Adding roles to the IdentityServer response object

Time: 2017-03-09 11:14:23

Tags: asp.net-web-api claims-based-identity identityserver3 user-roles authorize-attribute

I am using Identity Server 3. I am getting a bearer token from IdentityServer3, but the request comes back as Unauthorized unless the user has the permission.

The decoded version of the AccessToken is:

{
  "iss": "https://localhost:1234/core",
  "aud": "https://localhost:1234/core/resources",
  "exp": 1489060441,
  "nbf": 1489056841,
  "client_id": "app1",
  "scope": [
    "openid",
    "profile",
    "email",
    "roles",
    "app1"
  ],
  "sub": "93f7aab4-5469-4c85-8e73-5dcd859ed2a8",
  "auth_time": 1489056776,
  "idp": "idsrv",
  "amr": [
    "password"
  ]
}

What I expect is:

{
  "iss": "https://localhost:1234/core",
  "aud": "https://localhost:1234/core/resources",
  "exp": 1489060441,
  "nbf": 1489056841,
  "client_id": "app1",
  "scope": [
    "openid",
    "profile",
    "email",
    "roles",
    "app1"
  ],
  "roles": [
    "Admin"
  ],
  "sub": "93f7aab4-5469-4c85-8e73-5dcd859ed2a8",
  "auth_time": 1489056776,
  "idp": "idsrv",
  "amr": [
    "password"
  ]
}

Client:

new Client
{
    ClientId = @"APP1",
    ClientName = @"APP Implicit Client",
    Enabled = true,
    Flow = Flows.Implicit,
    RequireConsent = true,
    AllowRememberConsent = true,
    RedirectUris = new List<string> { "http://localhost:5775/callback/" },
    PostLogoutRedirectUris = new List<string> { "http://localhost:5775/logout" },
    AllowedCorsOrigins = new List<string> { "http://localhost:5775/" },
    AllowedScopes = new List<string>
    {
        Constants.StandardScopes.OpenId,
        Constants.StandardScopes.Profile,
        Constants.StandardScopes.Email,
        Constants.StandardScopes.Roles,
        "app1"
    },
    AccessTokenType = AccessTokenType.Jwt
}

User:

new InMemoryUser
{
    Username = "User1",
    Password = "Password123!",
    Subject = "1",
    Claims = new List<Claim>
    {
        new Claim(Constants.ClaimTypes.GivenName, "Bala"),
        new Claim(Constants.ClaimTypes.FamilyName, "Balamanigandan"),
        new Claim(Constants.ClaimTypes.Email, "balamanigandan.b@gmail.com"),
        new Claim(Constants.ClaimTypes.Role, "Admin")
    }
}

My WebAPI has a method decorated with [Authorize(Roles = "Admin")], which requires a bearer token carrying the role "Admin".

Please help me with how to add the role to this token so that the [Authorize(Roles = "Admin")] method in the WebAPI can be accessed.

1 answer:

Answer 0: (score: 0)

Try setting up a Scope named "Roles" with a ScopeClaim named "Admin", and with the ScopeType set to "Resource" if you want it in the "access_token". I noticed that you already have the role claim in the user's claims; change "roles" to "role".

Example scope:

public static Scope Roles
{
    get
    {
        return new Scope
        {
            Name = "Roles",
            Type = ScopeType.Resource,
            Emphasize = true,
            IncludeAllClaimsForUser = true,
            Claims = new List<ScopeClaim>
            {
                new ScopeClaim("Admin", true)
            }
        };
    }
}
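For comparison, here is an added example (written for this page, not code from the question or the answer above) of an IdentityServer3 configuration that gets the user's role into the JWT access token, together with the matching Web API bearer-token setup. It assumes the "app1" scope already listed in the client's AllowedScopes is the Web API's resource scope; the claim then appears in the access token under the key "role" (the value of Constants.ClaimTypes.Role), not "roles" as in the expected token above.

```csharp
// Added example: role claim in the IdentityServer3 access token + API-side check.
// The scope/claim names used here are assumptions matching the question's setup.
using System.Collections.Generic;
using IdentityServer3.Core;
using IdentityServer3.Core.Models;
using IdentityServer3.AccessTokenValidation;
using Owin;

public static class Scopes
{
    public static IEnumerable<Scope> Get()
    {
        return new List<Scope>
        {
            StandardScopes.OpenId,
            StandardScopes.Profile,
            StandardScopes.Email,
            // Identity scopes such as StandardScopes.Roles feed the id_token and the
            // userinfo endpoint only. To get a claim into the access token it has to
            // be attached to a Resource scope that the client requests.
            new Scope
            {
                Name = "app1",                 // the API's scope (assumed), as in AllowedScopes
                DisplayName = "APP1 Web API",
                Type = ScopeType.Resource,
                Claims = new List<ScopeClaim>
                {
                    // A ScopeClaim names the claim *type* ("role"), not a claim *value*
                    // such as "Admin"; the user's own claims supply the value.
                    new ScopeClaim(Constants.ClaimTypes.Role)
                }
            }
        };
    }
}

// Web API (OWIN) side: validate the token against this issuer, require the API's
// own scope so tokens minted for other resources are rejected, and tell the
// middleware which claim type [Authorize(Roles = "Admin")] should read.
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = "https://localhost:1234/core",
            RequiredScopes = new[] { "app1" },
            RoleClaimType = Constants.ClaimTypes.Role
        });
    }
}
```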