I have a client that can access 2 scopes on 2 different resources. Each scope has its own claims. However, I noticed that all the claims of both scopes are returned to each resource. How can I ensure that only the claims belonging to the right scope are returned to a resource?
This is what I have in the resource's startup:
// I use IdentityServer3.AccessTokenRequest since my resource is a .net app
public void Configuration(IAppBuilder app)
{
    app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
    {
        Authority = URLToIdentityServer,
        RequiredScopes = new[] { "SomeAPI.read" } // Notice this is the scope we want claims for.
    });
    // Some other stuff
}
Here is what I have in the identity server:
public static IEnumerable<Client> GetClients()
{
    return new List<Client>
    {
        new Client
        {
            ClientId = "ClientId",
            ClientName = "Client Name",
            ClientSecrets = new List<Secret> { new Secret("SuperSecret".Sha256()) },
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            AllowedScopes = new List<string> { "SomeAPI.read", "OtherAPI.write" }, // Notice client has access to 2 scopes from 2 resources.
            Claims = claims
        }
    };
}

private static ICollection<Claim> claims = new List<Claim>
{
    new Claim("Claim1", "Value1"), // Belongs to scope "SomeAPI.read"
    new Claim("Claim2", "Value2"), // Belongs to scope "SomeAPI.read"
    new Claim("Claim3", "Value3"), // Belongs to scope "OtherAPI.write"
    new Claim("Claim4", "Value4"), // Belongs to scope "OtherAPI.write"
};
In case you are wondering what the resources and their scopes/claims look like:
public static IEnumerable<ApiResource> GetApiResources()
{
    return new List<ApiResource>
    {
        new ApiResource
        {
            Name = "SomeAPI",
            DisplayName = "Some API",
            Description = "This is the resource which we expect 2 claims for, but get 4",
            ApiSecrets = new List<Secret> { new Secret("ScopeSecret".Sha256()) },
            Scopes = new List<Scope>
            {
                new Scope("SomeAPI.read", readClaimTypes),
            },
            Enabled = true,
        },
        new ApiResource
        {
            Name = "OtherAPI",
            DisplayName = "Other API",
            Description = "Another API that also has a scope with 2 claims and we don't want to get these claims back in the resource they don't belong to",
            ApiSecrets = new List<Secret> { new Secret("SomeOtherSecret".Sha256()) },
            Scopes = new List<Scope>
            {
                new Scope("OtherAPI.write", writeClaimTypes)
            },
            Enabled = true,
        }
    };
}

private static IEnumerable<string> readClaimTypes = new List<string> { "claim1", "claim2" };
private static IEnumerable<string> writeClaimTypes = new List<string> { "claim3", "claim4" };
With this configuration I expect my resource to get only the first 2 claims. But it gets all 4. Any help would be greatly appreciated.
Answer 0 (score: 1)
It seems this behaviour is by design. If you look at the documentation:
"Claims: Allows setting claims for the client (will be included in the access token)."
I tried to change the configuration, but that did not fix it. I also tried the following with a ProfileService. But this is NOT the way to do it!
using System.Linq;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Services;

public class ProfileService : IProfileService
{
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // DO NOT USE!!!
        if (context.Caller == "ClaimsProviderAccessToken")
        {
            var claims = context.Client.Claims
                .Where(c => context.RequestedClaimTypes.Contains(c.Type)).ToList();
            // Replace the list. This overwrites the in-memory collection!
            // This will eventually result in an empty list for all tokens.
            // The collection may not be altered!
            context.Client.Claims = claims;
        }
        return Task.CompletedTask;
    }

    // Required by IProfileService; added so the class compiles.
    public Task IsActiveAsync(IsActiveContext context)
    {
        context.IsActive = true;
        return Task.CompletedTask;
    }
}
The only way to change the behaviour is to dive into the code and add a filter there, without altering the collection.
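The "add a filter in the code" route from the answer, as an added example that is not part of the original question or answer: a custom IClaimsService that drops client claims not declared as UserClaims by any granted scope, leaving Client.Claims itself untouched. It assumes IdentityServer4 2.x, where DefaultClaimsService exposes a virtual GetAccessTokenClaimsAsync(ClaimsPrincipal, Resources, ValidatedRequest) and an (IProfileService, ILogger) constructor, and it matches claim types case-insensitively because the question's config uses "Claim1" on the client but "claim1" on the scope.

```csharp
// Added example, not code from the question, answer or IdentityServer4 itself.
// Assumes IdentityServer4 2.x API shapes (DefaultClaimsService, Resources, ValidatedRequest).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Services;
using IdentityServer4.Validation;
using Microsoft.Extensions.Logging;

public class ScopeFilteredClaimsService : DefaultClaimsService
{
    public ScopeFilteredClaimsService(IProfileService profile, ILogger<DefaultClaimsService> logger)
        : base(profile, logger) { }

    public override async Task<IEnumerable<Claim>> GetAccessTokenClaimsAsync(
        ClaimsPrincipal subject, Resources resources, ValidatedRequest request)
    {
        // Let the default implementation build the token claims; for a client credentials
        // request this includes every entry of Client.Claims (the behaviour the question hits).
        var claims = (await base.GetAccessTokenClaimsAsync(subject, resources, request)).ToList();

        // Claim types that the granted scopes actually declare, e.g. "claim1"/"claim2"
        // when only SomeAPI.read was requested. Case-insensitive to match the question's config.
        var allowed = new HashSet<string>(
            resources.ApiResources
                .SelectMany(api => api.Scopes)
                .SelectMany(scope => scope.UserClaims),
            StringComparer.OrdinalIgnoreCase);

        // Client claims are emitted with the client's prefix ("client_" by default).
        var prefix = request.Client.ClientClaimsPrefix ?? string.Empty;

        // Remove only the client-sourced claims that no granted scope declares.
        // The filter works on the output list, so request.Client.Claims is never modified.
        claims.RemoveAll(c =>
            request.Client.Claims.Any(cc => prefix + cc.Type == c.Type) &&
            !allowed.Contains(c.Type.Substring(prefix.Length)));

        return claims;
    }
}

// Registration in Startup.ConfigureServices, after services.AddIdentityServer(...):
// services.AddTransient<IClaimsService, ScopeFilteredClaimsService>();
```

With the question's configuration, a token requested for SomeAPI.read then carries client_Claim1 and client_Claim2 only, while a request for both scopes still receives all four.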