Transforming Open Id Connect claims in ASP.Net Core


Question


I'm writing an ASP.Net Core Web Application and using UseOpenIdConnectAuthentication to connect it to IdentityServer3. Emulating their ASP.Net MVC 5 sample I'm trying to transform the claims received back from Identity Server to remove the "low level protocol claims that are certainly not needed." In MVC 5 they add a handler for the SecurityTokenValidated Notification that swaps out the AuthenticationTicket for one with just the required claims.


In ASP.Net Core, to do the equivalent, I thought that I would need to handle the OnTokenValidated in the OpenIdConnectEvents. However, at that stage it doesn't appear that the additional scope information has been retrieved. If I handle the OnUserInformationReceived, the extra information is present, but stored on the User rather than the principal.


None of the other events seem like the obvious place to permanently remove the claims I'm not interested in retaining after authentication has completed. Any suggestions gratefully received!

Answer


I like LeastPrivilege's suggestion to transform earlier in the process. The code provided doesn't quite work. This version does:

using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var oidcOptions = new OpenIdConnectOptions
{
   ...

   Events = new OpenIdConnectEvents
   {
       // Fires once the ticket is complete (id_token validated and, when
       // GetClaimsFromUserInfoEndpoint is enabled, userinfo claims merged),
       // so the principal can be swapped for one holding only the wanted claims.
       OnTicketReceived = e =>
       {
          e.Principal = TransformClaims(e.Ticket.Principal);
          return Task.CompletedTask;
       }
   }
};


This replaces the Principal rather than the Ticket. You can use the code from my other answer to create the new Principal. You can also replace the Ticket at the same time but I'm not sure it is necessary.


So thank you to LeastPrivilege and Adem for suggesting ways that pretty much answered my question... just the code needed slight adjustments. Overall, I prefer LeastPrivilege's suggestion of transforming claims early.
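The answer refers to a TransformClaims helper without showing it. The following is an added example, not the answerer's code, of one way to write it: it rebuilds the principal from an allow-list of application claim types, so protocol claims (nonce, at_hash, iss, aud, exp and so on) are dropped by default rather than having to be named one by one. The allow-list and the "name"/"role" claim type names are assumptions; adjust them to the scopes your application actually requests.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class ClaimsTransformer
{
    // Allow-list of claim types worth keeping after sign-in. Anything not listed
    // here is dropped, so newly introduced protocol claims never leak in by default.
    // (Assumed list; tailor it to the scopes your application requests.)
    private static readonly HashSet<string> KeepTypes =
        new HashSet<string>(StringComparer.Ordinal)
        {
            "sub", "name", "given_name", "family_name", "email", "role"
        };

    public static ClaimsPrincipal TransformClaims(ClaimsPrincipal incoming)
    {
        if (incoming == null) throw new ArgumentNullException(nameof(incoming));

        // Work from the authenticated identity produced by the OIDC handler.
        var source = incoming.Identities.FirstOrDefault(i => i.IsAuthenticated);
        if (source == null) return incoming; // nothing to transform

        // Copy only the allow-listed claims, preserving value type and issuer.
        var kept = source.Claims
            .Where(c => KeepTypes.Contains(c.Type))
            .Select(c => new Claim(c.Type, c.Value, c.ValueType, c.Issuer));

        // Keep the original authentication type so IsAuthenticated stays true,
        // and tell the new identity which claim types act as Name and Role.
        var identity = new ClaimsIdentity(
            kept, source.AuthenticationType, nameType: "name", roleType: "role");

        return new ClaimsPrincipal(identity);
    }
}
```

The short JWT claim names above assume inbound claim type mapping has been disabled (as the IdentityServer3 samples do); with the default mapping the handler renames claims such as "sub" to the long ClaimTypes URIs, and the allow-list must use those instead.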
