配置Identity Server以使用ASP.NET身份角色 [英] Configuring Identity Server to use ASP.NET Identity roles
问题描述
我正在尝试了解有关Identity Server的更多信息.我目前正在努力使基于角色的授权工作.这是我遵循的步骤:
I am trying to learn more about Identity Server. I am currently struggling to get Role Based Authorisation working. Here are the steps I have followed:
1)下载示例解决方案: https://github. com/IdentityServer/IdentityServer4.Samples/tree/release/Quickstarts/6_AspNetIdentity
1) Download the sample solution: https://github.com/IdentityServer/IdentityServer4.Samples/tree/release/Quickstarts/6_AspNetIdentity
2)运行解决方案,该解决方案开始于:
2) Run the solution, which starts:
a)Identity Server项目
a) Identity Server project
b)MVC项目
c)API项目
3)浏览到MVC项目并应用迁移. 4)注册一个新用户:Bert@Bert.com 5)浏览到:MVC项目中的CallApiUsingUserAccessToken.由于用户已获得授权,因此可以达到预期的API.
3) Browse to the MVC project and apply migrations. 4) Register a new user: Bert@Bert.com 5) Browse to: CallApiUsingUserAccessToken in the MVC project. The API is reached as expected because the user is authorised.
说我现在想从此更改IdentityContoller:
Say I now wanted to change IdentityContoller from this:
[Authorize]
public class IdentityController : ControllerBase
对此:
[Authorize(Roles="Admin")]
public class IdentityController : ControllerBase
and Home Controller (https://github.com/IdentityServer/IdentityServer4.Samples/blob/release/Quickstarts/6_AspNetIdentity/src/MvcClient/Controllers/HomeController.cs) from this:
public async Task<IActionResult> CallApiUsingUserAccessToken()
对此:
[Authorize(Roles="Admin")]
public async Task<IActionResult> CallApiUsingUserAccessToken()
我必须对配置进行哪些更改?
What changes would I have to make to the configuration?
今天下午我尝试了一些建议.例如,在启动MVCClient时,我尝试添加:
I have tried a few suggestions this afternoon. For example, in the startup of the MVCClient I tried adding:
options.ClaimActions.MapJsonKey("role", "role", "role");
options.TokenValidationParameters.NameClaimType = "name";
options.TokenValidationParameters.RoleClaimType = "role";
请假定我已将角色正确添加到身份数据库(并将角色与用户相关联).
Please assume that I have correctly added the roles to the identity database (and associated the roles with the users).
推荐答案
您正在寻找的是AddProfileService()
方法,您可以在其中添加IProfileService接口的自定义实现,在其中可以自定义声明以添加到访问中令牌.
What you are looking for is the AddProfileService()
method where you can add your custom implementation of the IProfileService interface where you can customize the claims to add to the access token.
这是一个使用Identity的示例,该示例将角色声明添加到令牌中
Here's an example using Identity which adds the role claim to the token
public class ProfileService : IProfileService
{
protected UserManager<ApplicationUser> _userManager;
public ProfileService(UserManager<ApplicationUser> userManager)
{
_userManager = userManager;
}
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var user = await _userManager.GetUserAsync(context.Subject);
var roles = await _userManager.GetRolesAsync(user);
var claims = new List<Claim>
{
new Claim(JwtClaimTypes.Role, roles.Any() ? roles.First() : "Standard")
};
context.IssuedClaims.AddRange(claims);
}
public async Task IsActiveAsync(IsActiveContext context)
{
var user = await _userManager.GetUserAsync(context.Subject);
context.IsActive = (user != null) && user.LockoutEnabled;
}
}
然后在启动中,告诉idp使用您的课程
Then in the startup, tell idp to use your class
var builder = services.AddIdentityServer(options =>
{
options.Events.RaiseErrorEvents = true;
options.Events.RaiseInformationEvents = true;
options.Events.RaiseFailureEvents = true;
options.Events.RaiseSuccessEvents = true;
})
.AddInMemoryIdentityResources(Config.GetIdentityResources())
.AddInMemoryApiResources(Config.GetApiResources())
.AddInMemoryClients(Config.GetClients())
.AddAspNetIdentity<ApplicationUser>()
.AddProfileService<ProfileService>();
这篇关于配置Identity Server以使用ASP.NET身份角色的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!