ASP.NET Core and JSON Web Tokens - Custom claims mapping

ASP.NET Core has its own mapping to standard claims. Read this and take a look at this GitHub repository.

I am using Azure AD, NET5.

The problem is that unique_name gets mapped to name and if you are really lucky you will end up with two name claims. For me one with my full name and one with my email.

Code for handling duplicated name claims.

// Assumes: using System.Security.Claims; httpCtx is the current HttpContext.
string email = null;
// After the default inbound mapping more than one JWT claim can land on
// ClaimTypes.Name; keep the one that looks like an e-mail address.
var nameClaims = httpCtx.User
                        .FindAll(x => x.Type.Equals(ClaimTypes.Name))
                        .Where(x => x.Value.Contains("@")).ToList();
if (nameClaims.Any())
{
  email = nameClaims.First().Value;
}

Code for adding auth.

// Assumes: using Microsoft.AspNetCore.Authentication.JwtBearer; for JwtBearerDefaults.
services
 .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
 .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
{
 options.Authority = openIdConnectOptions.Authority;
 options.TokenValidationParameters.ValidIssuer = openIdConnectOptions.ValidIssuer;
 options.TokenValidationParameters.ValidAudiences = openIdConnectOptions.ValidAudiences;
 // Default (true): inbound JWT claim types are rewritten to the long ClaimTypes
 // names, e.g. "unique_name" -> ClaimTypes.Name.
 options.MapInboundClaims = true;
});

If you set MapInboundClaims = false then there will be no mappings and all claims will keep their names. This solves my problem with the duplicated name claim but also breaks how roles are mapped and used in ASP.NET Core.

I would like to keep the default mapping and add my own for the types I know get wrongly mapped. Or remove all mappings and add the missing parts to make roles work again.

This is what I ended up with. Now claim names are not changed. Except for roles. I needed to add MS claim names to get roles to work in my policy mapping.

using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Logging;

namespace EmployeeTrading.Server.Extensions
{
    public static partial class ServiceCollectionExtensions
    {
        // openIdConnectOptions: the app's settings object carrying Authority,
        // ValidIssuer and ValidAudiences.
        public static IServiceCollection AddBearerAuthentication(this IServiceCollection services,
            OpenIdConnectOptions openIdConnectOptions)
        {
#if DEBUG
            // Writes token contents (PII) into validation error messages; debug builds only.
            IdentityModelEventSource.ShowPII = true;
#endif
            // https://mderriey.com/2019/06/23/where-are-my-jwt-claims/
            // https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/a301921ff5904b2fe084c38e41c969f4b2166bcb/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.cs

            services
                .AddAuthentication("Bearer")
                .AddJwtBearer("Bearer", o =>
                {
                    o.Authority = openIdConnectOptions.Authority;
                    o.TokenValidationParameters.ValidIssuer = openIdConnectOptions.ValidIssuer;
                    o.TokenValidationParameters.ValidAudiences = openIdConnectOptions.ValidAudiences;
                    // Keep the raw JWT claim names (no rewrite to ClaimTypes.*).
                    o.MapInboundClaims = false;
                    // With mapping off, role checks must be told which raw claim holds the roles.
                    o.TokenValidationParameters.RoleClaimType = "roles";
                });

            return services;
        }
    }
}
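Added example (not the asker's code) covering the two options raised in the question: keep the library's default inbound map but drop only the unique_name entry, or turn mapping off and point NameClaimType and RoleClaimType at the raw JWT claim names so User.Identity.Name and role-based policies keep working. The policy name and role value are constructed placeholders.

```csharp
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

public static class ClaimMappingExamples
{
    // Option A: keep the default inbound map but stop "unique_name" from being
    // rewritten to ClaimTypes.Name, so only one claim lands on that type.
    // Call this at startup before any JwtSecurityTokenHandler is constructed,
    // because the handler copies the static map when it is created.
    public static void KeepDefaultsButUnmapUniqueName()
    {
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Remove("unique_name");
    }

    // Option B: no mapping at all. Tell the principal which raw JWT claim types
    // play the "name" and "role" parts so User.Identity.Name, [Authorize(Roles=...)]
    // and RequireRole() still resolve against the unmapped claims.
    public static IServiceCollection AddBearerWithRawClaims(this IServiceCollection services,
        string authority, string validIssuer, IEnumerable<string> validAudiences)
    {
        services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, o =>
            {
                o.Authority = authority;
                o.TokenValidationParameters.ValidIssuer = validIssuer;
                o.TokenValidationParameters.ValidAudiences = validAudiences;
                o.MapInboundClaims = false;
                // Raw Azure AD claim names: "name" (display name) and "roles" (app roles).
                o.TokenValidationParameters.NameClaimType = "name";
                o.TokenValidationParameters.RoleClaimType = "roles";
            });

        // Placeholder policy/role: RequireRole uses ClaimsPrincipal.IsInRole, which
        // reads the identity's RoleClaimType set above.
        services.AddAuthorization(options =>
            options.AddPolicy("TradingAdmin", p => p.RequireRole("Trading.Admin")));

        return services;
    }
}
```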
