IProfileService中的提供商声明

时间:2018-08-17 17:56:37

标签: c# asp.net-core-2.0 identityserver4 openid-connect claims-based-identity

当我使用oidc进行身份验证时,我会收到很多索赔。如果我不添加我的自定义IProfileService,则所有这些声明都将在身份服务器发出的id_token中传递。如果我提供自己的ProfileService,则对Subject的声明列表是从idp返回的内容的子集。有什么办法可以在个人资料服务中获取完整列表?

这是Startup.cs中的相关信息:

var builder = services.AddIdentityServer(options =>
{
    options.Events.RaiseErrorEvents = true;
    options.Events.RaiseInformationEvents = true;
    options.Events.RaiseFailureEvents = true;
    options.Events.RaiseSuccessEvents = true;
}).AddProfileService<ProfileService>();

services.AddAuthentication()
.AddOpenIdConnect("Name", "Name", o =>
{
    o.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
    o.SignOutScheme = IdentityServerConstants.SignoutScheme;
    o.Authority = "https://sub.domain.com/adfs/";
    o.ClientId = "00000000-0000-0000-0000-000000000000";
    o.ClientSecret = "secret";
    o.ResponseType = "id_token";
    o.SaveTokens = true;
    o.CallbackPath = "/signin-adfs";
    o.SignedOutCallbackPath = "/signout-callback-adfs";
    o.RemoteSignOutPath = "/signout-adfs";
    o.TokenValidationParameters = new TokenValidationParameters
    {
        NameClaimType = "name",
        RoleClaimType = "role"
    };
});

和我的ProfileService:

public class ProfileService : IProfileService
{
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var objectGuidClaim = context.Subject.Claims.FirstOrDefault(x => x.Type == "ObjectGUID");
        if (objectGuidClaim != null)
        {
            var userId = new Guid(Convert.FromBase64String(objectGuidClaim.Value));
            context.IssuedClaims.Add(new Claim("UserId", userId.ToString()));
        }
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        context.IsActive = true;
        return Task.CompletedTask;
    }
}

因此,在我的情况下,如果没有ProfileService,则会传递ObjectGUID,但是使用ProfileService时,它在context.Subject.Claims列表中不可用。

我的目标是从idp中获取“ ObjectGUID”声明,该idp是base64编码的guid,并将其转换为十六进制字符串,并将其作为身份服务器的“ UserId”声明传递。

我什至不确定这是最好的方法。我也尝试过通过ClaimActions对其进行转换,但是我的动作从未执行(我使用了一个随机的Guid进行了测试,以确保它与转换无关):

o.ClaimActions.MapCustomJson("UserId", obj => {
    return Guid.NewGuid().ToString();
});

这是更好的方法吗?为什么不执行?

1 个答案:

答案 0 :(得分:1)

尝试:

  • 确保您的主题不包含 http://schemas.company.com/identity/claims/objectguid而不只是ObjectGUID
  • 扩展您的 OpenIdConnect配置,其中:o.GetClaimsFromUserInfoEndpoint = true;o.ClaimActions.MapUniqueJsonKey("ObjectGUID", "ObjectGUID");o.ClaimActions.MapUniqueJsonKey("http://schemas.company.com/identity/claims/objectguid", "ObjectGUID");
  • 如果之前没有帮助,请尝试:

            o.Events = new OpenIdConnectEvents
            {
                OnTicketReceived = context =>
                {
                var identity = context.Principal.Identity as ClaimsIdentity;
    
                StringBuilder builder = new StringBuilder();
                var claims = identity?.Claims.Select(x => $"{x.Type}:{x.Value};");
                if (claims != null)
                builder.AppendJoin(", ", claims);
                Logger.LogInformation($"Ticket received: [Claims:{builder}]");
                identity?.AddClaim(new Claim("userId", Guid.NewGuid().ToString()));
                //you can embed your transformer here if you like
                return Task.CompletedTask;
            }};
    

(您可以在此处检查确切的入场票证,并保留日志以备将来使用)