IdentityServer 在使用参考令牌时获得声明
IdentityServer getting claims to appear when using reference token
我发现这真的很混乱,而且在任何地方都找不到任何文档。我希望我没有费心移动到身份服务器,我遇到的所有问题......
无论如何,当前的问题是,当我进行身份验证时,没有任何声明基于 User.Identity.
我尝试使用 ClaimsTransformer 添加我的声明,but it turns out that you can't use DI to get database claims 使用 ClaimsTransformer。所以我不得不想出另一个解决方案。
经过大量挖掘后我发现有一个 ClaimsProvider 可以使用。但是当我添加它时,我无法授权我的请求。
这是我的配置 before 我添加了 ClaimsProvider:
public static class Config
{
/// <summary>
/// Configures identity server
/// </summary>
public static void ConfigureIdentityServer(this IAppBuilder app, CormarConfig config)
{
// Create our options
var identityServerOptions = new IdentityServerOptions
{
SiteName = "Cormar API",
SigningCertificate = LoadCertificate(),
IssuerUri = "https://cormarapi-test.azurewebsites.net",
LoggingOptions = new LoggingOptions
{
EnableHttpLogging = true,
EnableWebApiDiagnostics = true,
EnableKatanaLogging = true,
WebApiDiagnosticsIsVerbose = true
},
Factory = new IdentityServerServiceFactory().Configure(config),
// Disable when live
EnableWelcomePage = true
};
// Setup our auth path
app.Map("/identity", idsrvApp => { idsrvApp.UseIdentityServer(identityServerOptions); });
}
/// <summary>
/// Configures the identity server to use token authentication
/// </summary>
public static void ConfigureIdentityServerTokenAuthentication(this IAppBuilder app, HttpConfiguration config)
{
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
Authority = "https://cormarapi-test.azurewebsites.net/identity",
DelayLoadMetadata = true,
ValidationMode = ValidationMode.Both,
RequiredScopes = new[] {"api"},
ClientId = "api",
ClientSecret = "8at?7nAtaB!E"
});
}
/// <summary>
/// Loads the certificate
/// </summary>
/// <returns></returns>
private static X509Certificate2 LoadCertificate()
{
var certPath = $"{AppDomain.CurrentDomain.BaseDirectory}App_Data\idsrv3test.pfx";
var certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
certStore.Open(OpenFlags.ReadOnly);
var certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, "3A1AFB6E1DC5C3F341E63651542C740DA4148866", false);
certStore.Close();
// If we are on azure, get the actual self signed certificate, otherwise return the test one
return certCollection.Count > 0 ? certCollection[0] : new X509Certificate2(certPath, "idsrv3test");
}
/// <summary>
/// Configure the identity service factory with custom services
/// </summary>
/// <returns></returns>
private static IdentityServerServiceFactory Configure(this IdentityServerServiceFactory factory, CormarConfig config)
{
var serviceOptions = new EntityFrameworkServiceOptions {ConnectionString = config.SqlConnectionString};
factory.RegisterOperationalServices(serviceOptions);
factory.RegisterConfigurationServices(serviceOptions);
factory.CorsPolicyService = new Registration<ICorsPolicyService>(new DefaultCorsPolicyService {AllowAll = true}); // Allow all domains to access authentication
factory.Register(new Registration<DbContext>(dr => dr.ResolveFromAutofacOwinLifetimeScope<DbContext>()));
factory.UserService = new Registration<IUserService>(dr => dr.ResolveFromAutofacOwinLifetimeScope<IUserService>());
factory.ClientStore = new Registration<IClientStore>(dr => dr.ResolveFromAutofacOwinLifetimeScope<IClientStore>());
factory.ScopeStore = new Registration<IScopeStore>(dr => dr.ResolveFromAutofacOwinLifetimeScope<IScopeStore>());
return factory;
}
}
像这样设置后,我在 Startup.cs:
中调用它
app.ConfigureIdentityServer(scope.Resolve<CormarConfig>());
app.ConfigureIdentityServerTokenAuthentication(config);
app.UseWebApi(config);
一切正常(索赔除外)。我可以进行身份验证,也可以授权我的请求。
现在我需要获取我的 UserClaims,所以我创建了我的 ClaimsProvider,如下所示:
public class ClaimsProvider: DefaultClaimsProvider
{
private readonly IUserStore<User> _userStore;
public ClaimsProvider(IUserService userService, IUserStore<User> userStore)
: base(userService)
{
_userStore = userStore;
}
public override async Task<IEnumerable<Claim>> GetAccessTokenClaimsAsync(ClaimsPrincipal subject, Client client, IEnumerable<Scope> scopes, ValidatedRequest request)
{
var id = subject.GetSubjectId();
var user = await _userStore.FindByIdAsync(id);
return user.Claims.Select(ModelFactory.Create).ToList();
}
}
然后我将它添加到我的 IdentityServerServiceFactory Configure 方法中,如下所示:
factory.ClaimsProvider = new Registration<IClaimsProvider>(dr => dr.ResolveFromAutofacOwinLifetimeScope<IClaimsProvider>());
ClaimsProvider 像这样在 Autofac 中注册:
builder.RegisterType<ClaimsProvider>().As<idsrv.IClaimsProvider>().InstancePerDependency();
我仍然可以进行身份验证并获取我的令牌,但是一旦我尝试使用我的令牌访问任何端点,我就会收到此错误:
invalid bearer token received
我不知道为什么。有人可以帮忙吗?
我完全看错地方了。
要向用户添加 Claims,您必须覆盖自定义 UserService 中的 GetProfileDataAsync。我以前这样做过,但索赔并没有得到坚持。然后我阅读了 ScopeClaims。在我的例子中,我的 Claim 是 "role" 类型所以我只是添加了一个新的 ScopeClaim 和角色名称然后当我登录后,我看到调用了 GetProfileDataAsync,果然,声明已添加到我的 User.Identity。
例如,这是我的 GetProfileDataAsync 的样子:
public override async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var subject = context.Subject;
var requestedClaimTypes = context.RequestedClaimTypes;
var user = await _userProvider.FindByIdAsync(subject.GetSubjectId());
if (user == null) throw new ArgumentException("Invalid user id");
var claims = GetClaimsFromUser(user);
if (requestedClaimTypes != null && requestedClaimTypes.Any()) claims = claims.Where(m => requestedClaimTypes.Contains(m.Type));
context.IssuedClaims = claims;
}
private IEnumerable<Claim> GetClaimsFromUser(User model)
{
var claims = model.Claims.Select(ModelFactory.Create).ToList();
if (model.EmailConfirmed) claims.Add(new Claim(Constants.ClaimTypes.EmailVerified, model.EmailConfirmed ? "true": "false"));
return claims;
}
我发现这真的很混乱,而且在任何地方都找不到任何文档。我希望我没有费心移动到身份服务器,我遇到的所有问题...... 无论如何,当前的问题是,当我进行身份验证时,没有任何声明基于 User.Identity.
我尝试使用 ClaimsTransformer 添加我的声明,but it turns out that you can't use DI to get database claims 使用 ClaimsTransformer。所以我不得不想出另一个解决方案。
经过大量挖掘后我发现有一个 ClaimsProvider 可以使用。但是当我添加它时,我无法授权我的请求。 这是我的配置 before 我添加了 ClaimsProvider:
public static class Config
{
/// <summary>
/// Configures identity server
/// </summary>
public static void ConfigureIdentityServer(this IAppBuilder app, CormarConfig config)
{
// Create our options
var identityServerOptions = new IdentityServerOptions
{
SiteName = "Cormar API",
SigningCertificate = LoadCertificate(),
IssuerUri = "https://cormarapi-test.azurewebsites.net",
LoggingOptions = new LoggingOptions
{
EnableHttpLogging = true,
EnableWebApiDiagnostics = true,
EnableKatanaLogging = true,
WebApiDiagnosticsIsVerbose = true
},
Factory = new IdentityServerServiceFactory().Configure(config),
// Disable when live
EnableWelcomePage = true
};
// Setup our auth path
app.Map("/identity", idsrvApp => { idsrvApp.UseIdentityServer(identityServerOptions); });
}
/// <summary>
/// Configures the identity server to use token authentication
/// </summary>
public static void ConfigureIdentityServerTokenAuthentication(this IAppBuilder app, HttpConfiguration config)
{
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
Authority = "https://cormarapi-test.azurewebsites.net/identity",
DelayLoadMetadata = true,
ValidationMode = ValidationMode.Both,
RequiredScopes = new[] {"api"},
ClientId = "api",
ClientSecret = "8at?7nAtaB!E"
});
}
/// <summary>
/// Loads the certificate
/// </summary>
/// <returns></returns>
private static X509Certificate2 LoadCertificate()
{
var certPath = $"{AppDomain.CurrentDomain.BaseDirectory}App_Data\idsrv3test.pfx";
var certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
certStore.Open(OpenFlags.ReadOnly);
var certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, "3A1AFB6E1DC5C3F341E63651542C740DA4148866", false);
certStore.Close();
// If we are on azure, get the actual self signed certificate, otherwise return the test one
return certCollection.Count > 0 ? certCollection[0] : new X509Certificate2(certPath, "idsrv3test");
}
/// <summary>
/// Configure the identity service factory with custom services
/// </summary>
/// <returns></returns>
private static IdentityServerServiceFactory Configure(this IdentityServerServiceFactory factory, CormarConfig config)
{
var serviceOptions = new EntityFrameworkServiceOptions {ConnectionString = config.SqlConnectionString};
factory.RegisterOperationalServices(serviceOptions);
factory.RegisterConfigurationServices(serviceOptions);
factory.CorsPolicyService = new Registration<ICorsPolicyService>(new DefaultCorsPolicyService {AllowAll = true}); // Allow all domains to access authentication
factory.Register(new Registration<DbContext>(dr => dr.ResolveFromAutofacOwinLifetimeScope<DbContext>()));
factory.UserService = new Registration<IUserService>(dr => dr.ResolveFromAutofacOwinLifetimeScope<IUserService>());
factory.ClientStore = new Registration<IClientStore>(dr => dr.ResolveFromAutofacOwinLifetimeScope<IClientStore>());
factory.ScopeStore = new Registration<IScopeStore>(dr => dr.ResolveFromAutofacOwinLifetimeScope<IScopeStore>());
return factory;
}
}
像这样设置后,我在 Startup.cs:
中调用它app.ConfigureIdentityServer(scope.Resolve<CormarConfig>());
app.ConfigureIdentityServerTokenAuthentication(config);
app.UseWebApi(config);
一切正常(索赔除外)。我可以进行身份验证,也可以授权我的请求。 现在我需要获取我的 UserClaims,所以我创建了我的 ClaimsProvider,如下所示:
public class ClaimsProvider: DefaultClaimsProvider
{
private readonly IUserStore<User> _userStore;
public ClaimsProvider(IUserService userService, IUserStore<User> userStore)
: base(userService)
{
_userStore = userStore;
}
public override async Task<IEnumerable<Claim>> GetAccessTokenClaimsAsync(ClaimsPrincipal subject, Client client, IEnumerable<Scope> scopes, ValidatedRequest request)
{
var id = subject.GetSubjectId();
var user = await _userStore.FindByIdAsync(id);
return user.Claims.Select(ModelFactory.Create).ToList();
}
}
然后我将它添加到我的 IdentityServerServiceFactory Configure 方法中,如下所示:
factory.ClaimsProvider = new Registration<IClaimsProvider>(dr => dr.ResolveFromAutofacOwinLifetimeScope<IClaimsProvider>());
ClaimsProvider 像这样在 Autofac 中注册:
builder.RegisterType<ClaimsProvider>().As<idsrv.IClaimsProvider>().InstancePerDependency();
我仍然可以进行身份验证并获取我的令牌,但是一旦我尝试使用我的令牌访问任何端点,我就会收到此错误:
invalid bearer token received
我不知道为什么。有人可以帮忙吗?
我完全看错地方了。 要向用户添加 Claims,您必须覆盖自定义 UserService 中的 GetProfileDataAsync。我以前这样做过,但索赔并没有得到坚持。然后我阅读了 ScopeClaims。在我的例子中,我的 Claim 是 "role" 类型所以我只是添加了一个新的 ScopeClaim 和角色名称然后当我登录后,我看到调用了 GetProfileDataAsync,果然,声明已添加到我的 User.Identity。 例如,这是我的 GetProfileDataAsync 的样子:
public override async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var subject = context.Subject;
var requestedClaimTypes = context.RequestedClaimTypes;
var user = await _userProvider.FindByIdAsync(subject.GetSubjectId());
if (user == null) throw new ArgumentException("Invalid user id");
var claims = GetClaimsFromUser(user);
if (requestedClaimTypes != null && requestedClaimTypes.Any()) claims = claims.Where(m => requestedClaimTypes.Contains(m.Type));
context.IssuedClaims = claims;
}
private IEnumerable<Claim> GetClaimsFromUser(User model)
{
var claims = model.Claims.Select(ModelFactory.Create).ToList();
if (model.EmailConfirmed) claims.Add(new Claim(Constants.ClaimTypes.EmailVerified, model.EmailConfirmed ? "true": "false"));
return claims;
}