How do I include claims into the Access Token retrieved from the Authorize endpoint?

Question

I want to include a claim by default in the access token retrieved when I authenticate via IdSrv. The Claim Ticket should always be included in the access token, as such I have created a new scope that is a resource scope and included Ticket as a ScopeClaim. However, as you can see from the IdSrv logs, when IdSrv is creating the access token and calls GetProfileDataAsync the list of requested claims in the context is empty, and so no claims are added to the access token.

How can I include this claim into the access token by default?

I was under the impression that requesting a Resource scope would allow the claims in the scope to be returned as part of the access token.

Scopes

        public static List<Scope> Get()
        {
            return new List<Scope>
            {
                StandardScopes.OpenId //standard scope when dealing with open id connect
                ,
                StandardScopes.OfflineAccess
                ,
                new Scope
                {
                    Name = "App",
                    DisplayName = "App",
                    Type = ScopeType.Identity,
                    Claims = new List<ScopeClaim>
                    {
                        new ScopeClaim
                        {
                            AlwaysIncludeInIdToken = false,
                            Name = "App",
                            Description = "Role Information"
                        },
//                        new ScopeClaim
//                        {
//                            AlwaysIncludeInIdToken = false,
//                            Name = "Ticket",
//                            Description = "Login ticket"
//                        }
                    },
                    IncludeAllClaimsForUser = false
                },
                new Scope
                {
                    Name = "AppAccess",
                    DisplayName = "AppAccess",
                    Type = ScopeType.Resource,
                    Claims = new List<ScopeClaim>
                    {
                        new ScopeClaim
                        {
                            Name = "Ticket",
                            Description = "Login ticket",
                        }
                    },
                    IncludeAllClaimsForUser = true
                }
            };
        }

Claims

    public static List<Client> Get()
    {
        return new List<Client>
        {
            new Client
            {
                ClientName = "Hybrid Flow",
                ClientId = "apphybrid",
                Enabled = true,
                Flow = Flows.Hybrid,
                AllowAccessToAllScopes = true,
                IdentityTokenLifetime = 120,
                AccessTokenLifetime = 400,
                RequireConsent = false,
                ClientSecrets = new List<Secret>
                {
                    new Secret("secret".Sha256())
                },
                RedirectUris = new List<string>
                {
                    "localhost/App/login/Login.mr"
                },
                PostLogoutRedirectUris = new List<string>
                {
                    "localhost/App/login/Login.mr"
                },
                AllowedScopes = new List<string>
                {
                    Constants.StandardScopes.OpenId,
                    Constants.StandardScopes.OfflineAccess,
                    "App",
                    "AppAccess"
                }
            }
        };
    }

IDSrv Config

        public override Task AuthenticateLocalAsync(LocalAuthenticationContext context)
        {
            var securityServiceProxy = new SecurityServiceProxy(new ServiceHeadersParameters { UserHostAddress = Ctx.Request.Host.Value });

            var ticket = securityServiceProxy.UseServiceClient(serviceClient => serviceClient.AuthenticateUser(context.UserName, context.Password, Configuration.ProviderCode));

            if (!ticket.IsValid())
            {
                context.AuthenticateResult = new AuthenticateResult("Invalid credentials");
                return Task.FromResult(0);
            }

            var claims = new List<Claim> {
                new Claim(GlobalConstant.TicketClaim, ticket.Ticket.ToString())
            };

            context.AuthenticateResult = new AuthenticateResult(
                ticket.UserObjId.ToString(),
                context.UserName,
                claims: claims,
                authenticationMethod: Constants.AuthenticationMethods.Password,
                identityProvider: Configuration.ProviderCode
                );

            return Task.FromResult(0);
        }

        public override Task GetProfileDataAsync(ProfileDataRequestContext context)
        {
            var applicationDto = GetApplicationDto(context);

            var claims = new List<Claim>
            {
                new Claim(Constants.ClaimTypes.Subject, context.Subject.GetSubjectId()),
            };

            Log.Debug("The requested claims...");
            if (context.RequestedClaimTypes == null)
            {
                Log.Debug("Requested Claims is null");
            }
            else
            {
                foreach (var x in context.RequestedClaimTypes)
                {
                    Log.Debug($"Claims {x}");
                }

                if (context.RequestedClaimTypes.Contains(GlobalConstant.TicketClaim))
                    claims.Add(context.Subject.Claims.Where(x => x.Type.Equals(GlobalConstant.TicketClaim)).FirstOrDefault());

                if (context.RequestedClaimTypes.Contains(GlobalConstant.ApplicationClaim))
                    claims.Add(new Claim(GlobalConstant.ApplicationClaim, applicationDto.Jsonify()));
            }

            // set the issued claims - these are the ones that were requested, if available
            context.IssuedClaims = claims;
            Log.Debug("Finished ProfileDataAsync");
            return Task.FromResult(0);
        }

        private ApplicationDto GetApplicationDto(ProfileDataRequestContext context)
        {
            var securityServiceProxy = new SecurityServiceProxy(new ServiceHeadersParameters { UserHostAddress = Ctx.Request.Host.Value });

            return securityServiceProxy.UseServiceClient(serviceClient => serviceClient.RetrieveAuthenticatedUser(GetUserTicketFromContext(context)));
        }

        private static UserTicketDto GetUserTicketFromContext(ProfileDataRequestContext context)
        {
            Log.Debug("The claims in the context...");
            foreach(var x in context.Subject.Claims)
            {
                Log.Debug($"Cliams {x.Type} {x.Value}");
            }

            var ticketString = context.Subject.Claims.Where(x => x.Type.Equals(GlobalConstant.TicketClaim)).FirstOrDefault()?.Value;
            var userIdString = context.Subject.GetSubjectId();

            Guid Ticket, UserId;

            if(Guid.TryParse(ticketString, out Ticket) && Guid.TryParse(userIdString, out UserId))
            {
                return new UserTicketDto { Ticket = Ticket, UserObjId = UserId };
            }

            return new UserTicketDto();
        }

Web config

    JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

    AntiForgeryConfig.UniqueClaimTypeIdentifier = IdentityModel.JwtClaimTypes.Name;

    app.Use(async (ctx, next) => { await next(); });

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = "cookies"
    });

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        ClientId = OAuthConstant.Client,
        RedirectUri = "localhost/App/login/Login.mr",
        PostLogoutRedirectUri = "localhost/App/login/Login.mr",
        Authority = "localhost/Oauth2server/securetoken",
        SignInAsAuthenticationType = "Cookies",
        ResponseType = "token code id_token",
        Scope = "OpenId App offline_access AppAccess",
        ClientSecret = "secret",
        UseTokenLifetime = false,
        Notifications = new OpenIdConnectAuthenticationNotifications()
        {
            AuthorizationCodeReceived = IdentityServerClient.HandleOther,
            SecurityTokenReceived = IdentityServerClient.HandleOther,
            MessageReceived = IdentityServerClient.HandleOther,
            AuthenticationFailed = IdentityServerClient.HandleOther,
            RedirectToIdentityProvider = IdentityServerClient.HandleRedirectToIdentityProvider,
            SecurityTokenValidated = IdentityServerClient.HandleSecurityTokenValidated
        }
    });

Logs

2016-06-15 12:04:51.943 -05:00 [Information] Login page submitted
2016-06-15 12:04:55.320 -05:00 [Information] Login credentials successfully validated by user service
2016-06-15 12:04:55.332 -05:00 [Information] Calling PostAuthenticateAsync on the user service
2016-06-15 12:04:55.338 -05:00 [Information] issuing primary signin cookie
2016-06-15 12:04:55.344 -05:00 [Information] redirecting to: http://localhost/OAuth2Server/securetoken/connect/authorize?client_id=apphybrid&redirect_uri=http:%2F%2Flocalhost%2Fapp%2FLogin%2FLogin.mr&response_mode=form_post&response_type=code id_token token&scope=App openid offline_access AppAccess&state=OpenIdConnect.AuthenticationProperties%3DebxFcJnjMiMq2m1gPqBsYlrBWdLct2kaJSYn-s0nxImnff-37i4t8Wa3wAJewJGFe9msgeeqJDKtR1gwwfA0e8Pdd6RNAi6YPo_CqT4l5zV8ifohYQVN9TrWfLXITXuKId9IW2cCeRQL6d8uWfkzSANqAGSbSGJYZ5pgOLULQresbAiJ7N77FgBmgrVtX4hDQuwGGL5vZFCb_C5tjl8_ezH12w8zQfifKuLwjaDmOSGYyo2AqpowQXXeSSSDgKBF&nonce=636016067018002117.MWY4MGVjOWItYTFjYS00MTVlLTg4MDYtMjYxYjkwMWEzNzU4ZWViNzEyNTQtMjE0Mi00MjYzLTk2ZjMtODdhYmIxYTM5Mjg5
2016-06-15 12:04:55.368 -05:00 [Debug] Incoming request: /securetoken/connect/authorize
2016-06-15 12:04:55.381 -05:00 [Information] Start authorize request
2016-06-15 12:04:55.381 -05:00 [Information] Start authorize request protocol validation
2016-06-15 12:04:55.381 -05:00 [Information] "Authorize request validation success"
 "{
  \"ClientId\": \"apphybrid\",
  \"ClientName\": \"app Hybrid Flow\",
  \"RedirectUri\": \"http://localhost/app/Login/Login.mr\",
  \"AllowedRedirectUris\": [
    \"http://localhost/app/Login/Login.mr\"
  ],
  \"SubjectId\": \"783bf872-b864-4042-853d-04fbcb7a505a\",
  \"ResponseType\": \"code id_token token\",
  \"ResponseMode\": \"form_post\",
  \"Flow\": \"Hybrid\",
  \"RequestedScopes\": \"app openid offline_access appAccess\",
  \"State\": \"OpenIdConnect.AuthenticationProperties=ebxFcJnjMiMq2m1gPqBsYlrBWdLct2kaJSYn-s0nxImnff-37i4t8Wa3wAJewJGFe9msgeeqJDKtR1gwwfA0e8Pdd6RNAi6YPo_CqT4l5zV8ifohYQVN9TrWfLXITXuKId9IW2cCeRQL6d8uWfkzSANqAGSbSGJYZ5pgOLULQresbAiJ7N77FgBmgrVtX4hDQuwGGL5vZFCb_C5tjl8_ezH12w8zQfifKuLwjaDmOSGYyo2AqpowQXXeSSSDgKBF\",
  \"Nonce\": \"636016067018002117.MWY4MGVjOWItYTFjYS00MTVlLTg4MDYtMjYxYjkwMWEzNzU4ZWViNzEyNTQtMjE0Mi00MjYzLTk2ZjMtODdhYmIxYTM5Mjg5\",
  \"SessionId\": \"e79cd97a339b4513b45038e7755c1b88\",
  \"Raw\": {
    \"client_id\": \"apphybrid\",
    \"redirect_uri\": \"http://localhost/app/Login/Login.mr\",
    \"response_mode\": \"form_post\",
    \"response_type\": \"code id_token token\",
    \"scope\": \"app openid offline_access appAccess\",
    \"state\": \"OpenIdConnect.AuthenticationProperties=ebxFcJnjMiMq2m1gPqBsYlrBWdLct2kaJSYn-s0nxImnff-37i4t8Wa3wAJewJGFe9msgeeqJDKtR1gwwfA0e8Pdd6RNAi6YPo_CqT4l5zV8ifohYQVN9TrWfLXITXuKId9IW2cCeRQL6d8uWfkzSANqAGSbSGJYZ5pgOLULQresbAiJ7N77FgBmgrVtX4hDQuwGGL5vZFCb_C5tjl8_ezH12w8zQfifKuLwjaDmOSGYyo2AqpowQXXeSSSDgKBF\",
    \"nonce\": \"636016067018002117.MWY4MGVjOWItYTFjYS00MTVlLTg4MDYtMjYxYjkwMWEzNzU4ZWViNzEyNTQtMjE0Mi00MjYzLTk2ZjMtODdhYmIxYTM5Mjg5\"
  }
}"
2016-06-15 12:04:55.399 -05:00 [Information] Creating Hybrid Flow response.
2016-06-15 12:04:55.412 -05:00 [Information] Creating Implicit Flow response.
2016-06-15 12:04:55.416 -05:00 [Debug] Creating access token
2016-06-15 12:04:55.424 -05:00 [Debug] Getting ProfileDataAsync
2016-06-15 12:04:55.436 -05:00 [Debug] The claims in the context...
2016-06-15 12:04:55.437 -05:00 [Debug] Cliams sub 783bf872-b864-4042-853d-04fbcb7a505a
2016-06-15 12:04:55.437 -05:00 [Debug] Cliams name dev.guser
2016-06-15 12:04:55.437 -05:00 [Debug] Cliams amr password
2016-06-15 12:04:55.437 -05:00 [Debug] Cliams idp IDSRV
2016-06-15 12:04:55.437 -05:00 [Debug] Cliams auth_time 1466010295
2016-06-15 12:04:55.437 -05:00 [Debug] Cliams ticket fc05cd84-7756-4ec5-ac3c-53ac6d4d5e2a
2016-06-15 12:04:55.975 -05:00 [Debug] The requseted claims...
2016-06-15 12:04:55.976 -05:00 [Debug] Requested Claims Is Null
2016-06-15 12:04:55.976 -05:00 [Debug] Finished ProfileDataAsync
2016-06-15 12:04:55.982 -05:00 [Debug] Creating JWT access token
2016-06-15 12:04:56.049 -05:00 [Debug] Creating identity token
2016-06-15 12:04:56.054 -05:00 [Information] Getting claims for identity token for subject: 783bf872-b864-4042-853d-04fbcb7a505a
2016-06-15 12:04:56.054 -05:00 [Debug] Getting ProfileDataAsync
2016-06-15 12:04:56.066 -05:00 [Debug] The claims in the context...
2016-06-15 12:04:56.066 -05:00 [Debug] Cliams sub 783bf872-b864-4042-853d-04fbcb7a505a
2016-06-15 12:04:56.066 -05:00 [Debug] Cliams name dev.guser
2016-06-15 12:04:56.066 -05:00 [Debug] Cliams amr password
2016-06-15 12:04:56.066 -05:00 [Debug] Cliams idp IDSRV
2016-06-15 12:04:56.066 -05:00 [Debug] Cliams auth_time 1466010295
2016-06-15 12:04:56.066 -05:00 [Debug] Cliams ticket fc05cd84-7756-4ec5-ac3c-53ac6d4d5e2a
2016-06-15 12:04:56.338 -05:00 [Debug] The requseted claims...
2016-06-15 12:04:56.338 -05:00 [Debug] Cliams sub
2016-06-15 12:04:56.338 -05:00 [Debug] Finished ProfileDataAsync
2016-06-15 12:04:56.338 -05:00 [Debug] Creating JWT identity token
2016-06-15 12:04:56.344 -05:00 [Debug] Adding client "apphybrid" to client list cookie for subject "783bf872-b864-4042-853d-04fbcb7a505a"
2016-06-15 12:04:56.349 -05:00 [Information] End authorize request
2016-06-15 12:04:56.352 -05:00 [Information] Posting to http://localhost/app/Login/Login.mr
2016-06-15 12:04:56.352 -05:00 [Debug] Using AssetManager to render authorization response HTML
2016-06-15 12:04:56.388 -05:00 [Debug] Incoming request: /securetoken/assets/app.FormPostResponse.js

//Web 
2016-06-15 12:04:56,422 [16] DEBUG app.Web.IdentityServer.IdentityServerClient Triggered MessageReceivedNotification`2 notification
2016-06-15 12:04:56,426 [16] DEBUG app.Web.IdentityServer.IdentityServerClient Triggered SecurityTokenReceivedNotification`2 notification
2016-06-15 12:04:56,487 [16] DEBUG app.Web.IdentityServer.IdentityServerClient Triggered SecurityTokenValidated notification
2016-06-15 12:04:56,487 [16] DEBUG app.Web.IdentityServer.IdentityServerClient The Claims in the identity
2016-06-15 12:04:56,488 [16] DEBUG app.Web.IdentityServer.IdentityServerClient Claims: iss http://localhost/OAuth2Server/securetoken
2016-06-15 12:04:56,488 [16] DEBUG app.Web.IdentityServer.IdentityServerClient Claims: aud apphybrid
2016-06-15 12:04:56,488 [16] DEBUG app.Web.IdentityServer.IdentityServerClient Claims: exp 1466010416
2016-06-15 12:04:56,488 [16] DEBUG app.Web.IdentityServer.IdentityServerClient Claims: nbf 1466010296
2016-06-15 12:04:56,488 [16] DEBUG app.Web.IdentityServer.IdentityServerClient Claims: nonce 636016067018002117.MWY4MGVjOWItYTFjYS00MTVlLTg4MDYtMjYxYjkwMWEzNzU4ZWViNzEyNTQtMjE0Mi00MjYzLTk2ZjMtODdhYmIxYTM5Mjg5
2016-06-15 12:04:56,488 [16] DEBUG app.Web.IdentityServer.IdentityServerClient Claims: iat 1466010296
2016-06-15 12:04:56,488 [16] DEBUG app.Web.IdentityServer.IdentityServerClient Claims: at_hash 6pIu3P1cEeTQJMcK8Gcnhw
2016-06-15 12:04:56,488 [16] DEBUG app.Web.IdentityServer.IdentityServerClient Claims: c_hash VsSw9HC0xyodlSkSCZefLw
2016-06-15 12:04:56,488 [16] DEBUG app.Web.IdentityServer.IdentityServerClient Claims: sid e79cd97a339b4513b45038e7755c1b88
2016-06-15 12:04:56,488 [16] DEBUG app.Web.IdentityServer.IdentityServerClient Claims: sub 783bf872-b864-4042-853d-04fbcb7a505a
2016-06-15 12:04:56,488 [16] DEBUG app.Web.IdentityServer.IdentityServerClient Claims: auth_time 1466010295
2016-06-15 12:04:56,488 [16] DEBUG app.Web.IdentityServer.IdentityServerClient Claims: idp IDSRV
2016-06-15 12:04:56,488 [16] DEBUG app.Web.IdentityServer.IdentityServerClient Claims: amr password
2016-06-15 12:04:56,488 [16] DEBUG app.Web.IdentityServer.IdentityServerClient The access token: [Omitted]
2016-06-15 12:04:56,488 [16] DEBUG app.Web.IdentityServer.IdentityServerClient The id token: [Omitted]
2016-06-15 12:04:56,491 [16] DEBUG app.Web.IdentityServer.IdentityServerClient Triggered AuthenticationFailedNotification`2 notification
//Web

//Logs

The log output in question...

2016-06-15 12:04:55.412 -05:00 [Information] Creating Implicit Flow response.
2016-06-15 12:04:55.416 -05:00 [Debug] Creating access token
2016-06-15 12:04:55.424 -05:00 [Debug] Getting ProfileDataAsync
2016-06-15 12:04:55.436 -05:00 [Debug] The claims in the context...
2016-06-15 12:04:55.437 -05:00 [Debug] Cliams sub 783bf872-b864-4042-853d-04fbcb7a505a
2016-06-15 12:04:55.437 -05:00 [Debug] Cliams name dev.guser
2016-06-15 12:04:55.437 -05:00 [Debug] Cliams amr password
2016-06-15 12:04:55.437 -05:00 [Debug] Cliams idp IDSRV
2016-06-15 12:04:55.437 -05:00 [Debug] Cliams auth_time 1466010295
2016-06-15 12:04:55.437 -05:00 [Debug] Cliams ticket fc05cd84-7756-4ec5-ac3c-53ac6d4d5e2a    <- Has the claim I want
2016-06-15 12:04:55.975 -05:00 [Debug] The requseted claims...
2016-06-15 12:04:55.976 -05:00 [Debug] Requested Claims Is Null    <- but this needs to indicate that we want that claim...
2016-06-15 12:04:55.976 -05:00 [Debug] Finished ProfileDataAsync

Solution

Update 2: OK, now that I look closer, you have IncludeAllClaimsForUser = true. In GetProfileData there's a comparable flag on the context. I suspect that's why you have no claims in the collection.

Update 1: Claims that you want to go into tokens should be added in GetProfile, not in the AuthenticateResult in the AuthenticateLocal method.

Original: Change the type of scope from Identity to Resource. This affects which tokens the claims go into.
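The three points of the answer put together, as an added example that is neither the asker's code nor IdentityServer's own: a Resource scope that names the ticket claim, and a GetProfileDataAsync that honours both the per-name request list and the "all claims" flag the answer alludes to. It is written against the IdentityServer3 API used in the question; `TicketClaims` and `TicketUserService` are assumed names, the claim type `"ticket"` stands in for the page's `GlobalConstant.TicketClaim`, and the flag is `AllClaimsRequested` on `ProfileDataRequestContext` as I know it from IdentityServer3 (check the property name against the version you run). The `Caller` check uses IdentityServer3's `Constants.ProfileDataCallers` values.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.Core;
using IdentityServer3.Core.Extensions;   // GetSubjectId()
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.Default;

// Assumed names for this example: TicketClaims, TicketUserService, and the claim type "ticket".
public static class TicketClaims
{
    public const string Ticket = "ticket";   // stands in for the page's GlobalConstant.TicketClaim

    // ScopeType.Resource: claims listed here are offered to the access-token claims provider.
    // ScopeType.Identity would route them to the id_token / userinfo instead (the answer's "Original" point).
    // IncludeAllClaimsForUser stays false so IdentityServer asks for "ticket" by name;
    // with it set to true, RequestedClaimTypes is left empty and AllClaimsRequested is set instead.
    public static readonly Scope AppAccess = new Scope
    {
        Name = "AppAccess",
        DisplayName = "AppAccess",
        Type = ScopeType.Resource,
        Claims = new List<ScopeClaim>
        {
            new ScopeClaim { Name = Ticket, Description = "Login ticket" }
        },
        IncludeAllClaimsForUser = false
    };
}

public class TicketUserService : UserServiceBase
{
    // Claims destined for tokens are decided here (the answer's "Update 1"), not in AuthenticateResult.
    // AuthenticateLocalAsync only needs to put the ticket on the subject so it is available below.
    public override Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var requested = context.RequestedClaimTypes ?? Enumerable.Empty<string>();

        // Honour both ways IdentityServer can ask for a claim: by name, or "everything" when the
        // scope was configured with IncludeAllClaimsForUser = true (the answer's "Update 2").
        Func<string, bool> wanted = type => context.AllClaimsRequested || requested.Contains(type);

        var issued = new List<Claim>
        {
            new Claim(Constants.ClaimTypes.Subject, context.Subject.GetSubjectId())
        };

        // The ticket is a back-end credential: release it only for access tokens and userinfo,
        // never into the id_token that the hybrid flow posts back through the browser.
        bool forAccessToken =
            context.Caller == Constants.ProfileDataCallers.ClaimsProviderAccessToken ||
            context.Caller == Constants.ProfileDataCallers.UserInfoEndpoint;

        if (forAccessToken && wanted(TicketClaims.Ticket))
        {
            // FindFirst returns null when the subject carries no ticket; never add a null Claim,
            // which the question's FirstOrDefault()-then-Add would do.
            var ticket = context.Subject.FindFirst(TicketClaims.Ticket);
            if (ticket != null)
            {
                issued.Add(new Claim(TicketClaims.Ticket, ticket.Value));
            }
        }

        context.IssuedClaims = issued;
        return Task.FromResult(0);
    }
}
```

Register `TicketClaims.AppAccess` in the scope store and `TicketUserService` as the user service; a client that requests the `AppAccess` scope then receives the `ticket` claim in its JWT access token, while the id_token carries only the identity-scope claims.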
