Question

我有一个IdentityServer4服务器设置，并且已经定义了一个客户端：

    public static IEnumerable<Client> Get()
    {
        return new List<Client> {
            new Client {
                ClientId = "oauthClient",
                ClientName = "Example Client Credentials Client Application",
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                ClientSecrets = new List<Secret> {
                    new Secret("superSecretPassword".Sha256())},
                AllowedScopes =     {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    IdentityServerConstants.StandardScopes.Email,
                    "role",
                    "ControlCenter",
                    "CC.Send",
                },
                Claims = new List<System.Security.Claims.Claim>
                {
                    new System.Security.Claims.Claim("CEO","true"),
                    new System.Security.Claims.Claim(ClaimTypes.Role, "CC.Send"),
                    new System.Security.Claims.Claim(ClaimTypes.Role, "CEO")
                },
                RedirectUris = new List<string> {"https://localhost:44345/signin-oidc", "https://www.getpostman.com/oauth2/callback"},
                PostLogoutRedirectUris = new List<string> {"https://localhost:44345"}
            }
        };
    }

我正在使用邮递员对此进行测试，我可以在/ connect / token端点获取令牌，但是当我将该令牌传递到/ connect / introspect端点时，它将返回：

{
    "nbf": 1505422619,
    "exp": 1505426219,
    "iss": "https://localhost:44357",
    "aud": [
        "https://localhost:44357/resources",
        "ControlCenter"
    ],
    "client_id": "oauthClient",
    "client_CEO": "true",
    "client_http://schemas.microsoft.com/ws/2008/06/identity/claims/role": [
        "CC.Send",
        "CEO"
    ],
    "scope": "CC.Send",
    "active": true
}

这让我遇到麻烦，因为我用以下方式保护了我的终端：

        services.AddAuthorization(options =>
        {
            options.AddPolicy(
                "CanSendiSuiteProfiles",
                policyBuilder => policyBuilder.RequireClaim("CEO", "true"));
        });

并且由于CEO＆lt;＆gt; client_CEO，它返回了一个错误403.我可以通过查找client_CEO来解决这个问题，但我更愿意了解client_如何被置于我的索赔之前。

Answer 1

这些会自动以IdentityServer4为前缀，但您可以使用PrefixClientClaims = false（客户端上的布尔属性）关闭前缀。

以下是IdentityServer4中DefaultClaimService的源代码： https://github.com/IdentityServer/IdentityServer4/blob/295026919db5bec1b0c8f36fc89e8aeb4b5a0e3f/src/IdentityServer4/Services/DefaultClaimsService.cs

if (request.Client.PrefixClientClaims)
{
    claimType = "client_" + claimType;
}

<强>更新从IdentityServer4 v.2及更高版本开始，属性bool PrefixClientClaims被属性string ClientClaimsPrefix取代，允许您配置所选的前缀。

if (request.Client.ClientClaimsPrefix.IsPresent())
{
    claimType = request.Client.ClientClaimsPrefix + claimType;
}

IdentityServer4将client_附加到声明

1 个答案: