我无法让IdentityServer在资源范围内返回任何声明。我将资源范围定义为:
private static Scope Roles
{
get
{
return new Scope
{
Name = "roles",
DisplayName = "Roles",
Type = ScopeType.Identity,
Claims = new List<ScopeClaim>
{
new ScopeClaim(SecurityContants.ClaimTypes.Role)
}
};
}
}
private static Scope Api
{
get
{
return new Scope
{
Name = "api",
DisplayName = "Api",
IncludeAllClaimsForUser = true,
//i've also tried adding the claim directly
Type = ScopeType.Resource,
Emphasize = false
};
}
}
然后他们被添加到收藏中并递回。 在我的API Startup.cs中,我将owin配置为:
public void Configuration (IAppBuilder app)
{
JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
app.UseIdentityServerBearerTokenAuthentication(
new IdentityServerBearerTokenAuthenticationOptions
{
Authority = "http://localhost/security.tokenserver.site",
RequiredScopes = new[] { "api", "roles" },
RoleClaimType = "roles"
});
var config = new HttpConfiguration();
config.MapHttpAttributeRoutes();
app.UseWebApi(config);
}
}
我的API端点很简单:
public IEnumerable<string> Get()
{
var user = User as ClaimsPrincipal;
var claims = new List<string>();
foreach (var item in user.Claims)
{
claims.Add(item.Value);
}
return claims;
}
在验证后从我的UI调用时的输出是:
[ "customer_svc", "api", "https://idsrv3/embedded", "https://idsrv3/embedded/resources", "1448048492", "1448044892" ]
因此,UI的初始登录工作(我看到角色声称在那里),检索令牌工作,并将令牌交给API工作。但是,在将令牌交还给API之后,我无法看到用户的角色。
我错过了什么?