我有一个IdentityServer4,上面配置了客户端(Client)、作用域和资源。
当我用Authorize属性标记我的控制器时,这非常有效。
但是当我尝试使用基于角色的授权(例如 Authorize(Roles = ...))时,这将失败。
我正在使用Hybridflow,所有作用域都在服务器和客户端上。
在客户端,我正在将MVC5与UseOpenIdConnectAuthentication一起使用。
Server Code:
/// <summary>
/// Returns the single hybrid-flow client that the MVC5 front end authenticates with.
/// </summary>
/// <returns>The client definitions handed to the IdentityServer4 in-memory client store.</returns>
public static IEnumerable<Client> Clients()
{
    // "secret" is a sample placeholder; a deployed server should load the secret from
    // protected configuration rather than source.
    var hybridClient = new Client
    {
        ClientId = "TestWebApp_Hybrid",
        ClientName = "TestWebApp",
        Enabled = true,
        AllowedGrantTypes = GrantTypes.Hybrid,
        ClientSecrets = new List<Secret> { new Secret("secret".Sha256()) },

        // Exact-match list. The bare origin entry is broader than the signin-oidc callback
        // needs — confirm it is actually required.
        RedirectUris = new List<string>
        {
            "http://localhost:57014/signin-oidc",
            "http://localhost:57014",
        },
        PostLogoutRedirectUris = new List<string> { "http://localhost:57014/signout-callback-oidc" },

        // NOTE(review): the client requests the "roles" identity resource, but with
        // ResponseType "code id_token" the id_token carries only a minimal claim set by
        // default; the remaining user claims are served from the userinfo endpoint, which the
        // MVC5 OWIN middleware below does not call. AlwaysIncludeUserClaimsInIdToken = true on
        // this client is the usual remedy if the role claim is missing on the client — confirm.
        AllowedScopes = new List<string> { StandardScopes.OpenId, StandardScopes.Profile, "roles" },

        AccessTokenType = AccessTokenType.Jwt,
        IdentityTokenLifetime = 3600,
        AccessTokenLifetime = 3600
    };

    return new[] { hybridClient };
}
/// <summary>
/// Returns the identity resources (scopes) the server can release, including a custom
/// "roles" resource that maps to the "role" claim type used by the seed data.
/// </summary>
/// <returns>The identity resource definitions for the in-memory resource store.</returns>
public static IEnumerable<IdentityResource> IdentityResources()
{
    // Custom scope: requesting "roles" releases claims of type "role".
    var rolesResource = new IdentityResource("roles", "Your roles", new List<string> { "role" });

    return new IdentityResource[]
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
        new IdentityResources.Email(),
        rolesResource
    };
}
对于用户,我正在使用角色管理器添加角色
/// <summary>
/// Seeds the in-memory test users into the identity store and gives each newly created
/// user a "role" claim with the value "Admin".
/// </summary>
public async Task EnsureSeedData()
{
    foreach (var user in InMemoryConfiguration.Users())
    {
        // NOTE(review): the lookup passes Username to FindByEmailAsync — presumably the seed
        // usernames are e-mail addresses; confirm.
        var existing = await _userManager.FindByEmailAsync(user.Username);
        if (existing != null)
        {
            continue;
        }

        // Find User and Create, removed code for brevity
        // The claim type "role" matches the "roles" identity resource on the server.
        await _userManager.AddClaimAsync(user, new Claim("role", "Admin"));
    }
}
在Asp.NET MVC启动文件上,我有以下代码:
// OWIN OpenID Connect middleware for the MVC5 front end (hybrid flow).
// ClientId, ClientSecret and the requested scopes must match the client registered on the server.
// "secret" is a sample placeholder; in a real deployment it belongs in protected configuration.
// NOTE(review): no TokenValidationParameters are set, so the cookie identity uses the
// middleware's default name/role claim types. If [Authorize(Roles = ...)] does not see the
// "role" claim, first confirm the id_token actually carries it (hybrid flow omits user claims
// from the id_token unless the server-side client sets AlwaysIncludeUserClaimsInIdToken = true),
// and consider setting TokenValidationParameters.RoleClaimType = "role" here — confirm.
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    AuthenticationType = "oidc",
    SignInAsAuthenticationType = "Cookies",
    ClientId = "TestWebApp_Hybrid",
    ClientSecret = "secret",
    Authority = ConfigurationManager.AppSettings["Authority"],
    RedirectUri = $"{ConfigurationManager.AppSettings["RedirectUri"]}/signin-oidc",
    PostLogoutRedirectUri = $"{ConfigurationManager.AppSettings["RedirectUri"]}/signout-callback-oidc",
    ResponseType = "code id_token",
    Scope = "openid profile roles",
    UseTokenLifetime = false,
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        // Keep the raw id_token on the signed-in identity so that the later logout
        // request can present it as id_token_hint.
        SecurityTokenValidated = n =>
        {
            var identity = n.AuthenticationTicket.Identity;
            identity.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
            n.AuthenticationTicket = new AuthenticationTicket(identity, n.AuthenticationTicket.Properties);
            return Task.FromResult(0);
        },
        // Only logout requests are adjusted; sign-in redirects pass through untouched.
        RedirectToIdentityProvider = n =>
        {
            if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
            {
                var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token")?.Value;
                if (idTokenHint != null)
                {
                    n.ProtocolMessage.IdTokenHint = idTokenHint;
                }
            }

            return Task.FromResult(0);
        }
    }
});
}