如何添加要包含在令牌中的其他声明?
一旦API收到持有者令牌,User.Identity对象就会填充以下声明。
[
{
"key": "nbf",
"value": "1484614344"
},
{
"key": "exp",
"value": "1484615244"
},
{
"key": "iss",
"value": "http://localhost:85"
},
{
"key": "aud",
"value": "http://localhost:85/resources"
},
{
"key": "aud",
"value": "WebAPI"
},
{
"key": "client_id",
"value": "MyClient"
},
{
"key": "sub",
"value": "d74c815a-7ed3-4671-b4e4-faceb0854bf6"
},
{
"key": "auth_time",
"value": "1484611732"
},
{
"key": "idp",
"value": "local"
},
{
"key": "role",
"value": "AccountsManager"
},
{
"key": "scope",
"value": "openid"
},
{
"key": "scope",
"value": "profile"
},
{
"key": "scope",
"value": "roles"
},
{
"key": "scope",
"value": "WebAPI"
},
{
"key": "scope",
"value": "offline_access"
},
{
"key": "amr",
"value": "pwd"
}
]
我想要其他声明,例如username, email, legacySystemUserId等。这些字段已存在于AspNetUsers表中(并且不会重复存在于AspNetUserClaims表中)并且可在ASP中使用我的ApplicationUser对象中的.Net Core应用程序。
我希望它们包含在使用用户名和密码进行身份验证后返回的访问令牌中。想要在我的WebAPI应用程序中使用它,该应用程序无法访问身份服务器数据库,并且其自己的数据库根据用户的电子邮件地址而不是UserId(这是ASP中生成的guid)存储数据.NET身份并作为SUB声明收到。)
答案 0 :(得分:19)
我几个小时以来一直在打这个问题,最后拼凑了解决方案。这个article是一个很大的帮助,但总结和分享我的实现:
为了获取分配给用户的声明并将其附加到访问令牌,您需要在身份服务器上实现两个接口:IResourceOwnerPasswordValidator和IProfileService。以下是我对这两个类的实现,并且是粗略的草稿,但它们都有效。
**确保此时获得最新版本的IdentityServer4 - 1.0.2。
public class ResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
{
private readonly UserManager<ApplicationUser> _userManager;
public ResourceOwnerPasswordValidator(UserManager<ApplicationUser> userManager)
{
_userManager = userManager;
}
public Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
{
var userTask = _userManager.FindByNameAsync(context.UserName);
var user = userTask.Result;
context.Result = new GrantValidationResult(user.Id, "password", null, "local", null);
return Task.FromResult(context.Result);
}
}
和
public class AspNetIdentityProfileService : IProfileService
{
private readonly UserManager<ApplicationUser> _userManager;
public AspNetIdentityProfileService(UserManager<ApplicationUser> userManager)
{
_userManager = userManager;
}
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var subject = context.Subject;
if (subject == null) throw new ArgumentNullException(nameof(context.Subject));
var subjectId = subject.GetSubjectId();
var user = await _userManager.FindByIdAsync(subjectId);
if (user == null)
throw new ArgumentException("Invalid subject identifier");
var claims = await GetClaimsFromUser(user);
var siteIdClaim = claims.SingleOrDefault(x => x.Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress");
context.IssuedClaims.Add(new Claim(JwtClaimTypes.Email, user.Email));
context.IssuedClaims.Add(new Claim("siteid", siteIdClaim.Value));
context.IssuedClaims.Add(new Claim(JwtClaimTypes.Role, "User"));
var roleClaims = claims.Where(x => x.Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role");
foreach (var roleClaim in roleClaims)
{
context.IssuedClaims.Add(new Claim(JwtClaimTypes.Role, roleClaim.Value));
}
}
public async Task IsActiveAsync(IsActiveContext context)
{
var subject = context.Subject;
if (subject == null) throw new ArgumentNullException(nameof(context.Subject));
var subjectId = subject.GetSubjectId();
var user = await _userManager.FindByIdAsync(subjectId);
context.IsActive = false;
if (user != null)
{
if (_userManager.SupportsUserSecurityStamp)
{
var security_stamp = subject.Claims.Where(c => c.Type == "security_stamp").Select(c => c.Value).SingleOrDefault();
if (security_stamp != null)
{
var db_security_stamp = await _userManager.GetSecurityStampAsync(user);
if (db_security_stamp != security_stamp)
return;
}
}
context.IsActive =
!user.LockoutEnabled ||
!user.LockoutEnd.HasValue ||
user.LockoutEnd <= DateTime.Now;
}
}
private async Task<IEnumerable<Claim>> GetClaimsFromUser(ApplicationUser user)
{
var claims = new List<Claim>
{
new Claim(JwtClaimTypes.Subject, user.Id),
new Claim(JwtClaimTypes.PreferredUserName, user.UserName)
};
if (_userManager.SupportsUserEmail)
{
claims.AddRange(new[]
{
new Claim(JwtClaimTypes.Email, user.Email),
new Claim(JwtClaimTypes.EmailVerified, user.EmailConfirmed ? "true" : "false", ClaimValueTypes.Boolean)
});
}
if (_userManager.SupportsUserPhoneNumber && !string.IsNullOrWhiteSpace(user.PhoneNumber))
{
claims.AddRange(new[]
{
new Claim(JwtClaimTypes.PhoneNumber, user.PhoneNumber),
new Claim(JwtClaimTypes.PhoneNumberVerified, user.PhoneNumberConfirmed ? "true" : "false", ClaimValueTypes.Boolean)
});
}
if (_userManager.SupportsUserClaim)
{
claims.AddRange(await _userManager.GetClaimsAsync(user));
}
if (_userManager.SupportsUserRole)
{
var roles = await _userManager.GetRolesAsync(user);
claims.AddRange(roles.Select(role => new Claim(JwtClaimTypes.Role, role)));
}
return claims;
}
}
一旦有了这些,就需要将它们添加到startup.cs中的服务中:
services.AddTransient<IResourceOwnerPasswordValidator, ResourceOwnerPasswordValidator>();
services.AddTransient<IProfileService, AspNetIdentityProfileService>();
以下是我的配置的快速浏览:
public static IEnumerable<IdentityResource> GetIdentityResources()
{
return new List<IdentityResource>
{
new IdentityResources.OpenId()
};
}
public static IEnumerable<ApiResource> GetApiResources()
{
return new List<ApiResource>
{
new ApiResource
{
Name = "api1",
Description = "My Api",
Scopes =
{
new Scope()
{
Name = "api1",
DisplayName = "Full access to Api"
}
}
}
};
}
public static IEnumerable<Client> GetClients()
{
return new List<Client>
{
new Client
{
ClientId = "apiClient",
ClientName = "Api Angular2 Client",
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
AlwaysSendClientClaims = true,
AlwaysIncludeUserClaimsInIdToken = true,
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedScopes =
{
"api1"
}
}
};
}
之后,从客户端调用身份服务器:
var discoTask = DiscoveryClient.GetAsync("http://localhost:5000");
var disco = discoTask.Result;
var tokenClient = new TokenClient(disco.TokenEndpoint, "apiClient", "secret");
var tokenResponseTask = tokenClient.RequestResourceOwnerPasswordAsync("user@domain.com", "my-password", "api1");
var tokenResponse = tokenResponseTask.Result;
var accessToken = tokenResponse.AccessToken;
if (tokenResponse.IsError)
{
Console.WriteLine(tokenResponse.Error);
return;
}
在jwt.io上检查令牌并查看结果......