IdentityServer4:为 Client_Credential Granttype 向客户端主体添加自定义默认声明 [英] IdentityServer4: Add Custom default Claim to Client Principal for Client_Credential Granttype
问题描述
我正在使用 IdentityServer4,并尝试在创建令牌时向我的 CLIENT
添加自定义默认声明.如果我使用如下所示的隐式流和 IProfileService
,这是可能的.
I am using IdentityServer4 and I am trying to add a custom default claim to my CLIENT
when the token is created. This is possible if i use the implicit flow and IProfileService
like shown below.
public class MyProfileService : IProfileService
{
public MyProfileService()
{
}
public Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var claims = new List<Claim>
{
new Claim("DemoClaimType", "DemoClaimValue")
};
context.IssuedClaims = claims;
return Task.FromResult(0);
}
public Task IsActiveAsync(IsActiveContext context)
{
context.IsActive = true;
return Task.FromResult(0);
}
}
在我的创业公司
services.AddIdentityServer()
.AddProfileService<MyProfileService>()
但是,这不适用于具有 client_credential 授权类型的客户端,因为它似乎 无法在客户端凭据流中请求 OpenID 范围
.事实证明,Iprofileservice 顾名思义适用于 Identity
资源,其中 OpenId 范围(如配置文件)有效.因为我无法请求具有 client_credential 授权类型的配置文件范围 GetProfileDataAsync
永远不会被调用.
However this does not work with my client with client_credential granttype since it seems cannot request OpenID scopes in client credentials flow
. It turns out Iprofileservice like the name implies works for Identity
Resources where the OpenId scopes like profile is valid. since am unable to request profile scopes with client_credential grant type GetProfileDataAsync
never gets called.
由于我只与客户合作,没有用户,我需要一种将声明注入令牌的方法,而不必像下面这样将它们添加到客户端对象中
Since am working only with clients and no users I need a way to inject claims into the token without having to add them to the client object like below
new Client
{
ClientId = "myclient",
ClientName = "My Client",
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets = {new Secret("secret".Sha256())},
AllowedScopes = new List<string> {"api"},
AllowOfflineAccess = true,
//I Don't want to do this
Claims = new List<Claim>
{
new Claim("type","value")
}
}
我不希望上述情况,因为我不希望声明成为数据库中 client_claims 的一部分.我需要根据令牌请求即时创建它.我希望我的问题现在更清楚了.
I do not want the above because i do not want the the claim to be part of the client_claims in the database. I need to create it on the fly on token request. I hope my question is clearer now.
推荐答案
通过一些询问,我终于找到了如何做到这一点.我需要一种在请求令牌时向客户端动态添加声明的方法.
With some inquiries I finally found out how to do this. I needed a way to add claims dynamically to the client when token was requested.
为了做到这一点,我必须扩展 ICustomTokenRequestValidator
,然后通过依赖注入将我的类包含在 Startup.cs 中
In order to do that I had to extend ICustomTokenRequestValidator
and then include my class in Startup.cs thorough dependency injection
public class DefaultClientClaimsAdder : ICustomTokenRequestValidator
{
public Task ValidateAsync(CustomTokenRequestValidationContext context)
{
context.Result.ValidatedRequest.Client.AlwaysSendClientClaims = true;
context.Result.ValidatedRequest.ClientClaims.Add(new Claim("testtoken","testbody"))
return Task.FromResult(0);
}
}
在 Startup.cs 中配置服务
Configure services in Startup.cs
services.AddTransient<ICustomTokenRequestValidator, DefaultClientClaimsAdder>();
这篇关于IdentityServer4:为 Client_Credential Granttype 向客户端主体添加自定义默认声明的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!