使用 Microsoft.AspNetCore.ApiAuthorization.IdentityServer 时,如何在 JWT 和用户主体中添加自定义用户声明
[英]How do I add custom user claims in JWT and user principal when using Microsoft.AspNetCore.ApiAuthorization.IdentityServer
问题描述
I'm using the new React template, which is part of the .NET Core 3 release.
我正在使用新的 React 模板,它是 .NET Core 3 版本的一部分。 This template uses Microsoft.AspNetCore.ApiAuthorization.IdentityServer to integrate ASP.NET Core Identity, IdentityServer and React for user registration, authentication and authorization.此模板使用Microsoft.AspNetCore.ApiAuthorization.IdentityServer集成 ASP.NET Core Identity、IdentityServer 和 React 用于用户注册、身份验证和授权。
This works really well for simple scenarios, but I find the documentation for a bit more complex scenarios confusing.这对于简单的场景非常有效,但我发现对于更复杂的场景的文档令人困惑。 This is mainly because there are a lot of different cogs now, and it's hard to figure out where to look.这主要是因为现在有很多不同的齿轮,很难弄清楚在哪里看。
What I want to do is the following: I want to add a custom claim to the user (say, IsAdmin: true ).我想做的是以下内容:我想向用户添加自定义声明(例如IsAdmin: true )。 This claim should be available in the .NET Core HttpContext in the ApiController (as part of the user's claim principal) for auth purposes, and it should be somewhere that React can read this claim (this would probably be the identitytoken/jwt), to provide a good user experience.此声明应在 ApiController 中的 .NET Core HttpContext 中可用(作为用户声明主体的一部分)用于身份验证目的,并且它应该是 React 可以读取此声明的地方(这可能是 identitytoken/jwt),以提供良好的用户体验。
What would be a good way to accomplish this?什么是实现这一目标的好方法?
2 个解决方案
解决方案1
3 2019-11-08 16:35:23
I think you should check ApiResource configuration.我认为您应该检查ApiResource配置。 Whatever claims you add in UserClaims property of ApiResource configuration, those claims will appear in access token.无论您在ApiResource配置的UserClaims属性中添加什么声明,这些声明都将出现在访问令牌中。 eg例如
public IEnumerable<ApiResource> GetApiResources()
{
return new List<ApiResource>
{
new ApiResource("api1")
{
UserClaims = new[] { "CustomClaim1", "CustomClaim2"},
},
}
}
In above code, access code will contain CustomClaim1 and CustomClaim2 .在上面的代码中,访问代码将包含CustomClaim1和CustomClaim2 。 Hence if you don't mention them, they won't appear in access token.因此,如果您不提及它们,它们将不会出现在访问令牌中。 Hope this helps!希望这可以帮助!
解决方案2
1 2019-11-11 08:35:10
You can use IProfileService to add custom claims to JWT token:您可以使用IProfileService将自定义声明添加到 JWT 令牌:
public class MyProfileService : IProfileService
{
public MyProfileService()
{ }
public Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var claims = new List<Claim>()
{
new Claim(ClaimTypes.Role, "Admin")
};
context.IssuedClaims.AddRange(claims);
return Task.CompletedTask;
}
public Task IsActiveAsync(IsActiveContext context)
{
// await base.IsActiveAsync(context);
return Task.CompletedTask;
}
}
Concern about the length of ID Token, by default the claims won't include in ID token, instead it will get claims from OIDC's userinfo endpoint.关注 ID Token 的长度,默认情况下,声明不会包含在 ID 令牌中,而是会从 OIDC 的 userinfo 端点获取声明。 You can:你可以:
Get the claims from
user.profilein React template, it will automatically send request to userinfo endpoint with id token.从 React 模板中的user.profile获取声明,它会自动向带有 id 令牌的 userinfo 端点发送请求。Or you can set
AlwaysIncludeUserClaimsInIdTokento true in client options when registering client in Identity Server 4, but i'm afraid you need to not useApiAuthorizationservice, the full power of IdentityServer is still available to customize authentication to suit your needs.或者您可以在 Identity Server 4 中注册客户端时在客户端选项中将AlwaysIncludeUserClaimsInIdToken设置为 true,但恐怕您不需要使用ApiAuthorization服务,IdentityServer 的全部功能仍然可以自定义身份验证以满足您的需求。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.