
IdentityServer3 requiring a role when the user logs in (as additional credential)

I have a system where if the user logs in as Joe with the role "Readonly" then he will be granted access only to read things (fairly obviously); however, if he logs in as Joe with the role "Administrator" then he will have access to do administrative functions. However, I want him to have to re-login if he wishes to change from the Readonly role to the Administrator role, so that he could potentially leave his account logged in as Readonly on a display screen or something without fear of someone hijacking his Administrator privileges.

Now I also need to be able to log in a Web client via an implicit grant or another server via a code grant and have that service be able to use the same roles as well (while still requiring Joe to log in as the particular role if he isn't already authenticated).

Now I have been trying to do this with IdentityServer3, but I can't seem to get the role information to be part of the authentication for the user. I tried adding an acr_value of role:ReadOnly to the token request (which then turns into an authentication request if the user is not logged in), but if they log in with the acr_value of ReadOnly and then come back to log in with the acr_value of Administrator it just lets them in because they are already authenticated as the user.

Any tips on what I should be using instead of what I am doing, or how I might be completely off base in this OAuth2/OpenID Connect world?

I finally figured it out, so for others who might want to do the same thing, here is what I did.

First you have to build a custom UserService that looks in the acr_values for extra information. Then create a claim for that extra information in the AuthenticateResult. Second, you have to override the ClaimsProvider to include your custom claim set in step one in the tokens generated. Next you need a CustomRequestValidator in order to check if a new acr_value is being set compared to the one you have stored in the token currently being used. If it has changed and you want to force the user to reauthenticate, you can set 'request.PromptMode = "login";'. And that is it: using that set of steps I can now authenticate a user using 3 values (username, password, and role), and if the role requested changes I can require them to reauthenticate.

Works swimmingly.
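The three extension points from the answer above, sketched as an added example (this is not the original poster's code and not part of the IdentityServer3 project). It assumes the IdentityServer3 v2 APIs UserServiceBase, DefaultClaimsProvider and ICustomRequestValidator, the "role:<Name>" acr_values convention from the question, and a hypothetical IRoleStore that knows which roles each account may assume. One caveat the answer does not spell out is added in the user service: acr_values is unauthenticated input chosen by the client, so the requested role is only honoured after it is checked against what the account is entitled to; otherwise any user could request "role:Administrator" and have it minted into a role claim.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.Core;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;
using IdentityServer3.Core.Services.Default;
using IdentityServer3.Core.Validation;

// Hypothetical store (assumption): credentials plus the roles each account may assume.
public interface IRoleStore
{
    bool ValidateCredentials(string userName, string password);
    string GetSubjectId(string userName);
    IEnumerable<string> RolesFor(string userName);
}

public static class RoleAcr
{
    public const string Prefix = "role:";

    // Extracts "ReadOnly" from acr_values such as "role:ReadOnly"; null when no role was requested.
    public static string Parse(IEnumerable<string> acrValues)
    {
        if (acrValues == null) return null;
        return acrValues
            .Where(v => v.StartsWith(Prefix, StringComparison.OrdinalIgnoreCase))
            .Select(v => v.Substring(Prefix.Length))
            .FirstOrDefault();
    }
}

// Step 1: authenticate with username, password AND requested role; store the role on the session.
public class RoleAwareUserService : UserServiceBase
{
    private readonly IRoleStore _store;
    public RoleAwareUserService(IRoleStore store) { _store = store; }

    public override Task AuthenticateLocalAsync(LocalAuthenticationContext context)
    {
        if (!_store.ValidateCredentials(context.UserName, context.Password))
        {
            context.AuthenticateResult = new AuthenticateResult("Invalid username or password");
            return Task.FromResult(0);
        }

        var requestedRole = RoleAcr.Parse(context.SignInMessage.AcrValues);
        // acr_values is client-controlled: only accept a role this account actually holds.
        var allowed = _store.RolesFor(context.UserName);
        if (requestedRole == null || !allowed.Contains(requestedRole, StringComparer.OrdinalIgnoreCase))
        {
            context.AuthenticateResult = new AuthenticateResult("Requested role is not permitted for this account");
            return Task.FromResult(0);
        }

        // The claims passed here end up on the authentication cookie, so the role becomes part of the session.
        var claims = new[] { new Claim(Constants.ClaimTypes.Role, requestedRole) };
        context.AuthenticateResult = new AuthenticateResult(_store.GetSubjectId(context.UserName), context.UserName, claims);
        return Task.FromResult(0);
    }
}

// Step 2: copy the session's role claim into the access token so APIs can authorize on it.
public class RoleClaimsProvider : DefaultClaimsProvider
{
    public RoleClaimsProvider(IUserService users) : base(users) { }

    public override async Task<IEnumerable<Claim>> GetAccessTokenClaimsAsync(
        ClaimsPrincipal subject, Client client, IEnumerable<Scope> scopes, ValidatedRequest request)
    {
        var claims = (await base.GetAccessTokenClaimsAsync(subject, client, scopes, request)).ToList();
        claims.AddRange(subject.FindAll(Constants.ClaimTypes.Role));
        return claims;
    }
}

// Step 3: a new authorize request asking for a different role than the session holds forces a fresh login.
public class RoleSwitchRequestValidator : ICustomRequestValidator
{
    public Task<AuthorizeRequestValidationResult> ValidateAuthorizeRequestAsync(ValidatedAuthorizeRequest request)
    {
        var requestedRole = RoleAcr.Parse(request.AuthenticationContextReferenceClasses);
        var currentClaim = request.Subject == null ? null : request.Subject.FindFirst(Constants.ClaimTypes.Role);
        var currentRole = currentClaim == null ? null : currentClaim.Value;

        if (requestedRole != null && !string.Equals(requestedRole, currentRole, StringComparison.OrdinalIgnoreCase))
        {
            request.PromptMode = Constants.PromptModes.Login; // "login": ignore the existing cookie
        }
        return Task.FromResult(new AuthorizeRequestValidationResult { IsError = false });
    }

    public Task<TokenRequestValidationResult> ValidateTokenRequestAsync(ValidatedTokenRequest request)
    {
        return Task.FromResult(new TokenRequestValidationResult { IsError = false });
    }
}
```

Wire the three classes up through the IdentityServerServiceFactory registrations (UserService, ClaimsProvider and CustomRequestValidator). Because the role lives on the server-side session cookie rather than only in a token, the check in step 3 works the same for an implicit-flow browser client and for a code-flow server client: both go through the authorize endpoint, and any request whose role:<Name> differs from the cookie's role gets prompt=login applied. Override GetIdentityTokenClaimsAsync in the same way if the role is also needed in the id_token.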
