IdentityServer, Claims and Roles


Problem description

I'm playing with Identity Server v4 (but I think it is the same with v3) and .NET Core.

Right now I have a strange issue that I don't understand.

From my MVC application I use the [Authorize(Roles="Geek")] to protect my controllers/actions. Looking at the current User from the HttpContext, all the Roles are available as Claims and not as Roles (in fact User.IsInRole("Geek") returns false).

Moreover I can't use the Claims with the authorize attribute because all roles are stored in the claims collection with the same key ("role" of course).

Is there a way to automatically have all the claims with the key "role" also as roles for the current principal?

I tried to play with "on token validate event" but without success.

I'm trying the sample repo, so my code is pretty much the same as this: https://github.com/IdentityServer/IdentityServer4.Samples/tree/dev/MVC%20and%20API

Any hints?

Recommended answer

Do the role claims have a "Type" property value of "role" or is it a URI like "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"? If it is "role" rather than a URI you may be setting your InboundClaimTypeMap to an empty dictionary as described in the documentation (see Claims Transformation section here). If you have the following line in your startup code try removing it:

JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

The default InboundClaimTypeMap will map some JWT claims into System.Security.Claims.ClaimTypes which use a full URI. One of those mapped is role.

A ClaimsIdentity's IsInRole method will use a property called RoleClaimType to determine the string value to match against a claim's Type property to find the list of available roles. Your required role text is then matched against the values in the resulting list of matching claims. A default ClaimsIdentity will use System.Security.Claims.ClaimTypes.Role to look for role claims in the identity.

If you want your app to continue to use JWT claim type syntax you will need to create a new ClaimsIdentity in a SecurityTokenValidated Notification event. The ClaimsIdentity constructor allows you to specify the text to use when matching claim roles. In this case the text would be just "role".
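
The RoleClaimType behaviour described in the answer, as an added example that is not part of the original question or answer and is not IdentityServer sample code. It uses only System.Security.Claims; the sample claims are constructed, the "Cookies" authentication type and the "name" name-claim type are assumptions, and the class and method names are hypothetical. The helper is what would be called from the token-validated event the answer mentions; that wiring is not shown.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class RoleClaimTypeDemo
{
    // Rebuild the identity so that IsInRole matches claims whose Type is the
    // short JWT name "role" rather than the ClaimTypes.Role URI.
    // (Hypothetical helper name; "name" as the name claim type is an assumption.)
    public static ClaimsPrincipal WithJwtRoleClaimType(ClaimsPrincipal principal)
    {
        ClaimsIdentity source = principal.Identities.First();
        var identity = new ClaimsIdentity(
            source.Claims,              // keep every claim unchanged
            source.AuthenticationType,  // keep the identity authenticated
            "name",                     // nameType
            "role");                    // roleType, used by IsInRole
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        // Constructed sample: claims as they arrive when the inbound claim
        // type map has been cleared, so the short JWT names are preserved.
        var claims = new List<Claim>
        {
            new Claim("sub", "1"),
            new Claim("name", "alice"),
            new Claim("role", "Geek"),
            new Claim("role", "Admin"),
        };

        // Default identity: RoleClaimType is ClaimTypes.Role (the full URI),
        // so the "role" claims are present but are not treated as roles.
        var asReceived = new ClaimsPrincipal(new ClaimsIdentity(claims, "Cookies"));
        Console.WriteLine("RoleClaimType: " + asReceived.Identities.First().RoleClaimType);
        Console.WriteLine("IsInRole(Geek) before: " + asReceived.IsInRole("Geek"));

        // Rebuilt identity: same claims, role lookups now use Type == "role",
        // which is also what [Authorize(Roles = "Geek")] evaluates.
        var rebuilt = WithJwtRoleClaimType(asReceived);
        Console.WriteLine("RoleClaimType: " + rebuilt.Identities.First().RoleClaimType);
        Console.WriteLine("IsInRole(Geek) after: " + rebuilt.IsInRole("Geek"));
        Console.WriteLine("IsInRole(Guest) after: " + rebuilt.IsInRole("Guest"));
    }
}
```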
