
IdentityServer4: How to set a role for Google user?

I have 3 applications:

  • An IdentityServer4 API which provides Google authentication and also provides an access token to authorize the Resource API.
  • A simple Resource API which provides some data from the DB.
  • A simple Client in React which has 4 buttons:
    • Login, for Google auth
    • Logout
    • Get data - a simple request with the access token to the Resource API that gets the data from the DB
    • Get user data - returns the user profile and token (for debug purposes)

I didn't put any sample code because my problem is not code related; it's knowledge that I'm missing and I ask for guidance.

The workflow is working just fine: the user presses the Login button and is redirected to the IdentityServer4 API for Google Auth. From there they are redirected to a Callback Page of the Client and from there to the Index page. I receive the user data and the token, I can request data from the Resource API and it's working.

My problem is: How do I give a Role to the Google Users? I don't have users saved in the DB. I want three types of Users: SuperAdmin, Admin, Viewer, and each of these roles has a limited set of Endpoints it can access.

For limiting their access I saw that I can use Claims-based authorization or Role-based authorization.

So, my question is: how can I give a Google User who wants to log in to my app a specific Claim/Role? What is the workflow? Must I save it first in the DB? Or is there a service from Google where I can add an email address and select a Role for that address?

Thank you very much!

After you get the response from Google in your callback you can handle the user and do whatever you want to do with it. Below are some typical tasks that you can do in the callback that I took from the IdentityServer4 documentation page (link):

Handling the callback and signing in the user

On the callback page your typical tasks are:

  • inspect the identity returned by the external provider.
  • make a decision how you want to deal with that user. This might be different based on whether this is a new user or a returning user.
  • new users might need additional steps and UI before they are allowed in.
  • probably create a new internal user account that is linked to the external provider.
  • store the external claims that you want to keep.
  • delete the temporary cookie
  • sign in the user

What I would do is create a new internal user account that is linked to the external provider and add a role to that user.

If you don't want to save users in the DB, you can add an extra claim to the user in the callback method and use that claim in the token, and I think this link will help with that.
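An added example of the "extra claim in the callback" approach described above; it is not code from the question, the answer, or the IdentityServer4 project. It is a quickstart-style ExternalController.Callback that assigns the role from a constructed allow-list keyed by the Google e-mail (placeholder addresses) and signs the user in without a user table. It assumes the IdentityServer4 v4 quickstart layout, and that "role" is listed in the UserClaims of the relevant IdentityResource/ApiResource so the claim is emitted into the tokens.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

public class ExternalController : Controller
{
    // Constructed allow-list (placeholder addresses): the role is decided here,
    // never taken from anything Google sends. Anyone not listed is refused.
    private static readonly Dictionary<string, string> RoleByEmail =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["owner@example.com"]  = "SuperAdmin",
            ["ops@example.com"]    = "Admin",
            ["viewer@example.com"] = "Viewer",
        };
    [HttpGet]
    public async Task<IActionResult> Callback()
    {
        // 1. Inspect the identity in the temporary cookie written by the Google handler.
        var result = await HttpContext.AuthenticateAsync(
            IdentityServerConstants.ExternalCookieAuthenticationScheme);
        if (result?.Succeeded != true) return Forbid();

        var ext = result.Principal;
        var providerUserId = ext.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? ext.FindFirst("sub")?.Value;
        var email = ext.FindFirst(ClaimTypes.Email)?.Value ?? ext.FindFirst("email")?.Value;
        // 2. Decide: unknown address -> delete the temp cookie and refuse.
        if (providerUserId == null || email == null || !RoleByEmail.TryGetValue(email, out var role))
        {
            await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
            return Forbid();
        }
        // 3. Sign in with a provider-qualified subject plus the extra local claims.
        var user = new IdentityServerUser($"google:{providerUserId}")
        {
            DisplayName = email,
            IdentityProvider = "Google",
            AdditionalClaims = new List<Claim> { new Claim("role", role), new Claim("email", email) }
        };
        await HttpContext.SignInAsync(user, new AuthenticationProperties());
        await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
        // Only follow the stored returnUrl when it is local, to avoid an open redirect.
        result.Properties.Items.TryGetValue("returnUrl", out var returnUrl);
        return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "~/");
    }
}
```

On the Resource API side, the usual setup is to set TokenValidationParameters.RoleClaimType = "role" in the JwtBearer options so that [Authorize(Roles = "Admin")] matches the claim, or to write a claims-based policy on the "role" claim type instead.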
