WebAPI 使用 OIDC 身份验证处理程序为用户声明进行额外的访问
[英]WebAPI making an extra trip for user claims using OIDC authentication handler
问题描述
My Current Setup is:
我当前的设置是:
I have an Identity server built using Duenede.IdentityServer package running at port 7025.
我有一个使用 Duenede.IdentityServer package 在端口 7025 运行的身份服务器。I have a WebApi which is Do.net 6 based and below is its OIDC configuration.
我有一个基于 Do.net 6 的 WebApi,下面是它的 OIDC 配置。AddOpenIdConnect("oidc", o => { JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); o.SaveTokens = true; o.GetClaimsFromUserInfoEndpoint = true; o.RequireHttpsMetadata = false; o.ResponseType = "code"; o.Authority = "https://localhost:7025/"; o.ClientId = "some clientid"; o.ClientSecret = "some secret"; o.Scope.Clear(); o.Scope.Add("openid"); o.Scope.Add("profile"); o.Scope.Add("do.netapi"); o.NonceCookie.SameSite = SameSiteMode.Unspecified; o.CorrelationCookie.SameSite = SameSiteMode.Unspecified; o.ClaimActions.MapUniqueJsonKey("role", "role"); o.ClaimActions.MapUniqueJsonKey("email", "email"); });
Now when web api request the token from the identityserver (OIDC is the challenge scheme and i have a cookie scheme set as default authentication scheme) it gets both id_token and access_token(verified using await HttpContext.GetTokenAsync("access_token"); await HttpContext.GetTokenAsync("id_token"); ).现在,当 web api 从身份服务器请求令牌时(OIDC 是挑战方案,我将 cookie 方案设置为默认身份验证方案),它同时获得 id_token 和 access_token(使用await HttpContext.GetTokenAsync("access_token"); await HttpContext.GetTokenAsync("id_token"); )。 I can also find user claims in HttpContext.User.FindFirst("some claim");我还可以在HttpContext.User.FindFirst("some claim");中找到用户声明
But i have noticed that there is an extra call to the identity server from web api for the userinfo.但我注意到用户信息从 web api 对身份服务器进行了额外的调用。 I observed that it may be because of o.GetClaimsFromUserInfoEndpoint = true;我观察到可能是因为o.GetClaimsFromUserInfoEndpoint = true; when i omitted this line i found that user claims are not set, even though i am still getting both id and access token.当我省略此行时,我发现未设置用户声明,即使我仍然获得 ID 和访问令牌。
So my understanding is the OIDC client of do.net is using userinfo endpoint to fetch the user claims.所以我的理解是 do.net 的 OIDC 客户端正在使用 userinfo 端点来获取用户声明。 But my question is if i am already receiving the access_token why there is an extra call for the userinfo.但我的问题是,如果我已经收到 access_token,为什么还要额外调用 userinfo。 Can this extra call be prevented?可以阻止这个额外的调用吗?
is there any way so that i receive id_token at first and access_token is then fetched as it is doing now so that same information is not sent twice?有什么办法可以让我首先收到 id_token,然后像现在一样获取 access_token,这样相同的信息就不会发送两次?
1 个解决方案
解决方案1
1 已采纳 2022-05-10 08:53:37
First, you can set this client config in IdentityServer to always include the user claims in the ID token首先,您可以在 IdentityServer 中设置此客户端配置,以始终在 ID 令牌中包含用户声明
AlwaysIncludeUserClaimsInIdToken AlwaysIncludeUserClaimsInIdToken
When requesting both an id token and access token, should the user claims always be added to the id token instead of requiring the client to use the userinfo endpoint.
The reason for not including it in the ID-token is that increases the size of the id-token and if you store the tokens in the asp.net session cookie, it also can become pretty big.不将其包含在 ID 令牌中的原因是增加了 id 令牌的大小,如果您将令牌存储在 asp.net session cookie 中,它也会变得相当大。
I wouldn't worry about the extra request that happens when the user authenticates.我不会担心用户验证时发生的额外请求。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.