IdentityServer ASP.net CORE MVC ValidAudiences 和 Role 不工作
IdentityServer ASP.net CORE MVC ValidAudiences and Role is not working
我有一个 .net 核心 MVC 应用程序,下面是我的查询
TargetFramework --> "net5.0"
IdentityModel 版本-->“5.1.0”
Q1) 我在其中使用了 ValidAudiences,但它不起作用;如果改用 ValidAudience,令牌验证就能正常工作。
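/// <summary>
/// Registers MVC plus cookie + OpenID Connect (authorization code flow) authentication
/// against the IdentityServer at https://localhost:5001.
/// </summary>
/// <param name="services">The application's service collection.</param>
public void ConfigureServices(IServiceCollection services)
{
    services.AddControllersWithViews();

    //START for the cookie token based authentication
    // Keep the short JWT claim names ("sub", "name", "role") instead of the long
    // Microsoft schema URIs; the NameClaimType/RoleClaimType settings below rely on that.
    JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

    //Log Single Logout
    services.AddTransient<CookieEventHandler>();
    services.AddSingleton<LogoutSessionManager>();

    services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie(options =>
    {
        options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
        options.Cookie.Name = "mvc31_";
        options.EventsType = typeof(CookieEventHandler);
    })
    .AddOpenIdConnect("oidc", options =>
    {
        options.Authority = "https://localhost:5001";
        options.ClientId = "testmvc31";
        // SECURITY: a literal client secret is acceptable only for a local sample. In a real
        // deployment read it from configuration / a secret store; never commit it to source.
        options.ClientSecret = "secret";
        options.ResponseType = "code";
        // Persists the access and refresh tokens inside the (Data-Protection-encrypted) auth
        // cookie; with offline_access requested below that includes a long-lived refresh token.
        options.SaveTokens = true;
        options.Scope.Clear();
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("roles");
        //adding api1 scope to access api
        options.Scope.Add("api1");
        options.Scope.Add("offline_access");

        // The "role" claim is not placed in the id_token unless the IdentityServer client has
        // AlwaysIncludeUserClaimsInIdToken = true, so it has to be fetched from UserInfo.
        options.GetClaimsFromUserInfoEndpoint = true;
        // The OIDC handler only copies UserInfo claims that have a ClaimAction registered, and
        // "role" is not among the defaults. Without this mapping the role never reaches the
        // ClaimsPrincipal and User.IsInRole("admin") stays false.
        // (MapJsonKey lives in the Microsoft.AspNetCore.Authentication namespace.)
        options.ClaimActions.MapJsonKey("role", "role");

        // These parameters validate the id_token, not the access token. An id_token's "aud"
        // is the client_id, so ValidAudience must be "testmvc31". API resource names such as
        // "testResource1" are audiences of the access token, which the API's JwtBearer handler
        // validates instead - that is why ValidAudiences = { "testResource1" } fails here.
        options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
        {
            // With DefaultMapInboundClaims = false the name claim is literally "name";
            // without this User.Identity.Name would be null.
            NameClaimType = "name",
            RoleClaimType = "role",
            ValidateIssuer = true,
            ValidAudience = "testmvc31",
            ValidateAudience = true,
        };
    });
    //END for the cookie token based authentication
}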
ValidAudiences 应该有效。你知道为什么它不起作用吗?
Q2) 在令牌验证参数中,我已指定角色来自名为“role”的声明。在 access_token 中我能看到 role 声明的值,但在 id_token 中看不到 role 声明,并且 User.IsInRole("admin") 返回 false,为什么?
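// Claims that are not in the id_token (e.g. "role") are pulled from the UserInfo endpoint.
// Note: only UserInfo claims with a registered ClaimAction are copied onto the user;
// "role" needs an explicit mapping for IsInRole to work.
options.GetClaimsFromUserInfoEndpoint = true;
// Validation parameters for the id_token received by this MVC client. An id_token's "aud"
// is the client_id ("testmvc31"); "testResource1" is an API audience carried by the
// access token and is validated by the API's JwtBearer handler, so it will not match here.
options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
    NameClaimType = JwtClaimTypes.Name,
    RoleClaimType = JwtClaimTypes.Role,
    ValidateIssuer = true,
    ValidAudience = "testResource1", // fixed: the trailing comma was missing, so this did not compile
    //ValidAudiences = new[] { "testResource1" },
    ValidateAudience = true,
};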
Access_token
eyJhbGciOiJSUzI1NiIsImtpZCI6IjIwMUY0QzVCMzRFNzA3QzhDOTBGNEFFMDgyMkNDRDMxNEZENjlFMzBSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6IklCOU1XelRuQjhqSkQwcmdnaXpOTVVfV25qQSJ9.eyJuYmYiOjE2MjI2OTg3ODEsImV4cCI6MTYyMjcwMjM4MSwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMSIsImF1ZCI6WyJUZXN0QVBJMSIsIlRlc3RBUEkyVGVzdCIsImh0dHBzOi8vbG9jYWxob3N0OjUwMDEvcmVzb3VyY2VzIl0sImNsaWVudF9pZCI6InRlc3RtdmMzMSIsInN1YiI6ImQ4NjBlZmNhLTIyZDktNDdmZC04MjQ5LTc5MWJhNjFiMDdjNyIsImF1dGhfdGltZSI6MTYyMjY5ODc4MSwiaWRwIjoibG9jYWwiLCJyb2xlIjoiYWRtaW4iLCJqdGkiOiI0MkYyRTNEOEY3MkQ5NDQxMDAwQTdCMEI3Q0UyRTA0QSIsInNpZCI6IkE4QzVCMTRDQzgxMTc3RDFFRDlGRDdEQzVGNkZEMEY1IiwiaWF0IjoxNjIyNjk4NzgxLCJzY29wZSI6WyJvcGVuaWQiLCJwcm9maWxlIiwicm9sZXMiLCJhcGkxIiwib2ZmbGluZV9hY2Nlc3MiXSwiYW1yIjpbInB3ZCJdfQ.dA4JOxeWd0cGlzr5BSANNL3ZZATzxchgFwLivQVH4rbyfPr6LRIvep6-NjrNEOL_YvJVCDIEU7TBC0-9qBZVL6OgmjDZBZ5dapNhD8ZZP39bUnfqXLJqRAQgR3yeIlB60EQ3vDEnLen1HZuZJCDoqzXr-sANp75IEOLYPxfDFE5SCljex_zX9AQ1dzAUF4k60N3nbJWwn1aqOM3TdKBG85O_QDWZ-FCg5-7FI55HyrJaF4Ojb6qrFf6WdumWnz6_8sT4r9734X2QftRFeFkId36shUJpxqC-zpf5PJYjgg_rhMZ68vFuWONzKFSbXiYhqoMzCa4JzZItF_9bonXELQ
Id_token
eyJhbGciOiJSUzI1NiIsImtpZCI6IjIwMUY0QzVCMzRFNzA3QzhDOTBGNEFFMDgyMkNDRDMxNEZENjlFMzBSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6IklCOU1XelRuQjhqSkQwcmdnaXpOTVVfV25qQSJ9.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.KAqpxfctknB5DV8_leOekZajdgYOJ_sLsa12Hx1-qmOS8hLfN0RwpE3MCGyAiKhSEEPwGPXbbAglZnZKDKbH48RwsA-Zvu3Z8qO3_UCgG6U_ghTW3FSHWV2BJMpM_-OCvqq6pwx65Wh_9-u9xRq3F5r6SbgAyEwzjUE925UOMrWgnyWQAVCuVZ-7W2nO3pkLhf5NW0ItUcF5I6TJn54wgcga-JP1rNh2gIIMT4N9ijfcdbbLVrX6wFqKlXEUWOzGW9m8A8oCZ5ZvbJ_iy3mNT-H3DjMO6K-FP2hwNeU7X3nhdvdrVM6_CyvfLQr9bHQVQB9Aj42DAFOQCfR4V2NtNQ
对这两个问题有什么想法吗?
在 API 一侧,ValidAudience/ValidAudiences 必须与访问令牌中的 aud 声明匹配。而在 MVC 客户端的 AddOpenIdConnect 中,TokenValidationParameters 校验的是 id_token,它的 aud 是客户端 ID(这里是 testmvc31),所以在那里填 API 资源名不会通过。
你需要使用与令牌 aud 匹配的值,例如(你贴出的访问令牌解码后 aud 为 ["TestAPI1", "TestAPI2Test", "https://localhost:5001/resources"]):
ValidAudience = "testAPI"
关于角色问题,您可以粘贴一个完整的示例访问令牌吗?
通常,您需要告诉 AddJwtBearer 您的角色声明的名称,使用:
opt.TokenValidationParameters.RoleClaimType = "role";
opt.TokenValidationParameters.NameClaimType = "name";
与您所做的类似,因此应该可行。
您确定令牌中角色声明的名称确实是“role”(而不是例如“roles”)吗?
访问令牌不应由客户端应用程序解析或依赖,它仅供目标 API 验证和使用;客户端 ASP.NET Core 应用中的“用户”(ClaimsPrincipal)是由 id_token(以及 UserInfo 返回的声明)构建的。
要让用户声明出现在 id_token / UserInfo 中,把它们加入相应 IdentityResource 的 UserClaims 即可,例如:
new IdentityResource(name: "employee", userClaims: new string[] { "role", "employeetype", "IsCeo" })
如果您在 id_token 中看不到该角色声明,不必担心:默认情况下它不会放进 id_token,而是由客户端通过单独的请求从 UserInfo 端点获取。
您可以在客户端定义中使用此标志来控制它:
// When requesting both an id token and access token, should the user claims always
// be added to the id token instead of requiring the client to use the UserInfo endpoint.
// Defaults to false.
AlwaysIncludeUserClaimsInIdToken = false,
在 AddOpenIdConnect 中你也有对应的标志:
options.GetClaimsFromUserInfoEndpoint = true;
但请注意:OIDC 处理程序只会把 options.ClaimActions 中有映射的 UserInfo 声明复制到用户身份上,而 "role" 默认不在映射列表里。因此还需要添加 options.ClaimActions.MapJsonKey("role", "role");,否则 User.IsInRole("admin") 仍然是 false。
我有一个 .net 核心 MVC 应用程序,下面是我的查询
TargetFramework --> "net5.0"
IdentityModel 版本-->“5.1.0”
Q1) 我在其中使用了 ValidAudiences,但它不起作用;如果改用 ValidAudience,令牌验证就能正常工作。
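/// <summary>
/// Registers MVC plus cookie + OpenID Connect (authorization code flow) authentication
/// against the IdentityServer at https://localhost:5001.
/// </summary>
/// <param name="services">The application's service collection.</param>
public void ConfigureServices(IServiceCollection services)
{
    services.AddControllersWithViews();

    //START for the cookie token based authentication
    // Keep the short JWT claim names ("sub", "name", "role") instead of the long
    // Microsoft schema URIs; the NameClaimType/RoleClaimType settings below rely on that.
    JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

    //Log Single Logout
    services.AddTransient<CookieEventHandler>();
    services.AddSingleton<LogoutSessionManager>();

    services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie(options =>
    {
        options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
        options.Cookie.Name = "mvc31_";
        options.EventsType = typeof(CookieEventHandler);
    })
    .AddOpenIdConnect("oidc", options =>
    {
        options.Authority = "https://localhost:5001";
        options.ClientId = "testmvc31";
        // SECURITY: a literal client secret is acceptable only for a local sample. In a real
        // deployment read it from configuration / a secret store; never commit it to source.
        options.ClientSecret = "secret";
        options.ResponseType = "code";
        // Persists the access and refresh tokens inside the (Data-Protection-encrypted) auth
        // cookie; with offline_access requested below that includes a long-lived refresh token.
        options.SaveTokens = true;
        options.Scope.Clear();
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("roles");
        //adding api1 scope to access api
        options.Scope.Add("api1");
        options.Scope.Add("offline_access");

        // The "role" claim is not placed in the id_token unless the IdentityServer client has
        // AlwaysIncludeUserClaimsInIdToken = true, so it has to be fetched from UserInfo.
        options.GetClaimsFromUserInfoEndpoint = true;
        // The OIDC handler only copies UserInfo claims that have a ClaimAction registered, and
        // "role" is not among the defaults. Without this mapping the role never reaches the
        // ClaimsPrincipal and User.IsInRole("admin") stays false.
        // (MapJsonKey lives in the Microsoft.AspNetCore.Authentication namespace.)
        options.ClaimActions.MapJsonKey("role", "role");

        // These parameters validate the id_token, not the access token. An id_token's "aud"
        // is the client_id, so ValidAudience must be "testmvc31". API resource names such as
        // "testResource1" are audiences of the access token, which the API's JwtBearer handler
        // validates instead - that is why ValidAudiences = { "testResource1" } fails here.
        options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
        {
            // With DefaultMapInboundClaims = false the name claim is literally "name";
            // without this User.Identity.Name would be null.
            NameClaimType = "name",
            RoleClaimType = "role",
            ValidateIssuer = true,
            ValidAudience = "testmvc31",
            ValidateAudience = true,
        };
    });
    //END for the cookie token based authentication
}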
ValidAudiences 应该有效。你知道为什么它不起作用吗?
Q2) 在令牌验证参数中,我已指定角色来自名为“role”的声明。在 access_token 中我能看到 role 声明的值,但在 id_token 中看不到 role 声明,并且 User.IsInRole("admin") 返回 false,为什么?
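// Claims that are not in the id_token (e.g. "role") are pulled from the UserInfo endpoint.
// Note: only UserInfo claims with a registered ClaimAction are copied onto the user;
// "role" needs an explicit mapping for IsInRole to work.
options.GetClaimsFromUserInfoEndpoint = true;
// Validation parameters for the id_token received by this MVC client. An id_token's "aud"
// is the client_id ("testmvc31"); "testResource1" is an API audience carried by the
// access token and is validated by the API's JwtBearer handler, so it will not match here.
options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
    NameClaimType = JwtClaimTypes.Name,
    RoleClaimType = JwtClaimTypes.Role,
    ValidateIssuer = true,
    ValidAudience = "testResource1", // fixed: the trailing comma was missing, so this did not compile
    //ValidAudiences = new[] { "testResource1" },
    ValidateAudience = true,
};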
Access_token
eyJhbGciOiJSUzI1NiIsImtpZCI6IjIwMUY0QzVCMzRFNzA3QzhDOTBGNEFFMDgyMkNDRDMxNEZENjlFMzBSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6IklCOU1XelRuQjhqSkQwcmdnaXpOTVVfV25qQSJ9.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.dA4JOxeWd0cGlzr5BSANNL3ZZATzxchgFwLivQVH4rbyfPr6LRIvep6-NjrNEOL_YvJVCDIEU7TBC0-9qBZVL6OgmjDZBZ5dapNhD8ZZP39bUnfqXLJqRAQgR3yeIlB60EQ3vDEnLen1HZuZJCDoqzXr-sANp75IEOLYPxfDFE5SCljex_zX9AQ1dzAUF4k60N3nbJWwn1aqOM3TdKBG85O_QDWZ-FCg5-7FI55HyrJaF4Ojb6qrFf6WdumWnz6_8sT4r9734X2QftRFeFkId36shUJpxqC-zpf5PJYjgg_rhMZ68vFuWONzKFSbXiYhqoMzCa4JzZItF_9bonXELQ
Id_token eyJhbGciOiJSUzI1NiIsImtpZCI6IjIwMUY0QzVCMzRFNzA3QzhDOTBGNEFFMDgyMkNDRDMxNEZENjlFMzBSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6IklCOU1XelRuQjhqSkQwcmdnaXpOTVVfV25qQSJ9.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.KAqpxfctknB5DV8_leOekZajdgYOJ_sLsa12Hx1-qmOS8hLfN0RwpE3MCGyAiKhSEEPwGPXbbAglZnZKDKbH48RwsA-Zvu3Z8qO3_UCgG6U_ghTW3FSHWV2BJMpM_-OCvqq6pwx65Wh_9-u9xRq3F5r6SbgAyEwzjUE925UOMrWgnyWQAVCuVZ-7W2nO3pkLhf5NW0ItUcF5I6TJn54wgcga-JP1rNh2gIIMT4N9ijfcdbbLVrX6wFqKlXEUWOzGW9m8A8oCZ5ZvbJ_iy3mNT-H3DjMO6K-FP2hwNeU7X3nhdvdrVM6_CyvfLQr9bHQVQB9Aj42DAFOQCfR4V2NtNQ
对这两个问题有什么想法吗?
在 API 一侧,ValidAudience/ValidAudiences 必须与访问令牌中的 aud 声明匹配。而在 MVC 客户端的 AddOpenIdConnect 中,TokenValidationParameters 校验的是 id_token,它的 aud 是客户端 ID(这里是 testmvc31),所以在那里填 API 资源名不会通过。
你需要使用与令牌 aud 匹配的值,例如(你贴出的访问令牌解码后 aud 为 ["TestAPI1", "TestAPI2Test", "https://localhost:5001/resources"]):
ValidAudience = "testAPI"
关于角色问题,您可以粘贴一个完整的示例访问令牌吗?
通常,您需要告诉 AddJwtBearer 您的角色声明的名称,使用:
opt.TokenValidationParameters.RoleClaimType = "role";
opt.TokenValidationParameters.NameClaimType = "name";
与您所做的类似,因此应该可行。
您确定令牌中角色声明的名称确实是“role”(而不是例如“roles”)吗?
访问令牌不应由客户端应用程序解析或依赖,它仅供目标 API 验证和使用;客户端 ASP.NET Core 应用中的“用户”(ClaimsPrincipal)是由 id_token(以及 UserInfo 返回的声明)构建的。
要让用户声明出现在 id_token / UserInfo 中,把它们加入相应 IdentityResource 的 UserClaims 即可,例如:
new IdentityResource(name: "employee", userClaims: new string[] { "role", "employeetype", "IsCeo" })
如果您在 id_token 中看不到该角色声明,不必担心:默认情况下它不会放进 id_token,而是由客户端通过单独的请求从 UserInfo 端点获取。
您可以在客户端定义中使用此标志来控制它:
// When requesting both an id token and access token, should the user claims always
// be added to the id token instead of requiring the client to use the UserInfo endpoint.
// Defaults to false.
AlwaysIncludeUserClaimsInIdToken = false,
在 AddOpenIdConnect 中你也有对应的标志:
options.GetClaimsFromUserInfoEndpoint = true;
但请注意:OIDC 处理程序只会把 options.ClaimActions 中有映射的 UserInfo 声明复制到用户身份上,而 "role" 默认不在映射列表里。因此还需要添加 options.ClaimActions.MapJsonKey("role", "role");,否则 User.IsInRole("admin") 仍然是 false。