IdentityServer4:为 Client_Credential Granttype 向客户端主体添加自定义默认声明 [英] IdentityServer4: Add Custom default Claim to Client Principal for Client_Credential Granttype

问题描述

我正在使用 IdentityServer4，并尝试在创建令牌时向我的 CLIENT 添加自定义默认声明.如果我使用如下所示的隐式流和 IProfileService，这是可能的.

I am using IdentityServer4 and I am trying to add a custom default claim to my CLIENT when the token is created. This is possible if i use the implicit flow and IProfileService like shown below.

public class MyProfileService : IProfileService
{
    public MyProfileService()
    {

    }
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var claims = new List<Claim>
        {
            new Claim("DemoClaimType", "DemoClaimValue")
        };
        context.IssuedClaims = claims;
        return Task.FromResult(0);
    }
    public Task IsActiveAsync(IsActiveContext context)
    {
        context.IsActive = true;
        return Task.FromResult(0);
    }
}

在我的创业公司

services.AddIdentityServer()
            .AddProfileService<MyProfileService>()

但是，这不适用于具有 client_credential 授权类型的客户端，因为它似乎 无法在客户端凭据流中请求 OpenID 范围.事实证明，Iprofileservice 顾名思义适用于 Identity 资源，其中 OpenId 范围(如配置文件)有效.因为我无法请求具有 client_credential 授权类型的配置文件范围 GetProfileDataAsync 永远不会被调用.

However this does not work with my client with client_credential granttype since it seems cannot request OpenID scopes in client credentials flow. It turns out Iprofileservice like the name implies works for Identity Resources where the OpenId scopes like profile is valid. since am unable to request profile scopes with client_credential grant type GetProfileDataAsync never gets called.

由于我只与客户合作，没有用户，我需要一种将声明注入令牌的方法，而不必像下面这样将它们添加到客户端对象中

Since am working only with clients and no users I need a way to inject claims into the token without having to add them to the client object like below

    new Client
{
    ClientId = "myclient",
    ClientName = "My Client",
    AllowedGrantTypes = GrantTypes.ClientCredentials,
    ClientSecrets = {new Secret("secret".Sha256())},
    AllowedScopes = new List<string> {"api"},                    
    AllowOfflineAccess = true,

    //I Don't want to do this
    Claims = new List<Claim>
    {   
        new Claim("type","value")
    }
}

我不希望上述情况，因为我不希望声明成为数据库中 client_claims 的一部分.我需要根据令牌请求即时创建它.我希望我的问题现在更清楚了.

I do not want the above because i do not want the the claim to be part of the client_claims in the database. I need to create it on the fly on token request. I hope my question is clearer now.

推荐答案

通过一些询问，我终于找到了如何做到这一点.我需要一种在请求令牌时向客户端动态添加声明的方法.

With some inquiries I finally found out how to do this. I needed a way to add claims dynamically to the client when token was requested.

为了做到这一点，我必须扩展 ICustomTokenRequestValidator，然后通过依赖注入将我的类包含在 Startup.cs 中

In order to do that I had to extend ICustomTokenRequestValidator and then include my class in Startup.cs thorough dependency injection

public class DefaultClientClaimsAdder : ICustomTokenRequestValidator
{
    public Task ValidateAsync(CustomTokenRequestValidationContext context)
    {
        context.Result.ValidatedRequest.Client.AlwaysSendClientClaims = true;
        context.Result.ValidatedRequest.ClientClaims.Add(new Claim("testtoken","testbody"))

        return Task.FromResult(0);
    }
}

在 Startup.cs 中配置服务

Configure services in Startup.cs

 services.AddTransient<ICustomTokenRequestValidator, DefaultClientClaimsAdder>();

这篇关于IdentityServer4:为 Client_Credential Granttype 向客户端主体添加自定义默认声明的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！