As long as you contribute, no matter how big or small, everyone is the brightest star of this era!
A community organization led by open source projects.
The BCVP framework is based on ASP.NET Core 5.0 + Vue.js + IdentityServer4 and other core technologies, and provides an integrated platform with front-end/back-end separation and dynamic authentication. It has been officially in operation for two years and is a very mature framework. But there has always been one small core detail in the middle that I never had the opportunity to confirm; today I finally had the chance to verify it. My thanks go to @wuare, a good friend, for the technical support: capturing the traffic of the back-end services and analysing the protocol.
Let me briefly describe the background:
Regarding authentication and authorization, which is the OAuth 2.0 flow: when our client (Vue) sends a request to the resource server (core), the resource server first checks whether the Token is valid. If it is empty or invalid, the request is rejected directly with 401. If it looks normal, a verification request is sent to the authentication center (ids4); once that passes, the rest is an ordinary visit.
So here comes the question:
Q&A:
1. Is the green verification request above sent on every request?
2. Which interface is requested, and what is returned?
3. If I shut down the authentication center, can access continue normally?
I don't know whether you have these questions. If you already have an accurate answer, you are welcome to point out the problems in this article; if you are not clear about it, this article will help you understand.
After all, this is a request between back ends, initiated by the resource server to the authentication center, so a packet capture tool is needed to see its specific content. Wireshark is recommended here; network administrators also use Wireshark to diagnose network problems.
The installation process is very simple, so I skip it here. One thing to note: if you want to capture requests to localhost, you need to install another tool, Nmap, which is used together with Wireshark.
After the installation is complete, the main interface looks like this:
It is mainly divided into three parts: the filter bar, the request (packet list) area, and the result area that shows the five layers in order.
How do we verify the questions from the beginning of the article? Don't worry; before verifying, let's review some computer networking basics.
Computer Network Hierarchical Foundation
A network request passes through the classic five-layer model:
Let's go over what each layer does:
What we see now is the seven-layer model, in which the application layer of the five-layer model is further subdivided. Finally, here is a detailed diagram illustrating what happens at each layer:
If at this point you feel like shouting that you don't understand it, it doesn't matter! You only need to know the names of the five layers and what each layer does.
Pick any HTTP request and look at it in Wireshark; you can clearly see the five-layer structure and the order of execution:
However, I still recommend focusing on the lower layers, the transport layer and the network layer, rather than the application layer, because the application layer is where our daily work already happens.
Even if you are not familiar with the transport layer, you surely know the TCP three-way handshake. It happens at the transport layer, as the name says: Transmission Control Protocol.
Well, let's look at the three-way handshake and see how it shows up in a capture.
TCP three-way handshake process
We can send a request with Postman. Try a host to which no connection has been established recently, such as my http://tibug.neters.club.
Then in Wireshark you can see the request process; apply a filter, otherwise there is too much traffic:
Let's briefly analyze the three-way handshake:
First handshake: the client sends a TCP segment with the SYN flag set and sequence number 0, meaning the client requests to establish a connection.
Second handshake: the server sends back an acknowledgement segment with the SYN and ACK flags set. Its Acknowledgement Number is set to the client's ISN plus 1, that is, 0+1=1.
Third handshake: the client sends an acknowledgement segment (ACK) again, with the SYN flag 0 and the ACK flag 1. It takes the server's sequence number plus 1 and puts it in the acknowledgement field sent to the other side.
Is the overall picture clear now?
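To make the seq/ack arithmetic of the three segments concrete, here is an added example (not code from the original post) that builds three constructed 20-byte TCP headers, parses them back, checks the SYN / SYN+ACK / ACK rules, and returns the relative sequence numbers Wireshark displays by default. The names BuildHeader, ParseHeader and Handshake are chosen here and the ISNs in the test are made up.

```go
package main

import (
	"encoding/binary"
	"errors"
)
const flagSYN, flagACK byte = 0x02, 0x10 // TCP flag bits in header byte 13
// Segment holds the TCP header fields the handshake discussion cares about.
type Segment struct {
	Seq, Ack uint32
	SYN, ACK bool
}
// BuildHeader writes a minimal 20-byte TCP header (ports zero, no options) for the sample segments.
func BuildHeader(seq, ack uint32, flags byte) []byte {
	b := make([]byte, 20)
	binary.BigEndian.PutUint32(b[4:8], seq)
	binary.BigEndian.PutUint32(b[8:12], ack)
	b[12] = 5 << 4 // data offset: 5 words = 20-byte header
	b[13] = flags
	return b
}
// ParseHeader decodes those fields from a raw TCP header.
func ParseHeader(b []byte) (Segment, error) {
	if len(b) < 20 {
		return Segment{}, errors.New("truncated TCP header")
	}
	return Segment{Seq: binary.BigEndian.Uint32(b[4:8]), Ack: binary.BigEndian.Uint32(b[8:12]),
		SYN: b[13]&flagSYN != 0, ACK: b[13]&flagACK != 0}, nil
}
// Handshake checks the SYN, SYN+ACK, ACK order and the ISN+1 acknowledgements, and returns the relative (ISN-based) seq/ack pairs Wireshark shows by default.
func Handshake(raw [3][]byte) (rel [3][2]uint32, err error) {
	var s [3]Segment
	for i := range raw {
		if s[i], err = ParseHeader(raw[i]); err != nil {
			return
		}
	}
	c, srv := s[0].Seq, s[1].Seq // each side's initial sequence number (ISN)
	switch {
	case !s[0].SYN || s[0].ACK:
		err = errors.New("1st segment must be SYN only")
	case !s[1].SYN || !s[1].ACK || s[1].Ack != c+1:
		err = errors.New("2nd segment must be SYN+ACK with ack = client ISN+1")
	case s[2].SYN || !s[2].ACK || s[2].Seq != c+1 || s[2].Ack != srv+1:
		err = errors.New("3rd segment must be ACK with seq = client ISN+1, ack = server ISN+1")
	default: // the client's own SYN is relative 0 by definition
		rel = [3][2]uint32{{0, 0}, {0, s[1].Ack - c}, {s[2].Seq - c, s[2].Ack - srv}}
	}
	return
}
```

The relative pairs (0,0), (0,1), (1,1) are exactly the Seq/Ack values the capture above shows, because Wireshark subtracts each side's ISN; untick "Relative sequence numbers" in the TCP protocol preferences to see the raw 32-bit values.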
With the networking knowledge and the tool in hand, we can now start studying the questions raised at the beginning of the article!
The resource server initiates the request "for the first time"
In the title I emphasized the first time. Is it really only the first time? Let's verify:
First, enable the Ids4 authentication mode in the Blog.Core project:
Then run the two projects separately, first get the Token, and then send a request to the get-menu interface. The result of the first request looks like this (you can type http in the filter bar to filter):
The overall process is very simple: the resource service is requested first, then it calls the authentication center, which means two interfaces are called. The results are:
1. /.well-known/openid-configuration
2. /.well-known/openid-configuration/jwks
These results are stored in the resource server's memory for later use. If you want to see the specific structure and results, you can copy the returned content directly:
At this point, the first two questions in the article have been perfectly answered.
Now let's verify the third question: just shut down the authentication center service!
The resource server initiates the request "again"
Building on the previous section, stop the authentication center service but do not restart the resource service. Use the previous token and switch to a new interface, /api/Permission/Get (of course you can also leave it unchanged). Send the request:
Sure enough, the request still goes through and no authentication request was initiated: the data is taken directly from the memory filled in the previous step, and the follow-up logic proceeds.
At this point, the three questions from the beginning of the article have been perfectly answered. Along the way I have also learned something about packet capture and computer networking. Keep going!
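The behaviour verified above, modelled as an added example (not code from Blog.Core or IdentityServer4): a stand-in authentication center with a key endpoint, and a resource server that fetches the signing key once and afterwards validates tokens from memory, so stopping the authentication center no longer matters. EdDSA stands in for IdentityServer4's RS256 to keep the block short, and the names AuthCenter, ResourceServer, JWKS, Token and Validate are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"strings"
)
var b64 = base64.RawURLEncoding
// AuthCenter stands in for ids4; Up=false simulates stopping the service.
type AuthCenter struct {
	Up   bool
	priv ed25519.PrivateKey
}
func NewAuthCenter() *AuthCenter {
	_, priv, _ := ed25519.GenerateKey(nil) // fresh signing key on every start
	return &AuthCenter{Up: true, priv: priv}
}
// JWKS models /.well-known/openid-configuration/jwks; it answers only while up.
func (a *AuthCenter) JWKS() (ed25519.PublicKey, error) {
	if !a.Up {
		return nil, errors.New("connection refused")
	}
	return a.priv.Public().(ed25519.PublicKey), nil
}
// Token issues a minimal signed JWT (header.payload.signature) for subject sub.
func (a *AuthCenter) Token(sub string) string {
	hp := b64.EncodeToString([]byte(`{"alg":"EdDSA"}`)) + "." + b64.EncodeToString([]byte(`{"sub":"`+sub+`"}`))
	return hp + "." + b64.EncodeToString(ed25519.Sign(a.priv, []byte(hp)))
}
// ResourceServer keeps the signing key in memory after the first fetch.
type ResourceServer struct {
	Ids   *AuthCenter
	cache ed25519.PublicKey
}
// Validate checks a bearer token; only a cold cache contacts the auth center.
func (r *ResourceServer) Validate(tok string) error {
	var err error
	if r.cache == nil {
		if r.cache, err = r.Ids.JWKS(); err != nil {
			return err
		}
	}
	i := strings.LastIndexByte(tok, '.')
	sig, err := b64.DecodeString(tok[i+1:])
	if i < 0 || err != nil || !ed25519.Verify(r.cache, []byte(tok[:i]), sig) {
		return errors.New("invalid token")
	}
	return nil
}
```

The flip side of this caching is worth keeping in mind: a resource server that starts while the authentication center is down has nothing in memory and rejects every token until the discovery and jwks calls succeed once.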
Microsoft Most Valuable Professional (MVP) is a global award granted by Microsoft to third-party technology professionals. For 27 years, technology community leaders around the world have received this award for sharing their expertise and experience in online and offline technology communities.
MVPs are a rigorously selected team of experts. They represent the most skilled and intelligent people, experts who are passionate about and helpful to the community. MVPs are committed to helping others through talks, forum questions and answers, building websites, writing blogs, sharing videos, open source projects, organizing conferences and so on, and to helping users in the Microsoft technology community get the most out of Microsoft technology.
For more details, please visit the official website:
https://mvp.microsoft.com/zh-cn