IdentityServer4:为Client_Credential Granttype的客户端主体添加自定义默认声明 [英] IdentityServer4: Add Custom default Claim to Client Principal for Client_Credential Granttype

问题描述

我正在使用IdentityServer4，并且试图在创建令牌时向我的CLIENT添加自定义默认声明.如果我使用隐式流和如下所示的IProfileService，这是可能的.

I am using IdentityServer4 and I am trying to add a custom default claim to my CLIENT when the token is created. This is possible if i use the implicit flow and IProfileService like shown below.

public class MyProfileService : IProfileService
{
    public MyProfileService()
    {

    }
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var claims = new List<Claim>
        {
            new Claim("DemoClaimType", "DemoClaimValue")
        };
        context.IssuedClaims = claims;
        return Task.FromResult(0);
    }
    public Task IsActiveAsync(IsActiveContext context)
    {
        context.IsActive = true;
        return Task.FromResult(0);
    }
}

在我的创业公司

services.AddIdentityServer()
            .AddProfileService<MyProfileService>()

但是，这对于具有client_credential授予类型的客户端不起作用，因为它似乎是cannot request OpenID scopes in client credentials flow.事实证明，Iprofileservice就像名称所暗示的那样适用于Identity资源，其中像profile一样的OpenId范围有效.因为无法请求具有client_credential授予类型GetProfileDataAsync的概要文件作用域，所以永远不会被调用.

However this does not work with my client with client_credential granttype since it seems cannot request OpenID scopes in client credentials flow. It turns out Iprofileservice like the name implies works for Identity Resources where the OpenId scopes like profile is valid. since am unable to request profile scopes with client_credential grant type GetProfileDataAsync never gets called.

由于仅与客户一起使用，没有用户，因此我需要一种将声明注入令牌的方法，而不必像下面那样将它们添加到客户端对象中

Since am working only with clients and no users I need a way to inject claims into the token without having to add them to the client object like below

    new Client
{
    ClientId = "myclient",
    ClientName = "My Client",
    AllowedGrantTypes = GrantTypes.ClientCredentials,
    ClientSecrets = {new Secret("secret".Sha256())},
    AllowedScopes = new List<string> {"api"},                    
    AllowOfflineAccess = true,

    //I Don't want to do this
    Claims = new List<Claim>
    {   
        new Claim("type","value")
    }
}

我不希望出现上述情况，因为我不希望该声明成为数据库中client_claims的一部分.我需要即时创建令牌请求.我希望我的问题现在已经清楚了.

I do not want the above because i do not want the the claim to be part of the client_claims in the database. I need to create it on the fly on token request. I hope my question is clearer now.

推荐答案

通过一些查询，我终于找到了解决方法.我需要一种在请求令牌时向客户端动态添加声明的方法.

With some inquiries I finally found out how to do this. I needed a way to add claims dynamically to the client when token was requested.

为此，我必须扩展ICustomTokenRequestValidator，然后通过完全依赖注入将我的类包含在Startup.cs中.

In order to do that I had to extend ICustomTokenRequestValidator and then include my class in Startup.cs thorough dependency injection

public class DefaultClientClaimsAdder : ICustomTokenRequestValidator
{
    public Task ValidateAsync(CustomTokenRequestValidationContext context)
    {
        context.Result.ValidatedRequest.Client.AlwaysSendClientClaims = true;
        context.Result.ValidatedRequest.ClientClaims.Add(new Claim("testtoken","testbody"))

        return Task.FromResult(0);
    }
}

在Startup.cs中配置服务

Configure services in Startup.cs

 services.AddTransient<ICustomTokenRequestValidator, DefaultClientClaimsAdder>();

这篇关于IdentityServer4:为Client_Credential Granttype的客户端主体添加自定义默认声明的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！