oidc-client-js无法从Identity Server 4中正确获取声明 [英] oidc-client-js is not getting claims correctly from Identity Server 4

问题描述

我有一个Identity Server 4的本地实例，我正在尝试遵循本指南以创建Javascript客户端.这使用了 oidc-client-js 库，而我使用的是登录弹出式方法，因此我的登录事件处理程序如下所示:

I have a local instance of Identity Server 4 and I'm trying to follow this guide to create a Javascript client. This uses the oidc-client-js library and I'm using the signin popup approach so my sign in event handler looks like this:

signin(e) {
    e.preventDefault();
    this.oidcUserMgr.signinPopup({state:'some data'}).then(function(user) {
        console.log("signed in", user.profile);
    }).catch(function(err) {
        console.log(err);
    });
} 

身份验证似乎可以正常工作-我已重定向到接受客户端请求，对我的登录进行身份验证并将我返回到客户端应用程序的Identity Server.但是，文档说上述代码中的user.profile对象应包含用户声明，但没有.这是我回到的use.profile

Authentication appears to work fine - I'm redirected to my Identity Server which accepts the client request, authenticates my sign in and returns me to the client app. However, the docs say that user.profile object in the above code should contain the user claims but it doesn't. This is the use.profile I get back:

sub属性是刚刚通过身份验证的用户的正确ID.但是我的Identity Server还针对客户端请求的其他范围(profile和email)发出了声明，因此我应该看到诸如name，preferred_username，email等声明.我可以观察到在IS4中调试IProfileService实现时发出的这些声明.此外，如果我使用与用户对象一起返回的access_token来向本地运行的另一个API(ASP.NET Web API)发出请求，我的确会在this.User.Claims中看到这些声明:

The sub property is the correct ID of the user just authenticated. But my Identity Server also issued claims in response to the other scopes my client requested (profile and email) so I should be seeing claims such as name, preferred_username, email etc). I can observe these claims being issued when debugging my IProfileService implementation in IS4. Furthermore, if I use the access_token returned with the user object to make a request to another API running locally (an ASP.NET Web API) I do see these claims in this.User.Claims:

那么如何在我的Javascript代码中掌握这些主张?

So how can I get hold of these claims in my Javascript code?

推荐答案

这些用户声明可能在ID令牌内.要使此工作正常进行，请检查IDP提供程序的客户端配置中是否包含AlwaysIncludeUserClaimsInIdToken = true，例如

Those user claims are likely coming inside the ID Token. To make this work, check if you've got AlwaysIncludeUserClaimsInIdToken = true in your IDP Provider's Client configuration, like

        public static IEnumerable<Client> GetClients()
    {
        return new List<Client>()
        {
            new Client()
            {
                ClientName = "IDP Client",
                ClientId = "client",
                ClientSecrets = { new Secret("secret".Sha256()) },
                AllowedGrantTypes =  GrantTypes.Hybrid,
                RedirectUris = new List<string>()
                {
                    "http://localhost:60811/signin-oidc"
                },
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "myapi"
                },
                AlwaysIncludeUserClaimsInIdToken = true,
                AllowOfflineAccess = true
            },

这篇关于oidc-client-js无法从Identity Server 4中正确获取声明的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！