Using Client Credentials flow on IdentityServer4 and a custom AuthorizationHandler: User.Identity.IsAuthenticated = false

Question

Hi, I am using IdentityServer4 and I created a client which is protected using client_credentials.

I am able to retrieve a token using the client id and secret, and according to jwt.io the expiry of the access token is 3600 seconds (1 hour).

On the .NET Core 2.2 API I have a custom AuthorizationHandler:

using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
public class ClientCredentialHandler : AuthorizationHandler<ClientCredentialRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, ClientCredentialRequirement requirement)
    {
        if (requirement.AllowedClients != null && requirement.AllowedClients.Any()) {
            if (context.User.Identity.IsAuthenticated) { // this is false
                context.Succeed(requirement);
                return Task.CompletedTask;
            }
        }
        // the posted snippet ends here; the requirement fails closed because Succeed is never called
        return Task.CompletedTask;
    }
}

Should this return false when using client credentials? I was expecting it to be true since the token is valid.

Answer

So I figured it out.

Turns out that the fact that the app is a fully functioning "idserver" plus "MVC web site", already configured with cookie authentication, was causing my issues.

The requests to the API had no claims because the Bearer authentication scheme wasn't being used to handle the request.

I had to add this to the API controller for it to work as expected.

// authenticate this controller with the JWT bearer scheme instead of the default cookie scheme
[Authorize(AuthenticationSchemes = "Bearer")]
public class MixedController : Controller

Details here.

Now, even when using client credentials, the User.Identity claims are populated with the claims and scopes from the token, and the User is shown as Authenticated = true.
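The following is an added example, not code from the question or the answer above. It puts the answer's fix together with the handler from the question in one ASP.NET Core 2.2 configuration: the cookie scheme stays the default for the co-hosted MVC site, API controllers opt into the "Bearer" JWT scheme explicitly, and the AuthorizationHandler checks the token's client_id claim against the requirement's allowed clients rather than only IsAuthenticated. The authority URL, the audience "api1", the allowed client id "m2m-client", the policy name "TrustedClients" and the member names of ClientCredentialRequirement and ClientCredentialHandler are assumptions for illustration.

```csharp
// Added example, not from the original post. Assumptions (not from the post):
// the authority URL, audience "api1", client id "m2m-client", policy name
// "TrustedClients", and the ClientCredentialRequirement/Handler member names.
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class ClientCredentialRequirement : IAuthorizationRequirement
{
    public IReadOnlyCollection<string> AllowedClients { get; }

    public ClientCredentialRequirement(params string[] allowedClients)
    {
        AllowedClients = allowedClients;
    }
}

public class ClientCredentialHandler : AuthorizationHandler<ClientCredentialRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, ClientCredentialRequirement requirement)
    {
        // Only when the Bearer scheme authenticated the request does context.User
        // carry the token's claims. Under the cookie scheme an API call that sends
        // only an Authorization header is anonymous, so IsAuthenticated is false.
        if (context.User.Identity?.IsAuthenticated != true)
        {
            return Task.CompletedTask;
        }

        // IdentityServer4 puts the requesting client's id in the client_id claim of
        // client-credentials tokens; succeed only for an explicitly allowed client.
        var clientId = context.User.FindFirst("client_id")?.Value;
        if (clientId != null && requirement.AllowedClients.Contains(clientId))
        {
            context.Succeed(requirement);
        }

        return Task.CompletedTask;
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // Cookies remain the default scheme so the MVC pages keep working...
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie()
            // ...and a JWT scheme named "Bearer" validates tokens issued by IdentityServer4.
            .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
            {
                options.Authority = "https://localhost:5001"; // assumption: co-hosted IdentityServer4
                options.Audience = "api1";                     // assumption: the API resource name
            });

        services.AddAuthorization(options =>
        {
            options.AddPolicy("TrustedClients", policy =>
                policy.AddRequirements(new ClientCredentialRequirement("m2m-client")));
        });
        services.AddSingleton<IAuthorizationHandler, ClientCredentialHandler>();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvc();
    }
}

// Without AuthenticationSchemes the controller is evaluated against the default
// (cookie) scheme and a client-credentials caller shows up as unauthenticated.
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme, Policy = "TrustedClients")]
[Route("api/[controller]")]
public class MixedController : Controller
{
    [HttpGet]
    public IActionResult Get()
    {
        return Ok(new { client = User.FindFirst("client_id")?.Value });
    }
}
```

JwtBearerDefaults.AuthenticationScheme is the string "Bearer" used in the answer's attribute; naming the scheme explicitly on the controller is what routes the token through the JWT handler instead of the cookie handler. Checking client_id inside the handler matters because IsAuthenticated alone only proves that some valid token was presented, not that it belongs to a client this endpoint is meant to trust.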
