How to add additional claims for MVC client with IdentityServer4


Question

I'm using the IdentityServer4 "AspNetCoreAndApis" sample application found here

It has a token server and an MVC client application.

The identity server project has an external OIDC authentication provider set up using their demo server - https://demo.identityserver.io/

After hitting a protected endpoint in MvcClient, being redirected to the local identity server, choosing and authenticating with the demo server, it reaches the ExternalController callback of the local identity server. At this point I would like to issue additional claims to the user, and have them be available in MvcClient.

There's code in the callback to add additionalLocalClaims and issue a cookie. I tried adding another claim:

var additionalLocalClaims = new List<Claim>();
additionalLocalClaims.Add(new Claim("TestKey", "TestValue"));
await HttpContext.SignInAsync(user.SubjectId, user.Username, provider, localSignInProps, additionalLocalClaims.ToArray());

But by the time the user arrives in the HomeController of MvcClient this claim is not there.

I think I don't properly understand which authentication scheme is being used where, and the function of the relevant cookies.

In response to the first comment below, I tried attaching a claim to a requested scope, but still no luck. This is the in-memory resource store:

public static IEnumerable<ApiResource> Apis
{
    get
    {
        var apiResource = new ApiResource("api1", "My API");
        apiResource.UserClaims.Add("TestKey");
        var resources = new List<ApiResource>
        {
            apiResource
        };
        return resources;
    }
}

The MvcClient is both allowed the api1 scope, and requests it.

Answer

Your MVC client could get the user's custom claims from the ID token or from the UserInfo endpoint.

To add claims to the ID token, you can set the client's config: AlwaysIncludeUserClaimsInIdToken. But including all user claims in the ID token is not recommended, because of concerns about the size of the ID token.

A better solution is to make your client app get the user's claims from the UserInfo endpoint:

using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Services;

public class MyProfileService : IProfileService
{
    public MyProfileService()
    { }

    // Called whenever IdentityServer needs user claims: for the ID token,
    // the access token, and the UserInfo endpoint.
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var claims = new List<Claim>()
        {
            new Claim("TestKey", "TestValue")
        };
        context.IssuedClaims.AddRange(claims);
        return Task.CompletedTask;
    }

    // Report the user as active so tokens continue to be issued for them.
    public Task IsActiveAsync(IsActiveContext context)
    {
        context.IsActive = true;
        return Task.CompletedTask;
    }
}

Register it in DI:

services.AddTransient<IProfileService, MyProfileService>();

The IProfileService service can be used to add claims to the ID token, the access token and the UserInfo endpoint. By default, custom claims added through IProfileService are not included in the ID token, for the reason explained above: the ID token size. So you can make your client app get the claims from the UserInfo endpoint with the OIDC middleware config:

options.Scope.Add("profile");
options.GetClaimsFromUserInfoEndpoint = true;
options.ClaimActions.MapJsonKey("TestKey", "TestKey");

The above code will add the OIDC profile scope to get claims from the endpoint, send a request to the connect/userinfo endpoint with the ID token, get the claims, map the claim whose name is TestKey into your client's claims principal and save it to the cookie. Now you can get the claims with User.Claims in MVC.
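The following is an added example, not code from the question, the answer, or the IdentityServer4 sample project. It ties the two halves of the answer together and goes one step further than the profile service above: the custom claim is bound to an identity resource so that it is only requested (and only issued) when a client is allowed and asks for that scope, and the profile service filters against context.RequestedClaimTypes instead of issuing the claim to every caller. The identity resource name "custom_profile", the client id "mvc", the subject id, the secret and the localhost URLs are illustrative placeholders, and the claims dictionary stands in for whatever store the real application uses.

```csharp
// Added example; not part of the original question or answer.
// Assumed names: "custom_profile" (identity resource), "mvc" (client id),
// "alice-subject-id" (a subject), placeholder secret and localhost URLs.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

// ---- Identity server side ------------------------------------------------

public static class Resources
{
    // Bind the custom claim to an identity resource. The UserInfo endpoint derives
    // RequestedClaimTypes from the identity scopes the client was granted, so
    // "TestKey" is only requested when "custom_profile" was granted.
    public static IEnumerable<IdentityResource> Identity => new List<IdentityResource>
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
        new IdentityResource("custom_profile", "Custom profile claims", new[] { "TestKey" }),
    };

    public static IEnumerable<Client> Clients => new List<Client>
    {
        new Client
        {
            ClientId = "mvc",
            ClientSecrets = { new Secret("placeholder-secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.Code,
            RedirectUris = { "https://localhost:5002/signin-oidc" },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "custom_profile",
            },
            // Keep the default: custom claims travel via UserInfo, not the ID token.
            AlwaysIncludeUserClaimsInIdToken = false,
        },
    };
}

public class RequestedClaimsProfileService : IProfileService
{
    // Constructed stand-in for a real lookup (database, claims captured at external sign-in).
    private static readonly Dictionary<string, List<Claim>> ClaimsBySubject =
        new Dictionary<string, List<Claim>>
        {
            ["alice-subject-id"] = new List<Claim> { new Claim("TestKey", "TestValue") },
        };

    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var subject = context.Subject.FindFirst("sub")?.Value;
        if (subject != null && ClaimsBySubject.TryGetValue(subject, out var userClaims))
        {
            // Issue only claim types the caller actually requested, so a client that
            // was not granted "custom_profile" never receives "TestKey".
            var requested = new HashSet<string>(context.RequestedClaimTypes);
            context.IssuedClaims.AddRange(userClaims.Where(c => requested.Contains(c.Type)));
        }
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        context.IsActive = true;
        return Task.CompletedTask;
    }
}
// Identity server Startup.ConfigureServices (sketch):
//   services.AddIdentityServer()
//           .AddInMemoryIdentityResources(Resources.Identity)
//           .AddInMemoryClients(Resources.Clients)
//           .AddDeveloperSigningCredential();
//   services.AddTransient<IProfileService, RequestedClaimsProfileService>();

// ---- MVC client side -----------------------------------------------------

public static class ClientAuth
{
    // Pass to services.AddAuthentication(...).AddOpenIdConnect("oidc", ClientAuth.Configure).
    public static void Configure(OpenIdConnectOptions options)
    {
        options.Authority = "https://localhost:5001";
        options.ClientId = "mvc";
        options.ClientSecret = "placeholder-secret";
        options.ResponseType = "code";
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("custom_profile");          // the scope that carries "TestKey"
        options.GetClaimsFromUserInfoEndpoint = true;  // fetch claims from connect/userinfo
        options.ClaimActions.MapJsonKey("TestKey", "TestKey"); // copy into User.Claims
        options.SaveTokens = true;
    }
}
```

Scoping the claim to its own identity resource is the check a reviewer would look for: without it, a profile service that adds to IssuedClaims unconditionally hands the claim to every client and every token type that consults it, whereas filtering on RequestedClaimTypes keeps the claim to clients that were granted the scope and keeps tokens small.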
