ASP.Net Identity和IdentityServer4声明 [英] ASP.Net Identity and IdentityServer4 Claims
问题描述
我正在使用IdentityServer4作为OIDC提供程序和ASP.NET Core 2.0.
I'm using IdentityServer4 as an OIDC provider and ASP.NET Core 2.0.
我已经浏览了几篇文章,以确保IdentityServer发出的声明最终出现在ClaimsPrincipal(即Auth Cookie)中,并设法通过ClaimsAction过滤来使它工作.
I have gone through several posts to ensure that the claims issued by IdentityServer end up in the ClaimsPrincipal (ie Auth Cookie), and have managed to get this working with ClaimsAction filtering.
但是我的问题是... 当使用ASP.NET身份(和EF后备存储)运行IdentityServer时,如何将ASP.NET身份属性映射到IDS4返回的声明.默认情况下,IDS4返回诸如...的声明.
However my question is this ... When running IdentityServer with the ASP.NET Identity (and EF backing store), how do the ASP.NET Identity properties get mapped to the claims returned by IDS4. By default, IDS4 returns claims like ...
- "sub":来自IdentityUser.Id
- 名称":来自IdentityUser.UserName
- "preferred_username":来自IdentityUser.UserName
- 电子邮件":来自IdentityUser.Email
- "email_verified":来自IdentityUser.EmailConfirmed
我问这个的原因是我想映射
The reason I ask this, is that I would like to map
- 给定名称":来自IdentityUser.FirstName(扩展属性)
- 家庭名称":来自IdentityUser.LastName(扩展属性)
因为在请求PROFILE范围时,默认情况下IDS4似乎没有执行此操作.
as IDS4 does not appear to do this by default when requesting the PROFILE scope.
此外,我想问一下存储用户属性的最佳实践.使用ASP.NET Identity DB时,将创建两个表...
In addition, I would like to ask what would be best-practice for storing user properties. When using the ASP.NET Identity DB, two tables are created ...
- AspNetUsers
- AspNetUserClaims
因此,最好的做法是将其他用户属性添加为...
So would it be best practice to add additional user properties as ...
- IdentityUser的属性(作为新字段添加到AspNetUsers中)或...
- AspNetUserClaims中的其他声明(可以在注册或登录时使用UserManager.AddClaimAsync()添加这些声明 )
推荐答案
如何将用户属性映射到声明
当您回答您自己时,应该以编程方式映射扩展属性.
How to map user-properties to claims
As you answered yourself, the extended property should be mapped programmatically.
- 如果要向
AspNetUsers
表中添加列,请扩展IdentityUser
类(例如public class MyApplicationUser : IdentityUser
),然后添加自定义属性(例如FirstName
).这实质上改变了模型.为了确保EF将模型更改写入数据库表,您需要用新的MyApplicationUser
类扩展IdentityDbContext
类.- 如果要将用户的自定义声明(例如
hair_color
)添加到AspNetUserClaims
表中,则需要调用userManager.AddClaimAsync()
.您可以在注册过程或登录过程中使用表单中的数据,或从外部身份验证提供商(例如Google,Facebook,Twitter等)收到的声明中进行此操作.
- If you want to add columns to the
AspNetUsers
table, you extend theIdentityUser
class (e.g.public class MyApplicationUser : IdentityUser
), then add your custom properties (egFirstName
). This essentially changes the model. To ensure that EF writes your model changes to the DB table, you need to extend theIdentityDbContext
class with your newMyApplicationUser
class.- If you want custom claims for the user (e.g.
hair_color
) to be added to theAspNetUserClaims
table, you need to calluserManager.AddClaimAsync()
. You could do this during the registration process or login process with data from the form, or from claims received from external auth providers such as Google, Facebook, Twitter etc.
但是,正如您在我对其他问题的回答中所读到的那样,我认为您不应映射它们,而应立即对其进行声明.
But, as you can read in my answer to your additional question, I think you should not map them, but make them claims right away.
我发现您的另一个问题更有趣:要添加到AspNetUsers
的哪些属性以及何时添加到AspNetUserClaims
的属性?
I found your additional question more interesting: what properties to add to AspNetUsers
and when to AspNetUserClaims
?
讨论,我可能会说,主要考虑因素是:
After some discussion, I would probably say, that the main consideration would be:
- 以ASP.NET身份作为用户数据主要来源的属性,应强类型化数据库列(通常在
AspNetUsers
中),并在创建主体时传播到声明(必要时). - 从另一个来源导入和更新的属性可以立即传播到数据库(
AspNetUsersClaims
)中的声明中.
- Properties for which ASP.NET Identity is your primary source of user data should be strongly typed database columns (typically in
AspNetUsers
) and propagated to claims (when necessary) when creating the principal. - Properties imported and updated from another source can be propagated to claims in the DB (
AspNetUsersClaims
) right away.
示例:
- 如果
hair_color
是用户在此标识界面中输入和更改的属性,则将其存储在强类型数据库列中. - 如果
hair_color
是在另一个应用程序中维护并从那里更新的属性,我会将其作为记录存储在Claims表中.
- if
hair_color
is a property entered and changed by the user in this identity-interface, you store it in a strongly typed database column. - if
hair_color
is a property maintained in another application and updated from there, I would store it as a record in the claims-table.
在编写原始答案时(如下),我是从另一个(主要)源间接更新要共享的用户数据,但对于身份验证详细信息,ASP.NET Identity是主要来源.因此,它导致了相同的分布,但原因有所不同.
据我了解,经验法则是:
As I understand it, the rule of thumb is:
- (仅)旨在与其他应用程序(用户信息)共享的数据应被保护为身份资源,因此在
AspNetUsersClaims
中声明.
功能上用于认证的 - 数据(authentication-info)应该是用户(
AspNetUsers
)的一部分,因此用于以下各项的数据:标识,登录,还原,2事实等(例如用户名,密码,电子邮件) ,电话)
- data that is (only) meant for sharing with other applications (user-info), should be protected identity resources, hence claims in
AspNetUsersClaims
. - data that is functionally used for authentication (authentication-info) should be part of the user (
AspNetUsers
), so data for: identification, login, restore, 2-fact, etc. (e.g. username, password, email, phone)
示例:
- 如果要添加
DateOfBirth
,请将其添加到AspNetUsersClaims
(除非您打算以某种方式使用它进行身份验证/登录) - 如果要存储与
accountExpiresDate
或CreatedFromIP
之类的帐户/登录相关的数据,请将其添加到AspNetUsers
(并扩展IdentityUser
)
- if you want to add a
DateOfBirth
I would add it toAspNetUsersClaims
(unless you intend to use it for authentication/login somehow) - if you want to store account/login-related data like
accountExpiresDate
orCreatedFromIP
you add it toAspNetUsers
(and extendIdentityUser
)
因此,如果您使用UserClaimsPrincipalFactory
将用户属性添加到用户声明中,则可能只是将该属性添加到了错误的表中!
So if you use a UserClaimsPrincipalFactory
to add a user-property to your user-claims, you may just be adding the property to the wrong table!
当我自己对此感到疑惑时,我实际上找到了你的问题.我开始使用上述经验法则,但是这个问题不断出现,因为许多示例未遵循该法则.
例如. Microsoft有一个示例,建议添加 profile
范围:birthdate, name, family_name, given_name, middle_name, nickname, preferred_username
.
I actually found your question, while wondering about this myself, yet again. I started using the above rule of thumb, but the question kept coming up, because a lot of examples don't follow this rule.
E.g. Microsoft has an example suggesting to add Name and DOB, which seems to contradict this.
However, OpenID already defines these properties (a.o.) as standard claims in the optional profile
scope: birthdate, name, family_name, given_name, middle_name, nickname, preferred_username
.
这篇关于ASP.Net Identity和IdentityServer4声明的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!