Roles not in Token via IdentityServer4
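I am using IdentityServer4 to authenticate my internal applications. In my GrantValidator I call a service to validate the username and password. The service returns a list of the user's roles.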
    public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
    {
        // Check the supplied credentials against the external login service.
        var loginResponse = await loginService.ValidateCreds(context.UserName, context.Password);
        if (loginResponse.Success)
        {
            // Turn each returned role into a role claim (empty if the service returned none).
            var roleClaims = loginResponse.Roles?.Select(x => new Claim(ClaimTypes.Role, x)) ?? Enumerable.Empty<Claim>();
            // The claims argument doesn't seem to do anything!
            context.Result = new GrantValidationResult(loginResponse.UserId, "password", roleClaims);
        }
        else
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidClient, "Invalid Credentials");
    }
The returned token:
    {
      "nbf": 1491409664,
      "exp": 1491413264,
      "iss": "http://localhost:5000",
      "aud": [
        "http://localhost:5000/resources",
        "redacted"
      ],
      "client_id": "localhost",
      "sub": "nouser_222222222|1234567",
      "auth_time": 1491409634,
      "idp": "local",
      "clientid": "dfc962d7-c731-4d42-b0c8-bec766dc7813",
      "scope": [
        "profile",
        "redacted"
      ],
      "amr": [
        "password"
      ]
    }
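The profile service is responsible for putting claims into tokens. Implement IProfileService and register it in DI.
There you have access to the claims that the resource owner validator put into the subject, and you can then emit them by putting them into the IssuedClaims collection.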
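One way to implement what the answer describes, as an added example that is not code from the original post. The names RoleProfileService and IdentityServerSetup are hypothetical, and re-issuing the roles under the short JWT claim type "role" is an assumption about what the consuming APIs expect.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical class name: copies only role claims from the subject into the token.
public class RoleProfileService : IProfileService
{
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // context.Subject carries the claims that the resource owner password
        // validator passed to GrantValidationResult (created with ClaimTypes.Role).
        var roles = context.Subject.FindAll(ClaimTypes.Role)
            .Select(c => new Claim(JwtClaimTypes.Role, c.Value)); // assumption: emit as "role"

        // Issue the roles only, not every claim on the subject, so the token
        // carries no more than the APIs need for authorization.
        context.IssuedClaims.AddRange(roles);
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        // Assumption: the login service already rejects disabled accounts,
        // so every subject that reaches this point is treated as active.
        context.IsActive = true;
        return Task.CompletedTask;
    }
}

public static class IdentityServerSetup
{
    // Call from Startup.ConfigureServices alongside the IdentityServer registration.
    public static void AddRoleProfileService(IServiceCollection services)
    {
        services.AddTransient<IProfileService, RoleProfileService>();
    }
}
```

Because the roles are fixed into the token when it is issued, a role removed in the login service stays in already issued access tokens until they expire.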