gRPC-通过依赖注入使用Blazor Webassembly进行Web通道身份验证
我正在Blazor Webassembly中使用身份验证测试gRPC-Web,在如何干净地访问我的gRPC通道方面遇到了一点障碍。
无需身份验证,就有一种非常简单和干净的方法,就像grpc-dotnet https://github.com/grpc/grpc-dotnet/tree/master/examples/Blazor的Blazor示例中详细描述的那样。
通道的提供:
builder.Services.AddSingleton(services =>
{
// Get the service address from appsettings.json
var config = services.GetRequiredService<IConfiguration>();
var backendUrl = config["BackendUrl"];
var httpClient = new HttpClient(new GrpcWebHandler(GrpcWebMode.GrpcWebText, new HttpClientHandler()));
var channel = GrpcChannel.ForAddress(backendUrl, new GrpcChannelOptions { HttpClient = httpClient });
return channel;
});Razor文件中的用法
@inject GrpcChannel Channel直接在razor文件中添加身份验证并在其中创建通道也不是很复杂
@inject IAccessTokenProvider AuthenticationService
...
@code {
...
var httpClient = new HttpClient(new GrpcWebHandler(GrpcWebMode.GrpcWebText, new HttpClientHandler()));
var tokenResult = await AuthenticationService.RequestAccessToken();
if (tokenResult.TryGetToken(out var token))
{
var _token = token.Value;
var credentials = CallCredentials.FromInterceptor((context, metadata) =>
{
if (!string.IsNullOrEmpty(_token))
{
metadata.Add("Authorization", $"Bearer {_token}");
}
return Task.CompletedTask;
});
//SslCredentials is used here because this channel is using TLS.
//Channels that aren't using TLS should use ChannelCredentials.Insecure instead.
var channel = GrpcChannel.ForAddress(baseUri, new GrpcChannelOptions
{
Credentials = ChannelCredentials.Create(new SslCredentials(), credentials)
});但这会将大量所需的逻辑转移到剃刀文件中。有没有办法将它们结合起来,并通过注入提供一个经过身份验证的grpc通道?
回答 6
Stack Overflow用户
发布于 2020-04-20 05:31:36
经过大量额外的测试,我找到了一个解决方案。虽然不是完美的,但到目前为止它工作得很好。
启动过程中通道的注册
builder.Services.AddSingleton(async services =>
{
var httpClient = new HttpClient(new GrpcWebHandler(GrpcWebMode.GrpcWeb, new HttpClientHandler()));
var baseUri = "serviceUri";
var authenticationService = services.GetRequiredService<IAccessTokenProvider>();
var tokenResult = await authenticationService.RequestAccessToken();
if(tokenResult.TryGetToken(out var token)) {
var credentials = CallCredentials.FromInterceptor((context, metadata) =>
{
if (!string.IsNullOrEmpty(token.Value))
{
metadata.Add("Authorization", $"Bearer {token.Value}");
}
return Task.CompletedTask;
});
var channel = GrpcChannel.ForAddress(baseUri, new GrpcChannelOptions { HttpClient = httpClient, Credentials = ChannelCredentials.Create(new SslCredentials(), credentials) });
return channel;
}
return GrpcChannel.ForAddress(baseUri, new GrpcChannelOptions() { HttpClient = httpClient });
});由于通道是使用异步注册的,因此必须将其作为任务注入
@inject Task<GrpcChannel> ChannelStack Overflow用户
发布于 2020-07-13 07:08:07
我基于微软在.NET Core3.2中托管的Blazor WebAssembly项目的新项目模板解决了这个问题。我从BaseAddressAuthorizationMessageHandler复制了代码,但注释掉了令牌不可用时抛出的异常,并将其添加到Program.cs中的HttpClient中:
Program.cs
builder.Services.AddHttpClient("SampleProject.ServerAPI", client => client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress))
.AddHttpMessageHandler<GrpcWebHandler>()
.AddHttpMessageHandler<GrpcAuthorizationMessageHandler>();
builder.Services.AddSingleton(services =>
{
// Create a gRPC-Web channel pointing to the backend server
var httpClient = services.GetRequiredService<HttpClient>();
var baseUri = services.GetRequiredService<NavigationManager>().BaseUri;
var channel = GrpcChannel.ForAddress(baseUri, new GrpcChannelOptions { HttpClient = httpClient });
// Now we can instantiate gRPC clients for this channel
return new Products.ProductsClient(channel);
});GrpcAuthorizationMessageHandler.cs ():
public class GrpcAuthorizationMessageHandler : DelegatingHandler
{
private readonly IAccessTokenProvider _provider;
private readonly NavigationManager _navigation;
private AccessToken _lastToken;
private AuthenticationHeaderValue _cachedHeader;
private Uri[] _authorizedUris;
private AccessTokenRequestOptions _tokenOptions;
public GrpcAuthorizationMessageHandler(
IAccessTokenProvider provider,
NavigationManager navigation)
{
_provider = provider;
_navigation = navigation;
ConfigureHandler(new[] { _navigation.BaseUri });
}
protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
var now = DateTimeOffset.Now;
if (_authorizedUris == null)
{
throw new InvalidOperationException($"The '{nameof(AuthorizationMessageHandler)}' is not configured. " +
$"Call '{nameof(AuthorizationMessageHandler.ConfigureHandler)}' and provide a list of endpoint urls to attach the token to.");
}
if (_authorizedUris.Any(uri => uri.IsBaseOf(request.RequestUri)))
{
if (_lastToken == null || now >= _lastToken.Expires.AddMinutes(-5))
{
var tokenResult = _tokenOptions != null ?
await _provider.RequestAccessToken(_tokenOptions) :
await _provider.RequestAccessToken();
if (tokenResult.TryGetToken(out var token))
{
_lastToken = token;
_cachedHeader = new AuthenticationHeaderValue("Bearer", _lastToken.Value);
}
// this exception was commented out to be used with the GrpcWebHandler
// else
// {
// throw new AccessTokenNotAvailableException(_navigation, tokenResult, _tokenOptions?.Scopes);
// }
}
// We don't try to handle 401s and retry the request with a new token automatically since that would mean we need to copy the request
// headers and buffer the body and we expect that the user instead handles the 401s. (Also, we can't really handle all 401s as we might
// not be able to provision a token without user interaction).
request.Headers.Authorization = _cachedHeader;
}
return await base.SendAsync(request, cancellationToken);
}
public GrpcAuthorizationMessageHandler ConfigureHandler(
IEnumerable<string> authorizedUrls,
IEnumerable<string> scopes = null,
string returnUrl = null)
{
if (_authorizedUris != null)
{
throw new InvalidOperationException("Handler already configured.");
}
if (authorizedUrls == null)
{
throw new ArgumentNullException(nameof(authorizedUrls));
}
var uris = authorizedUrls.Select(uri => new Uri(uri, UriKind.Absolute)).ToArray();
if (uris.Length == 0)
{
throw new ArgumentException("At least one URL must be configured.", nameof(authorizedUrls));
}
_authorizedUris = uris;
var scopesList = scopes?.ToArray();
if (scopesList != null || returnUrl != null)
{
_tokenOptions = new AccessTokenRequestOptions
{
Scopes = scopesList,
ReturnUrl = returnUrl
};
}
return this;
}
}这是它背后的基本原理。
根据Steve Sanderson的this blog post,您只需将GrpcWebHandler添加到HttpClient即可使用GrpcWeb。但是,如果您尝试将BaseAddressAuthorizationMessageHandler与GrpcWebHandler一起使用,那么当用户未通过身份验证时,您将得到一个抛出StatusCode=Internal的RpcException。
查看代码后,我发现异常的原因是授权处理程序在令牌不可用时抛出异常,GrpcWebHandler将其捕获为内部异常。如果您添加了一个不抛出该异常的自定义消息处理程序,则GrpcWebHandler将抛出带有StatusCode=Unauthenticated的正确RcpException,然后您可以相应地进行处理,例如,通过重定向到登录页面。
这是一个示例,展示了如何在剃刀页面中使用GrpcClient,而无需添加额外的授权码:
@inject CustomClient grpcClient
@inject NavigationManager navManager
@code {
public async Task MakeRequest() {
var request = new Request();
try
{
var reply = await grpcClient.MakeRequestAsync(request);
}
catch (Grpc.Core.RpcException ex) when (ex.StatusCode == StatusCode.Unauthenticated)
{
NavigationManager.NavigateTo($"/authentication/login/?returnUrl={NavigationManager.BaseUri}your-page");
}
}
}Stack Overflow用户
发布于 2020-04-21 17:40:50
我试着在我的Blazor WASM应用程序中用来自https://github.com/grpc/grpc-dotnet/tree/master/examples#ticketer的JamesNK的'Ticketer‘示例代码做一些类似的事情,并且它工作了。
The ticketer展示了如何在ASP.NET核心中使用gRPC进行身份验证和授权。此示例具有一个标记为Authorize属性的gRPC方法。只有在服务器对该方法进行了身份验证,并通过gRPC调用传递有效的JWT令牌时,客户端才能调用该方法。
我在'Client/Shared/NavMenu.cs‘(OnInitializedAsync())中创建了一个令牌,并在对其他页面中的gRPC服务的调用中使用该令牌。
https://stackoverflow.com/questions/61146743
复制相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号