1. UnitTest async method example

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;   // DiscoveryClient, TokenClient, SetBearerToken (NuGet package: IdentityModel)
using Microsoft.VisualStudio.TestTools.UnitTesting;

[TestClass]
public class UnitTest1
{
    // MSTest calls this synchronous wrapper; the async body is driven to completion
    // with GetAwaiter().GetResult() so that any exception surfaces unwrapped.
    [TestMethod]
    public void Test()
    {
        Task.Run(async () => { await ClientCredentials_Test(); }).GetAwaiter().GetResult();
    }

    public async Task ClientCredentials_Test()
    {
        // 1. Call the API without a token.
        var client = new HttpClient();
        var response = await client.GetAsync("http://localhost:53560/values");
        // Assert.IsTrue(response.IsSuccessStatusCode); // this will not pass: no bearer token yet
        var content = await response.Content.ReadAsStringAsync();
        Console.WriteLine(content);

        // 2. Request a token with the client credentials flow.
        //    The token endpoint is read from the discovery document.
        var disco = await DiscoveryClient.GetAsync("http://localhost:53560");
        var tokenClient = new TokenClient(disco.TokenEndpoint, "client", "secret");
        var tokenResponse = await tokenClient.RequestClientCredentialsAsync("api1");
        Assert.IsFalse(tokenResponse.IsError, tokenResponse.Error);
        Console.WriteLine(tokenResponse.Json);

        // 3. Call the API again, now presenting the access token as a bearer token.
        client = new HttpClient();
        client.SetBearerToken(tokenResponse.AccessToken);
        response = await client.GetAsync("http://localhost:53560/values");
        Assert.IsTrue(response.IsSuccessStatusCode);
        content = await response.Content.ReadAsStringAsync();
        Console.WriteLine(content);
    }
}
```
2. Click Here for a tutorial on Identity Server 4 with ASP.NET Core 2.0
Terminology (IdentityServer is an implementation of OAuth2 and OpenID):
- User: Person using a Client and the owner of the Protected Resource.
- Client: The application that needs access to the Protected Resource.
- Protected Resource: The resource being protected from unauthorised access (e.g. a Web API).
- Server: Server that authenticates the User and returns Access Tokens.
- Access Token: A secret key used to access the Protected Resource.
- Scopes: Values that limit which features of the Protected Resource may be accessed. (You can think of scopes as the intent of the client, for example: the Client asks the resource owner to grant it access to the OpenID scopes given_name, email and preferred_username, and to the OAuth2 scope WebApi.)
- Redirect URI: Location the User is returned to after the Auth. Server completes authorization.
- Client ID: The Client's identifier registered with the Auth. Server.
- Client Secret: The Client's secret registered with the Auth. Server. This must be kept confidential.
For more on this topic, see the video courses:
- Building and Securing a RESTful API for Multiple Clients in ASP.NET
- OAuth2 and OpenID Connect Strategies for AngularJS and ASP.NET
3. OAuth2 Flows
This article explains them well; worth a read.
- Authorization Code Flow: the flow behind the familiar "log in with QQ / WeChat" buttons seen on websites.
  A client application:
  (a) makes an authorization request to an authorization endpoint,
  (b) receives a short-lived authorization code,
  (c) makes a token request to a token endpoint with the authorization code, and
  (d) gets an access token.
  Sequence:
  (a) User accesses the Client.
  (b) User is redirected to the Auth. Server.
  (c) User provides username/password.
  (d) User is redirected back to the Client with a code.
  Note: the code is exposed to the user.
  (e) Client accesses the Auth. Server to exchange the code for an Access Token.
  Note: the Access Token is not exposed to the user.
  (f) Client accesses the Protected Resource using the Access Token.
- Implicit Flow: similar to the above, but without the step of obtaining an authorization code.
  A client application:
  (a) makes an authorization request to an authorization endpoint and
  (b) gets an access token directly from the authorization endpoint.
  Sequence:
  (a) User accesses the Client.
  (b) User is redirected to the Auth. Server.
  (c) User provides username/password.
  (d) User is redirected back to the Client with an Access Token.
  Note: the Access Token is exposed to the user.
  (e) Client accesses the Protected Resource using the Access Token.
- Resource Owner Password Credentials Flow: the user enters username and password directly in the client, which sends them to the third-party server for verification and obtains an access token.
  A client application:
  (a) makes a token request to a token endpoint and
  (b) gets an access token.
  In this flow, a client application accepts a user's ID and password, although the primary purpose of OAuth 2.0 is to give limited permissions to a client application WITHOUT revealing the user's credentials to the client application.
  Sequence:
  (a) User accesses the Client and provides username/password.
  Note: username/password are exposed to the Client.
  (b) Client accesses the Auth. Server to exchange username/password for an Access Token.
  (c) Client accesses the Protected Resource using the Access Token.
- Client Credentials Flow: this flow authenticates the client itself. Each client has its own id and secret, which it uses to obtain an access token for subsequent resource access.
  A client application:
  (a) makes a token request to a token endpoint and
  (b) gets an access token.
  In this flow no user is authenticated; only the client application is authenticated.
- Refresh Token Flow: during the earlier authorization request the client obtained an access token together with a refresh token; here the refresh token is used to obtain a new access token.
  A client application:
  (a) presents a refresh token to a token endpoint and
  (b) gets a new access token.
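The server side of the Client Credentials Flow that the unit test in section 1 exercises, as an added example (not the Fiver.Security.AuthServer project's own code): the IdentityServer4 in-memory client and API resource definitions, plus the API-side bearer-token validation. The class names Config, AuthServerStartup and ApiStartup and the ApiResource display name are assumptions; "client", "secret", "api1" and http://localhost:53560 are taken from the test.

```csharp
using System.Collections.Generic;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

// Assumed class names; "client", "secret", "api1" and the port come from the test above.
public static class Config
{
    // The protected resource; its name becomes the "aud" claim of issued tokens.
    public static IEnumerable<ApiResource> Apis => new[] { new ApiResource("api1", "Values API") };
    // Machine-to-machine client: no user is involved, only the id/secret pair is checked.
    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "client",
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            ClientSecrets = { new Secret("secret".Sha256()) }, // only the hash is stored
            AllowedScopes = { "api1" }    // requesting any other scope -> invalid_scope
        }
    };
}

// Fiver.Security.AuthServer: issues tokens at /connect/token.
public class AuthServerStartup
{
    public void ConfigureServices(IServiceCollection services) =>
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()   // dev only; use a real certificate in production
            .AddInMemoryApiResources(Config.Apis)
            .AddInMemoryClients(Config.Clients);

    public void Configure(IApplicationBuilder app) => app.UseIdentityServer();
}

// Fiver.Security.AuthServer.Api: bearer-token validation for /values (with [Authorize] on the controller).
public class ApiStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvcCore().AddAuthorization().AddJsonFormatters();
        services.AddAuthentication("Bearer").AddIdentityServerAuthentication(o =>
        {
            o.Authority = "http://localhost:53560"; // issuer whose signing keys to trust
            o.RequireHttpsMetadata = false;         // local development only
            o.ApiName = "api1";                     // required audience
        });
    }
    // Configure(app) must call app.UseAuthentication() before app.UseMvc().
}
```

With this configuration the first, token-less GET in the test is rejected by the API, and the token request succeeds only for the scope "api1" that the client is allowed.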
4. GitHub code
- CLICK HERE
- Running the test:
  In the Fiver.Security.AuthServer directory, run `dotnet run`.
  In the Fiver.Security.AuthServer.Api directory, run `dotnet run`.
  Then debug-run the Fiver.Security.AuthServer.Client project in Visual Studio.