okta + .net web api - 如何获得经过身份验证的用户电子邮件&名称(配置文件范围数据)

时间:2018-02-14 16:01:21

标签: asp.net-web-api okta okta-api

我的web api服务器实现了与okta指南相同的代码:
https://developer.okta.com/quickstart/#/widget/dotnet/aspnet4

public void Configuration(IAppBuilder app)
{
    // Configure JWT Bearer middleware
    // with an OpenID Connect Authority

    var authority = "https://{yourOktaDomain}.com/oauth2/default";

    var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
        authority + "/.well-known/openid-configuration",
        new OpenIdConnectConfigurationRetriever(),
        new HttpDocumentRetriever());

    app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
    {
        AuthenticationMode = AuthenticationMode.Active,
        TokenValidationParameters = new TokenValidationParameters
        {
            ValidAudience = "api://default",
            ValidIssuer = authority,
            IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) =>
            {
                var discoveryDocument = Task.Run(() => configurationManager.GetConfigurationAsync()).GetAwaiter().GetResult();
                return discoveryDocument.SigningKeys;
            }
        }
    });
}

身份验证有效,但我如何从“个人资料”范围获得经过验证的用户电子邮件和名称
我看到的是: enter image description here

谢谢!

1 个答案:

答案 0 :(得分:0)

好吧,经过几个小时的浪费,解决方案是这些变化:

  • 发送id_token而不是session_token
  • ValidAudience = "api://default"ValidAudience = "your-application-client-id"
  • ValidateAudience = true