WSO2 API Manager - 将客户端角色添加到密码授予 JWT [英] WSO2 API Manager - Add client roles to password grant JWT
问题描述
如何将用户角色添加到通过 OAuth2 密码授予生成的 JWT,如 这里:
how do I add user roles to JWT generated through OAuth2 Password Grant as described here:
我试过 this 方法,但它仅向传递给后端的 JWT 添加自定义声明,但 JWT 中没有任何内容用于验证客户端.
I tried this approach but it adds custom claims only to JWT passed to backend but there is nothing in JWT used to authenticate clients.
我要做的是向 Angular 应用程序添加一个登录页面,并在成功进行身份验证时调用 https://[APIM]/token
以获取令牌.角色对于根据用户角色呈现正确的菜单很重要.
What I'm trying to do is to add a login page to Angular application and call https://[APIM]/token
to get token when successful authentication occurs. Roles are important to render correct menus based on user roles.
提前致谢,
推荐答案
您需要请求具有 openid 范围的令牌,以检索额外的用户信息作为 JWT 令牌的声明.你可以参考 https://apim.docs.wso2.com/en/latest/learn/api-security/openid-connect/obtaining-user-profile-information-with-openid-connect/了解更多详情.
You need to request the token with openid scope to retrieve the additional user information as claims of the JWT token. You can refer https://apim.docs.wso2.com/en/latest/learn/api-security/openid-connect/obtaining-user-profile-information-with-openid-connect/ for more details.
例如,如果您想在生成的 JWT 中获取用户角色,您可以在 下添加
.参考 https://is.docs.wso2.com/en/5.10.0/learn/configuring-claims-for-a-service-provider/#claim-mapping了解更多详情.http://wso2.org/claims/role
声明作为请求的声明从 carbon 控制台向您正在使用的服务提供商声明配置
For instance, if you want to get the user roles in the generated JWT, you can add the http://wso2.org/claims/role
claim as a requested claim under Claim Configuration
to the service provider you are using from the carbon console. Refer https://is.docs.wso2.com/en/5.10.0/learn/configuring-claims-for-a-service-provider/#claim-mapping for more details.
那么在调用token端点的时候,需要加上openid作用域.
Then when you are invoking the token endpoint, you need to add the openid scope.
curl -k -d "grant_type=password&username=<USERNAME>&password=<PASSWORD>&scope=openid" -H "Authorization: Basic <BASE64 ENCODED CONSUMER_KEY:CONSUMER_SECRET>, Content-Type: application/x-www-form-urlencoded" https://<GATEWAY_HOSTNAME>:<PORT>/token
生成的 JWT 令牌负载将是这样的,
The generated JWT token payload will be something like this,
{
"sub": "admin",
"aut": "APPLICATION_USER",
"aud": "5af6EfSzqxS_dfmUnQ28sHdpZzYa",
"nbf": 1610395871,
"azp": "5af6EfSzqxS_dfmUnQ28sHdpZzYa",
"scope": "openid",
"iss": "https://localhost:9443/oauth2/token",
"groups": [
"Internal/subscriber",
"Internal/creator",
"Application/admin_DefaultApplication_PRODUCTION",
"Application/apim_devportal",
"Internal/publisher",
"Internal/everyone",
"Internal/devops",
"Application/apim_admin_portal",
"admin",
"Internal/analytics",
"Application/apim_publisher"
],
"exp": 1610399471,
"iat": 1610395871,
"jti": "75ddfca2-5088-435d-825a-3320efc10036"
}
希望这有帮助!
这篇关于WSO2 API Manager - 将客户端角色添加到密码授予 JWT的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!