[英]Claims is empty and user is not Authenticated in HandleRequirement of AuthorizationHandlerContext with Duende identity server
[英]Custom claim not accessible in AuthorizationHandlerContext Identity server 4 JWT
我有一个将声明添加到令牌的配置文件服务
档案服务
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var sub = context.Subject.GetSubjectId();
var user = await _userManager.FindByIdAsync(sub);
var claims = new List<Claim>();
var userClaims = await _userManager.GetClaimsAsync(user);
foreach (var userClaim in userClaims)
{
claims.Add(new Claim(userClaim.Type, userClaim.Value));
}
context.IssuedClaims.AddRange(claims);
}
JWT 令牌
{
"nbf": 1608909669,
"exp": 1608996069,
"iss": "https://localhost:5001",
"aud": "https://localhost:5001/resources",
"client_id": "Local",
"sub": "307f4f24-71a5-4aee-8505-f87b58a1eb2e",
"auth_time": 1608908167,
"idp": "local",
"IdentityServer": [
"Read",
"Create",
"Update",
"Delete"
],
"Product": [
"Read",
"Create",
"Update",
"Delete"
],
"jti": "87FA14C0153AD10D0E16A721720D19DB",
"sid": "C739A377659C364AA29040FEE2FB4FA2",
"iat": 1608909669,
"scope": [
"openid",
"profile",
"email"
],
"amr": [
"pwd"
]
}
只能在AuthorizationHandlerContext中获得以下声明
启动.cs
services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
.AddIdentityServerAuthentication(options =>
{
// base-address of your identityserver
options.Authority = configuration.GetSection("IdentityServer:OAuth:AuthorizationUrl").Value;
// name of the API resource
options.ApiName = AuthorizePolicy.apiScope;
});
app.UseAuthentication();
为什么我无法访问IdentityServer, Product
声明。 我正在使用 Identity server 4 最新版本
更新 1
在帐户 controller 的登录过程中添加以下代码
var principal = await _claimsFactory.CreateAsync(user);
var claims = principal.Claims.ToList();
var isuser = new IdentityServerUser(user.Id)
{
DisplayName = user.UserName,
AdditionalClaims = claims
};
await HttpContext.SignInAsync(isuser, props);
现在用户包含所有其他声明,但如果我删除其中一个声明 JWT 令牌被刷新,但是,用户身份仍然包含旧值,要刷新身份我需要再次显式登录用户,这是不合适的,我该如何解决这个问题?
默认情况下,自定义声明不会包含在用户中,相反,您需要手动 map 您关心的传入声明。
通常,您会添加以下内容:
public void ConfigureServices(IServiceCollection services)
{
// By default, Microsoft has some legacy claim mapping that converts
// standard JWT claims into proprietary ones. This removes those mappings.
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
JwtSecurityTokenHandler.DefaultOutboundClaimTypeMap.Clear();
然后在 AddOpenIDConnect 选项中,设置:
options.ClaimActions.MapUniqueJsonKey("website", "website");
options.ClaimActions.MapUniqueJsonKey("gender", "gender");
options.ClaimActions.MapUniqueJsonKey("birthdate", "birthdate");
或者
options.ClaimActions.MapAllExcept("iss", "nbf", "exp", "aud", "nonce");
相同的配置可能如下所示:
}).AddOpenIdConnect(options =>
{
options.Authority = "https://localhost:6001";
options.ClientId = "authcodeflowclient";
options.ClientSecret = "mysecret";
options.ResponseType = "code";
options.Scope.Clear();
options.Scope.Add("openid");
options.Scope.Add("profile");
options.Scope.Add("email");
options.Scope.Add("employee_info");
options.ClaimActions.MapUniqueJsonKey("employment_start", "employment_start");
options.ClaimActions.MapUniqueJsonKey("seniority", "seniority");
options.ClaimActions.MapUniqueJsonKey("contractor", "contractor");
options.ClaimActions.MapUniqueJsonKey("employee", "employee");
options.ClaimActions.MapUniqueJsonKey("management", "management");
options.ClaimActions.MapUniqueJsonKey(JwtClaimTypes.Role, JwtClaimTypes.Role);
options.SaveTokens = true;
options.SignedOutRedirectUri = "/";
options.GetClaimsFromUserInfoEndpoint = true;
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = JwtClaimTypes.Name,
RoleClaimType = JwtClaimTypes.Role,
};
options.Prompt = "consent";
});
如果您不想处理令牌并在那里添加声明,那么另一种方法是在您的授权策略中查找其他用户详细信息。 有关更多详细信息,请参阅有关自定义授权策略的此页面。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.