Connect Apps Configuration

OpenID Connect apps can be set through the OpenID Connect Apps menu in the admin dashboard (through the Management Interface feature) and also through a recipe step.

OpenID Connect apps require the following configuration.

  • Id: Unique identifier.

  • Client Id: Client identifier of the application. It has to be provided by a client when requesting a valid token.

  • Display Name: Display name associated with the current application.

  • Type: There are two options:

    • Confidential: Confidential applications MUST send their client secret when communicating with the token and revocation endpoints. This guarantees that only the legitimate client can exchange an authorization code or get a refresh token.

    • Public: Public applications don't use a client secret in their communications.

  • Client Secret: The client secret is a password associated with the application. It is required when the application is configured as Confidential.

  • Flows: If the general OpenID Connect settings allow a flow, an app can also enable that flow.

    • Allow Password Flow: Requires the Token Endpoint to be enabled. More info at https://tools.ietf.org/html/rfc6749#section-1.3.3

    • Allow Client Credentials Flow: Requires the Token Endpoint to be enabled. More info at https://tools.ietf.org/html/rfc6749#section-1.3.4

    • Allow Authorization Code Flow: Requires the Authorization and Token Endpoints to be enabled. More info at http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth

    • Allow Implicit Flow: Requires the Authorization Endpoint to be enabled. More info at http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth

    • Allow Refresh Token Flow: Allows refreshing an access token using a refresh token. It can be used in combination with the Password Flow, Authorization Code Flow and Hybrid Flow. More info at http://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens

  • Normalized RoleNames: This configuration is only required if the Client Credentials Flow is enabled. It determines the roles assigned to the app when it is authenticated using that flow.

  • Redirect Options: These options are only required when the Implicit Flow, Authorization Code Flow or Hybrid Flow is enabled:

    • Logout Redirect Uri: logout callback URL

    • Redirect Uri: callback URL

  • Skip Consent: sets whether a consent form has to be completed by the user after logging in.

A sample of the OpenID Connect App recipe step:

A sample of OpenID Connect App recipe step:

OpenID Connect App配方步骤示例:


```json
{
    "name": "openidapplication",
    "ClientId": "openidtest",
    "DisplayName": "Open Id Test",
    "Type": "Confidential",
    "ClientSecret": "MyPassword",
    "EnableTokenEndpoint": true,
    "EnableAuthorizationEndpoint": false,
    "EnableLogoutEndpoint": true,
    "EnableUserInfoEndpoint": true,
    "AllowPasswordFlow": true,
    "AllowClientCredentialsFlow": false,
    "AllowAuthorizationCodeFlow": false,
    "AllowRefreshTokenFlow": false,
    "AllowImplicitFlow": false
}
```
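The server settings list and the app configuration list above each state dependencies (a flow needs certain endpoints, testing mode relaxes the certificate and HTTPS requirements, Confidential apps need a secret, an app may only enable a flow the server allows). The following script is an added example, not part of the OrchardCore project, that encodes those rules and runs them over a constructed recipe before it is imported. The keys `RedirectUri` and `RoleNames` are assumed names for the "Redirect Uri" and "Normalized RoleNames" settings, since the recipe samples on this page do not show them.

```python
"""Dependency checks for OrchardCore.OpenId recipe steps (added example).

Encodes the rules stated in the settings lists on this page and applies them
to a constructed recipe. "RedirectUri" and "RoleNames" are assumed key names.
"""
from urllib.parse import urlparse

# Endpoints each server-side flow needs, from the settings list.
FLOW_REQUIREMENTS = {
    "AllowPasswordFlow": ["EnableTokenEndpoint"],
    "AllowClientCredentialsFlow": ["EnableTokenEndpoint"],
    "AllowAuthorizationCodeFlow": ["EnableAuthorizationEndpoint", "EnableTokenEndpoint"],
    "AllowImplicitFlow": ["EnableAuthorizationEndpoint"],
}
# Refresh tokens are only issued together with one of these grants.
REFRESH_TOKEN_PARTNERS = ["AllowPasswordFlow", "AllowAuthorizationCodeFlow"]
FLOW_KEYS = list(FLOW_REQUIREMENTS) + ["AllowRefreshTokenFlow"]
# Browser-based flows deliver their response to a registered redirect URI.
REDIRECT_FLOWS = ["AllowAuthorizationCodeFlow", "AllowImplicitFlow"]


def check_server_step(step):
    """Return the problems found in an OpenIdServerSettings step."""
    problems = []
    for flow, endpoints in FLOW_REQUIREMENTS.items():
        if step.get(flow):
            problems += [f"{flow} requires {e}" for e in endpoints if not step.get(e)]
    if step.get("AllowRefreshTokenFlow") and not any(step.get(k) for k in REFRESH_TOKEN_PARTNERS):
        problems.append("AllowRefreshTokenFlow needs the password, authorization code or hybrid flow")
    if step.get("AccessTokenFormat") not in ("JWT", "Encrypted"):
        problems.append("AccessTokenFormat must be JWT or Encrypted")
    if not step.get("TestingModeEnabled"):
        # Outside testing mode a signing certificate is mandatory and tokens are issued over HTTPS.
        if not step.get("CertificateThumbprint"):
            problems.append("CertificateThumbprint is required unless TestingModeEnabled is true")
        if urlparse(step.get("Authority", "")).scheme != "https":
            problems.append("Authority must be an https URL unless TestingModeEnabled is true")
    return problems


def check_app_step(app, server):
    """Return the problems found in an openidapplication step, given the server step."""
    problems = []
    client = app.get("ClientId") or "<missing ClientId>"
    kind = app.get("Type")
    if kind not in ("Confidential", "Public"):
        problems.append(f"{client}: Type must be Confidential or Public")
    if kind == "Confidential" and not app.get("ClientSecret"):
        problems.append(f"{client}: Confidential applications need a ClientSecret")
    if kind == "Public" and app.get("ClientSecret"):
        problems.append(f"{client}: Public applications do not use a ClientSecret")
    for flow in FLOW_KEYS:  # an app may only enable flows the server settings allow
        if app.get(flow) and not server.get(flow):
            problems.append(f"{client}: {flow} is not allowed by the server settings")
    if app.get("AllowClientCredentialsFlow") and not app.get("RoleNames"):  # assumed key
        problems.append(f"{client}: client credentials flow needs RoleNames")
    if any(app.get(f) for f in REDIRECT_FLOWS) and not app.get("RedirectUri"):  # assumed key
        problems.append(f"{client}: browser flows need a RedirectUri")
    return problems


def check_recipe(recipe):
    """Check every OpenId step in a recipe; returns a list of problem strings."""
    steps = recipe.get("steps", [])
    servers = [s for s in steps if s.get("name") == "OpenIdServerSettings"]
    apps = [s for s in steps if s.get("name") == "openidapplication"]
    problems = []
    for server in servers:
        problems += check_server_step(server)
    if apps and not servers:
        problems.append("openidapplication steps present without an OpenIdServerSettings step")
    for app in apps:
        problems += check_app_step(app, servers[0] if servers else {})
    return problems


# Constructed sample recipe: one server step, one service client, one browser client.
SAMPLE_RECIPE = {"steps": [
    {"name": "OpenIdServerSettings", "TestingModeEnabled": False, "AccessTokenFormat": "JWT",
     "Authority": "https://www.orchardproject.net", "Audiences": ["https://www.orchardproject.net"],
     "CertificateStoreLocation": "LocalMachine", "CertificateStoreName": "My",
     "CertificateThumbprint": "<thumbprint placeholder>",
     "EnableTokenEndpoint": True, "EnableAuthorizationEndpoint": False,
     "EnableLogoutEndpoint": True, "EnableUserInfoEndpoint": True,
     "AllowPasswordFlow": True, "AllowClientCredentialsFlow": True,
     "AllowAuthorizationCodeFlow": False, "AllowRefreshTokenFlow": True, "AllowImplicitFlow": False},
    {"name": "openidapplication", "ClientId": "reporting-job", "DisplayName": "Reporting job",
     "Type": "Confidential", "ClientSecret": "<secret placeholder>",
     "AllowClientCredentialsFlow": True, "RoleNames": ["Reader"]},
    # This app enables a flow the server does not allow and has no redirect URI.
    {"name": "openidapplication", "ClientId": "spa", "DisplayName": "Browser SPA",
     "Type": "Public", "AllowImplicitFlow": True},
]}

if __name__ == "__main__":
    for problem in check_recipe(SAMPLE_RECIPE):
        print("-", problem)
```

Run against the constructed recipe, the server step and the `reporting-job` app pass, while the `spa` app is reported twice: once for enabling the implicit flow the server settings do not allow, and once for lacking a redirect URI.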


Configuring Certificates

Windows / IIS

Several tools are available for generating a signing certificate on Windows and/or IIS, for example:

  • IIS Server Manager (offers limited control)

    1. Server Certificates

    2. Create Self-Signed Certificate

  • PowerShell (offers full control)

    1. `New-SelfSignedCertificate`, for example:


```powershell
# See https://technet.microsoft.com/en-us/itpro/powershell/windows/pkiclient/new-selfsignedcertificate

New-SelfSignedCertificate `
    -Subject "connect.example.com" `
    -FriendlyName "Example.com Signing Certificate" `
    -CertStoreLocation "cert:\LocalMachine\My" `
    -KeySpec Signature `
    -KeyUsage DigitalSignature `
    -KeyUsageProperty Sign `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") `   # Enhanced Key Usage: Server Authentication
    -KeyExportPolicy NonExportable `
    -KeyAlgorithm RSA `
    -KeyLength 4096 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddDays(825) `
    -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"
```

This snippet must be run as admin. It generates a 4096-bit signing certificate, stores it in the machine store and returns the certificate's thumbprint, which you need in the OpenID Connect Settings recipe or when exporting the certificate through PowerShell. You should update this example according to your requirements!

In multi-node environments consider creating the certificate with `-KeyExportPolicy Exportable`, then export the certificate (PFX) to a secure location, using the MMC Certificates Snap-In or PowerShell `Export-PfxCertificate`, and subsequently import the certificate on each node as non-exportable, which is the default when using `Import-PfxCertificate`. For example:


```powershell
# See https://technet.microsoft.com/en-us/itpro/powershell/windows/pkiclient/export-pfxcertificate
# Run this on the machine where the certificate was generated:

$mypwd = ConvertTo-SecureString -String "MySecretPassword123" -Force -AsPlainText

Export-PfxCertificate -FilePath C:\securelocation\connect.example.com.pfx cert:\localMachine\my\thumbprintfromnewselfsignedcertificate -Password $mypwd

# See https://technet.microsoft.com/en-us/itpro/powershell/windows/pkiclient/import-pfxcertificate
# Run this on the target node:

$mypwd = ConvertTo-SecureString -String "MySecretPassword123" -Force -AsPlainText

Import-PfxCertificate -FilePath C:\securelocation\connect.example.com.pfx cert:\localMachine\my -Password $mypwd
```


Important: In order for the OrchardCore.OpenId module to use the certificate's keys for signing, it requires Read access to the certificate in the store. This can be granted in various ways, for example:

  • MMC.exe

    1. Add Snap-In 'Certificates' for Computer Account

    2. Right-click the relevant certificate and select All Tasks, Manage Private Keys

    3. Add the relevant identity (e.g. IIS AppPool\PoolName)

    4. Check Allow Read

  • WinHttpCertCfg.exe (grants Full Control)

    1. For example: `winhttpcertcfg -g -c LOCAL_MACHINE\My -s connect.example.com -a AppPoolIdentityName` https://msdn.microsoft.com/en-us/library/windows/desktop/aa384088(v=vs.85).aspx

Token Validation

Validates tokens issued by the Orchard OpenID server or by a remote server supporting JWT and OpenID Connect discovery.

OIDC Client

Authenticates users from an external OpenID Connect identity provider.

If the site allows new users to register, a local user is created and the external login is linked to it.

If an "email" claim is received and a local user is found, the external login is linked to that account after authenticating.

Configuration

Configuration can be set through the _OpenID Connect_ settings menu in the admin dashboard and also through a recipe step.

Available settings are:

  • Display Name: Display name of the IdP. It is shown in the login form.

  • Authority: Authority to use when making OpenIdConnect calls.

  • ClientId: The client_id part of the query.

  • CallbackPath: The request path within the application's base path where the user agent will be returned after sign out from the identity provider. See post_logout_redirect_uri from http://openid.net/specs/openid-connect-session-1_0.html#RedirectionAfterLogout

  • SignedOut CallbackPath: the callback endpoint for sign-out. Defaults to /signout-callback-oidc.

  • SignedOut Redirect Uri: The URI where the user agent will be redirected to after the application is signed out from the identity provider. The redirect will happen after the SignedOutCallbackPath is invoked.

  • Scopes: Extra scopes besides openid and profile.

  • Response Mode: Configures the response mode, see http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthResponse. If fragment or query is selected, only the Code Authentication Flow is allowed.

  • Supported Flows: Select one of the OIDC flows:

    • Code Authentication Flow (see: http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)

    • Hybrid Authentication Flow (see: http://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest)

      • Use 'code id_token' response type (example: http://openid.net/specs/openid-connect-core-1_0.html#code-id_token-tokenExample)

      • Use 'code id_token token' response type (example: http://openid.net/specs/openid-connect-core-1_0.html#code-id_token-tokenExample)

      • Use 'code token' response type (example: http://openid.net/specs/openid-connect-core-1_0.html#code-tokenExample)

    • Implicit Authentication Flow (see: http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest)

      • Use 'id_token' response type (example: http://openid.net/specs/openid-connect-core-1_0.html#id_tokenExample)

      • Use 'id_token token' response type (example: http://openid.net/specs/openid-connect-core-1_0.html#id_token-tokenExample)

  • Client Secret: It is used with one of the 'confidential' flows, code or hybrid.

A sample of the OpenID Connect Client Settings recipe step:


```json
{
    "name": "OpenIdClientSettings",
    "Authority": "http://localhost:44300/t1",
    "DisplayName": "Orchard (t1) IdP",
    "ClientId": "orchard_t2",
    "CallbackPath": "/signin-oidc",
    "SignedOutCallbackPath": "/signout-callback-oidc",
    "Scopes": "email phone",
    "ResponseMode": "form_post",
    "ResponseType": "code id_token",
    "ClientSecret": "secret"
}
```

CREDITS

OpenIddict

https://github.com/openiddict

Licensed under the Apache License 2.0