当我使用oidc进行身份验证时,我会收到很多索赔。如果我不添加我的自定义IProfileService,则所有这些声明都将在身份服务器发出的id_token中传递。如果我提供自己的ProfileService,则对Subject的声明列表是从idp返回的内容的子集。有什么办法可以在个人资料服务中获取完整列表?
这是Startup.cs中的相关信息:
var builder = services.AddIdentityServer(options =>
{
options.Events.RaiseErrorEvents = true;
options.Events.RaiseInformationEvents = true;
options.Events.RaiseFailureEvents = true;
options.Events.RaiseSuccessEvents = true;
}).AddProfileService<ProfileService>();
services.AddAuthentication()
.AddOpenIdConnect("Name", "Name", o =>
{
o.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
o.SignOutScheme = IdentityServerConstants.SignoutScheme;
o.Authority = "https://sub.domain.com/adfs/";
o.ClientId = "00000000-0000-0000-0000-000000000000";
o.ClientSecret = "secret";
o.ResponseType = "id_token";
o.SaveTokens = true;
o.CallbackPath = "/signin-adfs";
o.SignedOutCallbackPath = "/signout-callback-adfs";
o.RemoteSignOutPath = "/signout-adfs";
o.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
RoleClaimType = "role"
};
});
和我的ProfileService:
public class ProfileService : IProfileService
{
public Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var objectGuidClaim = context.Subject.Claims.FirstOrDefault(x => x.Type == "ObjectGUID");
if (objectGuidClaim != null)
{
var userId = new Guid(Convert.FromBase64String(objectGuidClaim.Value));
context.IssuedClaims.Add(new Claim("UserId", userId.ToString()));
}
return Task.CompletedTask;
}
public Task IsActiveAsync(IsActiveContext context)
{
context.IsActive = true;
return Task.CompletedTask;
}
}
因此,在我的情况下,如果没有ProfileService,则会传递ObjectGUID
,但是使用ProfileService时,它在context.Subject.Claims
列表中不可用。
我的目标是从idp中获取“ ObjectGUID”声明,该idp是base64编码的guid,并将其转换为十六进制字符串,并将其作为身份服务器的“ UserId”声明传递。
我什至不确定这是最好的方法。我也尝试过通过ClaimActions
对其进行转换,但是我的动作从未执行(我使用了一个随机的Guid进行了测试,以确保它与转换无关):
o.ClaimActions.MapCustomJson("UserId", obj => {
return Guid.NewGuid().ToString();
});
这是更好的方法吗?为什么不执行?
答案 0 :(得分:1)
尝试:
http://schemas.company.com/identity/claims/objectguid
而不只是ObjectGUID
o.GetClaimsFromUserInfoEndpoint =
true;
和o.ClaimActions.MapUniqueJsonKey("ObjectGUID", "ObjectGUID");
或o.ClaimActions.MapUniqueJsonKey("http://schemas.company.com/identity/claims/objectguid", "ObjectGUID");
如果之前没有帮助,请尝试:
o.Events = new OpenIdConnectEvents
{
OnTicketReceived = context =>
{
var identity = context.Principal.Identity as ClaimsIdentity;
StringBuilder builder = new StringBuilder();
var claims = identity?.Claims.Select(x => $"{x.Type}:{x.Value};");
if (claims != null)
builder.AppendJoin(", ", claims);
Logger.LogInformation($"Ticket received: [Claims:{builder}]");
identity?.AddClaim(new Claim("userId", Guid.NewGuid().ToString()));
//you can embed your transformer here if you like
return Task.CompletedTask;
}};
(您可以在此处检查确切的入场票证,并保留日志以备将来使用)