使用IdentityServer 4时如何在Api Project中添加其他声明 [英] How to add additional claims in Api Project when using IdentityServer 4
问题描述
对不起,我的英语.
我有三个项目:IdentityServer,Ensino.Mvc,Ensino.Api. IdentityServer项目提供了IdentityServer4库中的主要身份信息和声明-声明配置文件,声明地址,声明Sid ...等. Ensino.Mvc项目以令牌形式获取此信息,并将其发送到API,以便MVC被授予对资源的访问权限.令牌包含IdentityServer提供的所有声明.但是在API中,我需要生成其他特定于API的声明,例如:声明EnrollmentId,它对应于令牌中的声明Sid.我也想在HttpContext中添加此声明以供将来使用.有人可以告诉我如何实现吗?
I have three projects: IdentityServer, Ensino.Mvc, Ensino.Api. The IdentityServer Project provides the main identity information and claims - claim Profile, claim Address, claim Sid... etc, from the IdentityServer4 library. The Ensino.Mvc Project gets this information in a token and sends it to the API, so that the MVC is grranted access to the resources. The token contains all the claims provided by IdentityServer. But in the API, I need to generate other claims that are API specific, like: claim EnrollmentId that corresponds to claim Sid from the token. And also I want to add this claim in HttpContext for future purposes. Can somebody tell me how to achieve this?
我在Startup.ConfigureServices中有以下代码:
I have this code in Startup.ConfigureServices:
// Add identity services
services.AddAuthentication("Bearer")
.AddIdentityServerAuthentication(options =>
{
options.Authority = "http://localhost:5100";
options.RequireHttpsMetadata = false;
options.ApiName = "beehouse.scope.ensino-api";
});
// Add mvc services
services.AddMvc();
在没有API的其他项目中,只有mvc,我继承了UserClaimsPrincipalFactory并覆盖了CreateAsync来添加其他声明.我喜欢在API项目中做类似的事情.有可能吗?
In other Project, without API, just mvc, I have inherited UserClaimsPrincipalFactory and overridden CreateAsync to add additional claims. I like to do something like this but in the API project. Is it possible?
执行此操作的最佳方法是什么?
What the best approach to do this?
经过研究,我想做的是:通过IdentityServer进行身份验证,并根据声明和特定的api数据库数据在api中设置授权.
After some research, what I want to do is: Authentication by IdentityServer and set authorization in api, based on claims and specific api database data.
推荐答案
在您的API项目中,您可以将自己的事件处理程序添加到options.JwtBearerEvents.OnTokenValidated.这是设置ClaimsPrincipal的地方,您可以向身份添加声明或向委托人添加新身份.
In your API project you can add your own event handler to options.JwtBearerEvents.OnTokenValidated. This is the point where the ClaimsPrincipal has been set and you can add claims to the identity or add a new identity to the principal.
services.AddAuthentication("Bearer")
.AddIdentityServerAuthentication(options =>
{
options.Authority = "http://localhost:5100";
options.RequireHttpsMetadata = false;
options.ApiName = "beehouse.scope.ensino-api";
options.JwtBearerEvents.OnTokenValidated = async (context) =>
{
var identity = context.Principal.Identity as ClaimsIdentity;
// load user specific data from database
...
// add claims to the identity
identity.AddClaim(new Claim("Type", "Value"));
};
});
请注意,此操作将在对API的每个请求上运行,因此,如果您要从数据库加载信息,则最好缓存声明.
Note that this will run on every request to the API so it's best to cache the claims if you're loading info from database.
此外,Identity Server仅应负责标识用户,而不是标识用户的身份.它们的作用是特定于应用程序的(角色,权限等),因此您正确地认识到这一点并避免了与Identity Server的逻辑交叉.
Also, Identity Server should only be responsible for identifying users, not what they do. What they do is application specific (roles, permissions etc.) so you're correct in recognising this and avoiding the logic crossover with Identity Server.
这篇关于使用IdentityServer 4时如何在Api Project中添加其他声明的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
