How to add additional claims for MVC client with IdentityServer4

Question
I'm using the IdentityServer4 "AspNetCoreAndApis" sample application found here

It has a token server and an MVC client application.

The identity server project has an external OIDC authentication provider set up using their demo server - https://demo.identityserver.io/
After hitting a protected endpoint in MvcClient, being redirected to the local identity server, choosing and authenticating with the demo server, it reaches the ExternalController callback of the local identity server. At this point I would like to issue additional claims to the user, and have them be available in MvcClient.

There's code in the callback to add additionalLocalClaims and issue a cookie. I tried adding another claim:
```csharp
// Inside the ExternalController callback of the identity server project
var additionalLocalClaims = new List<Claim>();
additionalLocalClaims.Add(new Claim("TestKey", "TestValue"));
await HttpContext.SignInAsync(user.SubjectId, user.Username, provider, localSignInProps, additionalLocalClaims.ToArray());
```
But by the time the user arrives in the HomeController of MvcClient this claim is not there.

I think I don't properly understand which authentication scheme is being used where, and the function of the relevant cookies.

In response to the first comment below, I tried attaching a claim to a requested scope, but still no luck - this is the in-memory resource store:
```csharp
public static IEnumerable<ApiResource> Apis
{
    get
    {
        var apiResource = new ApiResource("api1", "My API");
        // Declare TestKey as a user claim associated with the api1 scope
        apiResource.UserClaims.Add("TestKey");
        var resources = new List<ApiResource>
        {
            apiResource
        };
        return resources;
    }
}
```
The MvcClient is both allowed the api1 scope, and requests it.

Answer
Your client MVC could get the user's custom claims from the ID token or the UserInfo endpoint.

To add claims to the ID token, you can set the client's config: AlwaysIncludeUserClaimsInIdToken. But including all user claims in the ID token is not recommended, because of the size of the ID token.

A better solution is making your client app get the user's claims from the UserInfo endpoint:
```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Services;

public class MyProfileService : IProfileService
{
    public MyProfileService()
    { }

    // Called whenever IdentityServer builds claims for an ID token, access token or UserInfo response
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var claims = new List<Claim>()
        {
            new Claim("TestKey", "TestValue")
        };
        context.IssuedClaims.AddRange(claims);
        return Task.CompletedTask;
    }

    // Called to check whether the user is still allowed to receive tokens
    public Task IsActiveAsync(IsActiveContext context)
    {
        context.IsActive = true;
        return Task.CompletedTask;
    }
}
```
Register it in DI:

```csharp
services.AddTransient<IProfileService, MyProfileService>();
```
The IProfileService service could be used to add claims to the ID token, access token and UserInfo endpoint. By default the custom claims won't be involved in the ID token event using IProfileService, for the reason explained above: the ID token size. So you can make your client app get claims from the UserInfo endpoint with the OIDC middleware config:
```csharp
// Inside the AddOpenIdConnect(...) options callback of the MVC client
options.Scope.Add("profile");
options.GetClaimsFromUserInfoEndpoint = true;
options.ClaimActions.MapJsonKey("TestKey", "TestKey");
```
The above code will add the OIDC profile permission to get claims from the endpoint, send a request to the connect/userinfo endpoint with the ID token, get the claims and map the claim whose name is TestKey to your client's claims principal and save it to the cookie. Now you can get the claims with User.Claims in MVC.
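As an added example that is not part of the question or the answer above, the block below wires the whole path end to end: a custom identity scope that declares TestKey, a profile service that issues only the claim types the requested scopes declare (IdentityServer's AddRequestedClaims filter, rather than pushing every claim into IssuedClaims), and the MVC client's OpenID Connect configuration that fetches and maps the claim from the UserInfo endpoint. The authority URL, client id, secret, subject id and user store are constructed placeholders, not values from the sample project; it assumes IdentityServer4 4.x and Microsoft.AspNetCore.Authentication.OpenIdConnect.

```csharp
// Added example, not code from the question, the answer or the IdentityServer4 sample.
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.Extensions.DependencyInjection;

// ---- identity server side ----
public static class IdentityConfig
{
    // A custom identity scope that declares "TestKey" as a user claim. Only claim types
    // declared on a requested scope end up in ProfileDataRequestContext.RequestedClaimTypes,
    // so without this the profile service below would never issue TestKey.
    public static IEnumerable<IdentityResource> IdentityResources =>
        new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
            new IdentityResource("custom", "Custom claims", new[] { "TestKey" })
        };
}

public class RequestedClaimsProfileService : IProfileService
{
    // Constructed stand-in for a real user store: subject id -> claims (placeholder data).
    private static readonly Dictionary<string, List<Claim>> UserClaims =
        new Dictionary<string, List<Claim>>
        {
            ["818727"] = new List<Claim>
            {
                new Claim("TestKey", "TestValue"),
                new Claim("Department", "Security") // declared by no scope, so never issued
            }
        };

    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var sub = context.Subject.GetSubjectId();
        if (UserClaims.TryGetValue(sub, out var claims))
        {
            // Issue only the claim types the requested scopes declare. This runs for
            // ID token, access token and UserInfo requests alike; context.Caller
            // tells you which one is asking.
            context.AddRequestedClaims(claims);
        }
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        // Unknown subjects are treated as inactive and get no tokens.
        context.IsActive = UserClaims.ContainsKey(context.Subject.GetSubjectId());
        return Task.CompletedTask;
    }
}

// ---- MVC client side (called from Startup.ConfigureServices) ----
public static class ClientAuthSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = "Cookies";
            options.DefaultChallengeScheme = "oidc";
        })
        .AddCookie("Cookies")
        .AddOpenIdConnect("oidc", options =>
        {
            options.Authority = "https://localhost:5001"; // assumed local identity server URL
            options.ClientId = "mvc";                      // assumed client id
            options.ClientSecret = "secret";               // placeholder, never ship this
            options.ResponseType = "code";
            options.SaveTokens = true;

            options.Scope.Add("openid");
            options.Scope.Add("profile");
            options.Scope.Add("custom"); // the scope that declares TestKey

            // Pull claims from connect/userinfo instead of growing the ID token, then map
            // the JSON key onto the cookie principal. The OIDC handler maps only a fixed set
            // of standard claims unless a ClaimAction says otherwise.
            options.GetClaimsFromUserInfoEndpoint = true;
            options.ClaimActions.MapJsonKey("TestKey", "TestKey");
        });
    }
}
```

On the identity server, register the pieces with `AddIdentityServer().AddInMemoryIdentityResources(IdentityConfig.IdentityResources).AddProfileService<RequestedClaimsProfileService>()`, and add the "custom" scope to the MVC client's AllowedScopes. Filtering through AddRequestedClaims is the detail worth keeping: it means a client only ever receives the claims it was authorized to ask for, so a claim like Department above stays out of every token and UserInfo response even though the user has it.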