Identity Server: adding claims to the ClaimsPrincipal in an MVC client using hybrid flow

Date: 2018-06-11 10:52:59

Tags: .net .net-core identityserver4

I am setting up Identity Server and cannot understand why I am unable to access the newly added claims from my MVC website.

I am using quickstart example no. 5 (Link on github) with the following changes in Identity Server:

    public static IEnumerable<IdentityResource> GetIdentityResources()
    {
        return new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
            // added: a "role" identity resource that carries the user's role claim
            new IdentityResource
            {
                Name = JwtClaimTypes.Role,
                DisplayName = JwtClaimTypes.Role,
                UserClaims = { JwtClaimTypes.Role }
            }
        };
    }

    public static IEnumerable<Client> GetClients()
    {
        // client credentials client
        return new List<Client>
        {
            new Client
            {
                ClientId = "mvc",
                ClientName = "MVC Client",
                AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,

                ClientSecrets =
                {
                    new Secret("secret".Sha256())
                },

                RedirectUris = { "http://localhost:5002/signin-oidc" },
                PostLogoutRedirectUris = { "http://localhost:5002/signout-callback-oidc" },

                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "api1",
                    JwtClaimTypes.Role   // added: allow the client to request the "role" scope
                },
                AllowOfflineAccess = true
            }
        };
    }

    public static List<TestUser> GetUsers()
    {
        return new List<TestUser>
        {
            new TestUser
            {
                SubjectId = "1",
                Username = "alice",
                Password = "password",

                Claims = new List<Claim>
                {
                    new Claim("name", "Alice"),
                    new Claim("website", "https://alice.com"),
                    new Claim(JwtClaimTypes.Role, "Admin")   // added: the role claim for the test user
                }
            }
        };
    }

and the following changes in the MVC project:

    .AddOpenIdConnect("oidc", options =>
    {
        options.SignInScheme = "Cookies";

        options.Authority = "http://localhost:5000";
        options.RequireHttpsMetadata = false;

        options.ClientId = "mvc";
        options.ClientSecret = "secret";
        options.ResponseType = "code id_token";

        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;

        options.Scope.Add("api1");
        options.Scope.Add("offline_access");
        options.Scope.Add(JwtClaimTypes.Role);   // added: request the "role" scope
    });

However, I do not see the role claim among the claims of the ClaimsPrincipal in the MVC application. I am sure I am missing something. I can add the claim to my access token and find it there. I have also tried implementing a ProfileService to add the claim there, but after login I still cannot find it in the ClaimsPrincipal. Please enlighten me =)

My profile service:

    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var user = Config.GetUsers().First();
        // issue the role claim for every profile request, regardless of what was asked for
        var claims = new List<Claim>
        {
            new Claim(JwtClaimTypes.Role, "Admin"),
        };

        context.IssuedClaims.AddRange(claims);

        return Task.FromResult(0);
    }

1 answer:

Answer 0 (score: 0)

Ok, so I found the answer in this thread: https://github.com/aspnet/Security/issues/1449

In short: in .NET Core 2.0, to avoid cookie bloat, you have to map the claims manually using claim actions.

The fix looks like this:

    .AddOpenIdConnect("oidc", options =>
    {
        options.SignInScheme = "Cookies";

        options.Authority = "http://localhost:5000";
        options.RequireHttpsMetadata = false;

        options.ClientId = "mvc";
        options.ClientSecret = "secret";
        options.ResponseType = "code id_token";

        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;

        options.Scope.Add("api1");
        options.Scope.Add("offline_access");
        options.Scope.Add(JwtClaimTypes.Role);   // request the "role" scope
        // map the "role" key of the userinfo JSON onto a "role" claim in the principal
        options.ClaimActions.MapJsonKey(JwtClaimTypes.Role, JwtClaimTypes.Role);
    });
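The mapping above gets the claim into the cookie principal, but [Authorize(Roles = "...")] and User.IsInRole still check ClaimsIdentity.RoleClaimType, which defaults to the long Microsoft claim URI rather than "role". The following is an added example, not the answer's or the quickstart's code, of a complete MVC client setup that combines the claim action with the role and name claim-type settings needed for authorization. It assumes ASP.NET Core 2.x with the OpenIdConnect and IdentityModel packages, the quickstart's IdentityServer on http://localhost:5000, and a made-up AdminController.

```csharp
// Added example (not from the original post): MVC client authentication setup
// that maps the userinfo "role" key and makes ASP.NET Core treat it as a role.
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using IdentityModel;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class AuthenticationSetup
{
    // Hypothetical extension method; call it from Startup.ConfigureServices.
    public static void AddIdentityServerClient(this IServiceCollection services)
    {
        // Without this the JWT handler renames "sub", "name" etc. in the id_token
        // to the long http://schemas.xmlsoap.org/... claim types, so the
        // id_token claims and the userinfo claims end up under different names.
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

        services.AddAuthentication(options =>
            {
                options.DefaultScheme = "Cookies";
                options.DefaultChallengeScheme = "oidc";
            })
            .AddCookie("Cookies")
            .AddOpenIdConnect("oidc", options =>
            {
                options.SignInScheme = "Cookies";
                options.Authority = "http://localhost:5000";
                // Development only: never disable HTTPS metadata validation
                // against a production authority.
                options.RequireHttpsMetadata = false;

                options.ClientId = "mvc";
                options.ClientSecret = "secret";
                options.ResponseType = "code id_token";
                options.SaveTokens = true;

                // With hybrid flow the identity claims are served from the
                // userinfo endpoint by default, so the client must call it ...
                options.GetClaimsFromUserInfoEndpoint = true;

                options.Scope.Add("api1");
                options.Scope.Add("offline_access");
                options.Scope.Add(JwtClaimTypes.Role);

                // ... and must explicitly map the JSON key to a claim, because the
                // 2.x handler only maps a fixed set of userinfo keys on its own.
                options.ClaimActions.MapJsonKey(JwtClaimTypes.Role, JwtClaimTypes.Role);

                // Tell the principal which claim types hold the name and the roles;
                // otherwise [Authorize(Roles = ...)] looks for the long URI types.
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = JwtClaimTypes.Name,
                    RoleClaimType = JwtClaimTypes.Role
                };
            });
    }
}

// Hypothetical controller: reachable only when the mapped "role" claim
// contains "Admin"; lists the role values that reached the principal.
public class AdminController : Controller
{
    [Authorize(Roles = "Admin")]
    public IActionResult Index()
    {
        var roles = User.FindAll(JwtClaimTypes.Role).Select(c => c.Value);
        return Content("Roles: " + string.Join(", ", roles));
    }
}
```

Pair this with app.UseAuthentication() in Configure before app.UseMvc(). If the role does not show up, inspect the userinfo response first: the claim action can only map a key that IdentityServer actually returned, which in turn depends on the client's AllowedScopes and the profile service.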