ASP.NET Core身份和身份服务器4-[角色，声明和IdentityResources] [英] ASP.NET Core Identity and Identity Server 4 - [Roles, Claims and IdentityResources]

问题描述

在将IdentityServer 4与ASP.NET Identity集成时，我想请您澄清一下.

I would like to ask you for clarification when integrating IdentityServer 4 with ASP.NET Identity.

我正在使用两个数据库上下文. Microsoft.AspNetCore.Identity.EntityFrameworkCore.IdentityDbContext<IdentityUser>和IdentityServer4.EntityFramework.DbContexts.ConfigurationDbContext.

I am working with two database contexts. Microsoft.AspNetCore.Identity.EntityFrameworkCore.IdentityDbContext<IdentityUser> and IdentityServer4.EntityFramework.DbContexts.ConfigurationDbContext.

Identity Server 4正在使用AspNetIdentity .AddAspNetIdentity<IdentityUser>().

Identity Server 4 is using AspNetIdentity .AddAspNetIdentity<IdentityUser>().

所以IdentityUser已经分配了IdentityUserClaims，并且在成功通过身份验证后，它会正确反映在JWT令牌中.

So IdentityUser has assigned IdentityUserClaims and it's properly reflected in JWT token after successfull authentication.

现在的问题是，IdentityServer4 ConfigurationDbContext中的IdentityResource和IdentityClaim:UserClaim是什么?由于现在从aspnet身份使用声明，因此完全不使用该实体.我说的对吗?

Question now is, what is with the IdentityResource and IdentityClaim:UserClaim from IdentityServer4 ConfigurationDbContext? As claims are now used from aspnet identities, this entity is not used at all. Am I right?

另一个问题是，ApiScopeClaims现在在游戏中如何?由于ApiScope为其颁发了令牌，因此它们仍由Identity Server使用.正确的?但是现在，我要保持来自不同数据库上下文的ApiScopeClaim和IdentityUserClaim同步.

Another question is how ApiScopeClaims are now in game? They are still used by the Identity Server because of ApiScope for which token is issued for. Right? But now it's up to me to keep in sync ApiScopeClaim and IdentityUserClaim which are from different db contexts.

最后一个问题是关于与IdentityUserClaims不同的IdentityRoles和IdentityRoleClaims.背后的想法是什么?在我看来，角色是针对特定业务角色的声明分组，以便于管理，因此角色不应定义新声明，而应定义IdentityUserClaims的引用集.另外，我创建了分配给用户的角色，分配给范围和结果的对应声明类型是-分配给角色和用户具有此角色的声明不包含在JWT中.为什么?

Last Question is regarding IdentityRoles and IdentityRoleClaims which are not the same as IdentityUserClaims. What's the idea behind? In my idea, role is grouping of claims for specific business role for easier management, therefore role should not define new claims but reference set of IdentityUserClaims. Additionaly, I created role, assigned to user, corresponding claim types assigned to scope and result is that - claims which are assigned to role and user has this role are not included in JWT. Why?

谢谢您的回答.

推荐答案

IdentityResource是声明的类别或分组.每个IdentityResource可以具有许多IdentityClaims，这些引用实际上是对AspNetUserClaims中所拥有的权利要求的引用.内置的IdentityResources是openid和个人资料.

IdentityResource is a category or grouping of claims. Each IdentityResource can have many IdentityClaims which are references to actual the claims held in AspNetUserClaims. The built in IdentityResources are openid and profile.

ApiScopeClaims是Api资源(与上述身份资源相对)的层次结构的一部分.

ApiScopeClaims are part of the hierarchy of Api Resources (as opposed to the identity resources mentioned above.)

ApiResource --has many--> ApiScopes --has many--> ApiScopeClaims.

当用户向ApiScopeClaim请求时，将声明类型添加到ApiScopeClaim会将AspNetUserClaim(如果存在)附加到access_token.

Adding a claim type to an ApiScopeClaim will attach an AspNetUserClaim (if one exists) to the access_token when when the User makes a request to that ApiScope.

IdentityRoleClaim(即AspNetRoleClaim)只是有关特定角色的一些信息；它与用户无关，而与角色本身有关.

An IdentityRoleClaim (i.e. AspNetRoleClaim) is just a bit a information you can tack on regarding a particular role; it does not related to a User, but just to the role itself.

听起来像您想要为索赔的逻辑分组创建IdentityResource，然后在IdentityClaims中定义那些索赔类型.但是，您将需要一种方法来首先找出用户的角色，以便在scope参数中请求相应的IdentityResource.或实现IdentityServer接口之一(如IProfileService)以在IdentityServer实例上进行此类工作.

Sound like you want to create an IdentityResource for your logical grouping of claims, and then define those claim types in IdentityClaims. But you would need a way to first find out the user's role in order to request the appropriate IdentityResource in scope parameter. Or implement one of the IdentityServer interfaces like IProfileService to do this kind of work on the IdentityServer instance.

这篇关于ASP.NET Core身份和身份服务器4-[角色，声明和IdentityResources]的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！