IdentityServer4如何访问用户电子邮件 [英] IdentityServer4 How to access user email
问题描述
我已经继承了一个现有项目,并且刚开始使用IdentityServer4,所以请多多包涵.
我正在通过GET请求获得令牌,如下所示:
然后,我们尝试使用响应提供的access_token来获取成员信息,并将其用作承载令牌.似乎可行,但是这是我坚持的部分:
在API内,以下代码返回代表登录用户的GUID,而不是电子邮件.
Claim cl = this.User.Claims.FirstOrDefault(x => x.Type == "sub");
我需要更改些什么才能允许子程序提供已登录用户的电子邮件?
我已经尝试将电子邮件或个人资料添加到上面的作用域中,该作用域仅在我的声明列表中产生名称为"scope"和值为"email"的条目.
编辑
似乎以某种方式生成令牌时需要更新范围.我在网上看到的所有示例都在内存设置中使用,这是从数据库中获取设置的地方.当我在te API上调用userinfo端点时,我也只能访问"sub",例如
{
"sub": "xx"
}
在IdentityServer方面,在Config类中,当您定义允许的作用域时,请确保它包含如下电子邮件:
...
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email
}
...
然后,在客户端的启动类上,您还希望将电子邮件也包括在范围内(在您的app.UseOpenIdConnectAuthentication方法中).
...
Scope = "openid profile email",
...
此时,当您在User.Identity.Claims中的客户端上逐步执行代码时,应该可以访问该电子邮件.
现在,如果要更进一步,并且在客户端应用程序(而不是Guid子目录)中将电子邮件用作"UserID",则可以将以下内容添加到应用程序.客户:
TokenValidationParameters = {
NameClaimType = "email"
}
I've inherited an existing project and I'm new to using IdentityServer4 so bear with me.
I'm getting a token with a GET request as follows:
Then we've tried retrieving the member information with the access_token provided by the response using it as a bearer token. Which seems to work, however here is the part I'm stuck on:
Inside the API the following code returns a GUID representing the logged in user instead of an email.
Claim cl = this.User.Claims.FirstOrDefault(x => x.Type == "sub");
What do I need to change to allow the sub to provide the email of the logged in user?
I've tried adding email or profile as you can see above to the scope that just yields entries in my list of claims with the name "scope" and value "email".
EDIT
It seems like I need to update the scope when generating the token somehow. All the examples I see online use in memory settings where as I get settings from the database. When I call the userinfo endpoint on te API I am also only able to access the "sub" e.g.
{
"sub": "xx"
}
On the IdentityServer side, in your Config class, when you are defining the allowed scopes, make sure it includes email like this:
...
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email
}
...
Then on your client's side, on the startup class, you want to include the email in the scope as well (in your app.UseOpenIdConnectAuthentication method).
...
Scope = "openid profile email",
...
At that point, the email should be accessible when you step through your code on the client side in User.Identity.Claims.
Now, if you want to go one step further, and use the email as the "UserID" when in your client application (instead of the Guid sub), then you can add the following to the app.UseOpenIdConnectAuthentication method on the client:
TokenValidationParameters = {
NameClaimType = "email"
}
这篇关于IdentityServer4如何访问用户电子邮件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
