OpenID Connect 和 IdentityServer4:API 与范围
OpenID Connect and IdentityServer4: APIs vs scopes
http://docs.identityserver.io/en/latest/reference/api_resource.html 说 "An API must have at least one scope."
IdentityServer4 似乎没有强制执行此限制:我有
public static IEnumerable<ApiResource> GetApis(IConfiguration config)
{
return new ApiResource[]
{
new ApiResource("orm", "Our ORM"),
};
}
(此处没有范围)并且我的软件确实可以运行并且似乎不会产生任何错误。我是否理解正确,这里我有一个错误,但 IdentityServer4 只是没有诊断错误?
另外,我还有
new Client
{
ClientId = "mvc",
ClientName = "MVC Client",
AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
ClientSecrets = { new Secret("XXX".Sha256()) },
RedirectUris = { ormClientURL + "/signin-oidc" },
FrontChannelLogoutUri = ormClientURL + "/signout-oidc",
PostLogoutRedirectUris = { ormClientURL + "/signout-callback-oidc" },
AllowOfflineAccess = true,
AllowedScopes = { "openid", "profile", "orm" }
},
尽管我没有定义范围 "orm"
,但它仍然有效。
为什么它确实有效?
如何正确解决这个问题? (我应该定义哪些客户和范围?)
ApiResource 构造函数似乎使用提供的名称和显示名称添加了范围:
public ApiResource(string name, string displayName)
: this(name, displayName, null)
{
}
public ApiResource(string name, string displayName, IEnumerable<string> claimTypes)
{
if (name.IsMissing()) throw new ArgumentNullException(nameof(name));
Name = name;
DisplayName = displayName;
Scopes.Add(new Scope(name, displayName));
if (!claimTypes.IsNullOrEmpty())
{
foreach (var type in claimTypes)
{
UserClaims.Add(type);
}
}
}
https://github.com/IdentityServer/IdentityServer4/blob/master/src/Storage/src/Models/ApiResource.cs
http://docs.identityserver.io/en/latest/reference/api_resource.html 说 "An API must have at least one scope."
IdentityServer4 似乎没有强制执行此限制:我有
public static IEnumerable<ApiResource> GetApis(IConfiguration config)
{
return new ApiResource[]
{
new ApiResource("orm", "Our ORM"),
};
}
(此处没有范围)并且我的软件确实可以运行并且似乎不会产生任何错误。我是否理解正确,这里我有一个错误,但 IdentityServer4 只是没有诊断错误?
另外,我还有
new Client
{
ClientId = "mvc",
ClientName = "MVC Client",
AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
ClientSecrets = { new Secret("XXX".Sha256()) },
RedirectUris = { ormClientURL + "/signin-oidc" },
FrontChannelLogoutUri = ormClientURL + "/signout-oidc",
PostLogoutRedirectUris = { ormClientURL + "/signout-callback-oidc" },
AllowOfflineAccess = true,
AllowedScopes = { "openid", "profile", "orm" }
},
尽管我没有定义范围 "orm"
,但它仍然有效。
为什么它确实有效?
如何正确解决这个问题? (我应该定义哪些客户和范围?)
ApiResource 构造函数似乎使用提供的名称和显示名称添加了范围:
public ApiResource(string name, string displayName)
: this(name, displayName, null)
{
}
public ApiResource(string name, string displayName, IEnumerable<string> claimTypes)
{
if (name.IsMissing()) throw new ArgumentNullException(nameof(name));
Name = name;
DisplayName = displayName;
Scopes.Add(new Scope(name, displayName));
if (!claimTypes.IsNullOrEmpty())
{
foreach (var type in claimTypes)
{
UserClaims.Add(type);
}
}
}
https://github.com/IdentityServer/IdentityServer4/blob/master/src/Storage/src/Models/ApiResource.cs