IdentityServer 在使用参考令牌时获得声明

IdentityServer getting claims to appear when using reference token

我发现这真的很混乱,而且在任何地方都找不到任何文档。我希望我没有费心移动到身份服务器,我遇到的所有问题...... 无论如何,当前的问题是,当我进行身份验证时,没有任何声明基于 User.Identity.

我尝试使用 ClaimsTransformer 添加我的声明,but it turns out that you can't use DI to get database claims 使用 ClaimsTransformer。所以我不得不想出另一个解决方案。

经过大量挖掘后我发现有一个 ClaimsProvider 可以使用。但是当我添加它时,我无法授权我的请求。 这是我的配置 before 我添加了 ClaimsProvider:

public static class Config
{
    /// <summary>
    ///     Configures identity server
    /// </summary>
    public static void ConfigureIdentityServer(this IAppBuilder app, CormarConfig config)
    {
        // Create our options
        var identityServerOptions = new IdentityServerOptions
        {
            SiteName = "Cormar API",
            SigningCertificate = LoadCertificate(),
            IssuerUri = "https://cormarapi-test.azurewebsites.net",

            LoggingOptions = new LoggingOptions
            {
                EnableHttpLogging = true,
                EnableWebApiDiagnostics = true,
                EnableKatanaLogging = true,
                WebApiDiagnosticsIsVerbose = true
            },

            Factory = new IdentityServerServiceFactory().Configure(config),

            // Disable when live
            EnableWelcomePage = true
        };

        // Setup our auth path
        app.Map("/identity", idsrvApp => { idsrvApp.UseIdentityServer(identityServerOptions); });
    }


    /// <summary>
    ///     Configures the identity server to use token authentication
    /// </summary>
    public static void ConfigureIdentityServerTokenAuthentication(this IAppBuilder app, HttpConfiguration config)
    {
        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = "https://cormarapi-test.azurewebsites.net/identity",
            DelayLoadMetadata = true,
            ValidationMode = ValidationMode.Both,
            RequiredScopes = new[] {"api"},

            ClientId = "api",
            ClientSecret = "8at?7nAtaB!E"
        });
    }

    /// <summary>
    ///     Loads the certificate
    /// </summary>
    /// <returns></returns>
    private static X509Certificate2 LoadCertificate()
    {
        var certPath = $"{AppDomain.CurrentDomain.BaseDirectory}App_Data\idsrv3test.pfx";
        var certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        certStore.Open(OpenFlags.ReadOnly);
        var certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, "3A1AFB6E1DC5C3F341E63651542C740DA4148866", false);
        certStore.Close();

        // If we are on azure, get the actual self signed certificate, otherwise return the test one
        return certCollection.Count > 0 ? certCollection[0] : new X509Certificate2(certPath, "idsrv3test");
    }

    /// <summary>
    ///     Configure the identity service factory with custom services
    /// </summary>
    /// <returns></returns>
    private static IdentityServerServiceFactory Configure(this IdentityServerServiceFactory factory, CormarConfig config)
    {
        var serviceOptions = new EntityFrameworkServiceOptions {ConnectionString = config.SqlConnectionString};
        factory.RegisterOperationalServices(serviceOptions);
        factory.RegisterConfigurationServices(serviceOptions);
        factory.CorsPolicyService = new Registration<ICorsPolicyService>(new DefaultCorsPolicyService {AllowAll = true}); // Allow all domains to access authentication

        factory.Register(new Registration<DbContext>(dr => dr.ResolveFromAutofacOwinLifetimeScope<DbContext>()));
        factory.UserService = new Registration<IUserService>(dr => dr.ResolveFromAutofacOwinLifetimeScope<IUserService>());
        factory.ClientStore = new Registration<IClientStore>(dr => dr.ResolveFromAutofacOwinLifetimeScope<IClientStore>());
        factory.ScopeStore = new Registration<IScopeStore>(dr => dr.ResolveFromAutofacOwinLifetimeScope<IScopeStore>());

        return factory;
    }
}

像这样设置后,我在 Startup.cs:

中调用它
app.ConfigureIdentityServer(scope.Resolve<CormarConfig>());
app.ConfigureIdentityServerTokenAuthentication(config);
app.UseWebApi(config);

一切正常(索赔除外)。我可以进行身份​​验证,也可以授权我的请求。 现在我需要获取我的 UserClaims,所以我创建了我的 ClaimsProvider,如下所示:

public class ClaimsProvider: DefaultClaimsProvider
{

    private readonly IUserStore<User> _userStore;
    public ClaimsProvider(IUserService userService, IUserStore<User> userStore)
        : base(userService)
    {
        _userStore = userStore;
    }

    public override async Task<IEnumerable<Claim>> GetAccessTokenClaimsAsync(ClaimsPrincipal subject, Client client, IEnumerable<Scope> scopes, ValidatedRequest request)
    {
        var id = subject.GetSubjectId();
        var user = await _userStore.FindByIdAsync(id);

        return user.Claims.Select(ModelFactory.Create).ToList();
    }
}

然后我将它添加到我的 IdentityServerServiceFactory Configure 方法中,如下所示:

factory.ClaimsProvider = new Registration<IClaimsProvider>(dr => dr.ResolveFromAutofacOwinLifetimeScope<IClaimsProvider>());

ClaimsProvider 像这样在 Autofac 中注册:

builder.RegisterType<ClaimsProvider>().As<idsrv.IClaimsProvider>().InstancePerDependency();

我仍然可以进行身份​​验证并获取我的令牌,但是一旦我尝试使用我的令牌访问任何端点,我就会收到此错误:

invalid bearer token received

我不知道为什么。有人可以帮忙吗?

我完全看错地方了。 要向用户添加 Claims,您必须覆盖自定义 UserService 中的 GetProfileDataAsync。我以前这样做过,但索赔并没有得到坚持。然后我阅读了 ScopeClaims。在我的例子中,我的 Claim 是 "role" 类型所以我只是添加了一个新的 ScopeClaim 和角色名称然后当我登录后,我看到调用了 GetProfileDataAsync,果然,声明已添加到我的 User.Identity。 例如,这是我的 GetProfileDataAsync 的样子:

    public override async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var subject = context.Subject;
        var requestedClaimTypes = context.RequestedClaimTypes;

        var user = await _userProvider.FindByIdAsync(subject.GetSubjectId());
        if (user == null) throw new ArgumentException("Invalid user id");

        var claims = GetClaimsFromUser(user);
        if (requestedClaimTypes != null && requestedClaimTypes.Any()) claims = claims.Where(m => requestedClaimTypes.Contains(m.Type));

        context.IssuedClaims = claims;
    }

    private IEnumerable<Claim> GetClaimsFromUser(User model)
    {
        var claims = model.Claims.Select(ModelFactory.Create).ToList();

        if (model.EmailConfirmed) claims.Add(new Claim(Constants.ClaimTypes.EmailVerified, model.EmailConfirmed ? "true": "false"));

        return claims;
    }