目前用户首次登录我使用令牌来注册具有主题ID的新用户。我正在尝试注册他们的用户名,但我无法弄清楚如何,因为他们的电子邮件没有索赔。
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = IdentityServerAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = IdentityServerAuthenticationDefaults.AuthenticationScheme;
}).AddIdentityServerAuthentication(o =>
{
o.Authority = "https://localhost:44366";
o.ApiName = "Custom Api";
o.JwtBearerEvents = new JwtBearerEvents
{
OnTokenValidated = async tokenValidationContext =>
{
var claimsIdentity = tokenValidationContext.Principal.Identity as ClaimsIdentity;
if (claimsIdentity == null)
{
return;
}
string userId = claimsIdentity.Claims.FirstOrDefault(c => c.Type == "sub").Value;
//...
}
}
});
我注意到他们的电子邮件已包含在个人资料中。我想将电子邮件地址注册为用户名。我不想单独从令牌中获取用户名,因为用户可以使用他们自己的令牌在api中更改他们的电子邮件,我想不允许。
我的Api资源:
new ApiResource
{
Name = "myApi",
DisplayName = "my API",
Description = "my API Access",
UserClaims = new List<string> {"role"},
Scopes = new List<Scope>
{
new Scope("myApi.read"),
new Scope("myApi.write")
}
}
我的客户注册:
new Client
{
ClientId = "myClientJs",
ClientName = "JavaScript Client",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
AllowRememberConsent = true,
//RequireConsent = true,
AccessTokenType = AccessTokenType.Jwt,
RedirectUris = { "http://localhost:8166/" },
PostLogoutRedirectUris = { "http://localhost:8166/" },
AllowedCorsOrigins = { "http://localhost:8166" },
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"myAPI",
}
}
客户端配置:
this.settings = {
authority: environment.identityServerUrl,
client_id: environment.clientAuthorityId,
post_logout_redirect_uri: environment.logoutURI,
redirect_uri: environment.redirectUri,
response_type: "id_token token",
scope: "openid profile email",
automaticSilentRenew: true,
filterProtocolClaims: true,
loadUserInfo: true,
}
有没有办法可以直接与身份服务器同步我的电子邮件?如果没有,我可以直接在令牌声明中包含电子邮件,那么篡改会更难吗?
但是我想将电子邮件包含在令牌中这是可能的吗?