How do I get the id_token from the implicit flow so I can pass it as the id_token_hint when signing out of the implicit flow, or is there another way? I have the endpoint /connect/endsession?id_token_hint=
I'm not sure how to get the id_token from the implicit flow; what I get is the access_token and the expiration. Is there a setting for this in IdSvr?
Answer 0 (score: 1)
There are three parts to this.
First, make sure you request the id_token from Identity Server when configuring OIDC authentication in Startup.cs (as @leastprivilege said above):
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        Authority = "https://localhost:44301/",
        ...
        // Ask for both tokens; with "token" alone no id_token is ever issued
        ResponseType = "id_token token", // (Here's where we request id_token!)
Second, in the OIDC notifications, once the security token has been validated, add the id_token to the user's claims:
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            SecurityTokenValidated = async n =>
            {
                // Build a fresh identity so we control exactly which claims end up in the cookie
                var nid = new ClaimsIdentity(
                    n.AuthenticationTicket.Identity.AuthenticationType,
                    Constants.ClaimTypes.GivenName,
                    Constants.ClaimTypes.Role);

                // get userinfo data
                var userInfoClient = new UserInfoClient(
                    new Uri(n.Options.Authority + "/" + Constants.RoutePaths.Oidc.UserInfo),
                    n.ProtocolMessage.AccessToken);
                var userInfo = await userInfoClient.GetAsync();
                userInfo.Claims.ToList().ForEach(ui => nid.AddClaim(new Claim(ui.Item1, ui.Item2)));

                // keep the id_token for logout (**This bit**)
                nid.AddClaim(new Claim(Constants.TokenTypes.IdentityToken, n.ProtocolMessage.IdToken));

                n.AuthenticationTicket = new AuthenticationTicket(
                    nid,
                    n.AuthenticationTicket.Properties);
            },
Finally, on the redirect for logout (also a notification event), add the id_token to the protocol message:
            RedirectToIdentityProvider = n =>
            {
                // Only the sign-out redirect needs the hint; leave sign-in requests alone
                if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
                {
                    var idTokenHint = n.OwinContext.Authentication.User.FindFirst(Constants.TokenTypes.IdentityToken);
                    if (idTokenHint != null)
                    {
                        n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
                    }
                }
                return Task.FromResult(0);
            }
        } // end Notifications
    }); // end OpenIdConnectAuthenticationOptions
You also need to make sure PostLogoutRedirectUris is set on the client in Identity Server:
    new Client
    {
        Enabled = true,
        ClientName = "(MVC) Web App",
        ClientId = "mvc",
        Flow = Flows.Implicit,
        // Only URIs listed here are accepted as post_logout_redirect_uri after sign-out
        PostLogoutRedirectUris = new List<string>
        {
            "https://localhost:44300/" // (** The client's Url **)
        }
    }
This ensures the user is offered the option of returning to the authorized client when they sign out :)
All of this is very similar to the MVC sample at https://identityserver.github.io/Documentation/docsv2/overview/mvcGettingStarted.html. It's more than you asked for, but hopefully it helps anyone else trying to work this out :)
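As an added illustration (my own code, not the poster's and not IdentityServer's implementation), here is a small Python model of the checks an end-session endpoint applies to a request like the one in the question: the id_token_hint identifies the calling client through its aud claim, and any post_logout_redirect_uri must exactly match one of that client's registered PostLogoutRedirectUris, which is why the answer insists on registering them. The client registration, the token contents and the make_token helper are constructed for this example.

```python
import base64
import json
from urllib.parse import urlsplit, parse_qs

# Constructed client registration, mirroring the answer's Client {} block.
CLIENTS = {
    "mvc": {"post_logout_redirect_uris": ["https://localhost:44300/"]},
}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Split a compact JWT and return its payload claims.

    Signature checking is out of scope here: a real endpoint validates the
    signature against its own signing key before trusting any claim."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token_hint is not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def validate_end_session(url: str):
    """Return (ok, reason) for a /connect/endsession request URL."""
    q = parse_qs(urlsplit(url).query)
    hint = q.get("id_token_hint", [None])[0]
    if not hint:
        return False, "missing id_token_hint: cannot tell which client is logging out"
    aud = id_token_claims(hint).get("aud")
    aud = aud[0] if isinstance(aud, list) else aud  # aud may be a list per the JWT spec
    client = CLIENTS.get(aud)
    if client is None:
        return False, f"unknown client in aud: {aud!r}"
    redirect = q.get("post_logout_redirect_uri", [None])[0]
    if redirect is None:
        return True, "no redirect requested; show the signed-out page"
    # Exact string comparison against the registered list: no prefix or host matching.
    if redirect not in client["post_logout_redirect_uris"]:
        return False, f"post_logout_redirect_uri not registered for {aud}: {redirect}"
    return True, f"redirect to {redirect}"


def make_token(claims: dict) -> str:
    """Build a compact token for the constructed examples; the signature segment
    is a placeholder, real IdSvr tokens are signed with the server's key."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'placeholder'})}.{enc(claims)}.sig"
```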
Answer 1 (score: 0)
To get an id_token you have to ask for it. Use response_type=id_token token
Answer 2 (score: 0)