在客户端找不到声明
claims not found on client side
我已经实现了 IDS4 客户端。这是在 config.cs
中在 IDS4 上注册客户端的代码
// Interactive web client registered on the IdentityServer4 side (authorization-code flow).
new Client
{
    ClientId = "HR.WebClient",
    ClientName = "HR Module Web Client",
    // Redacted in the post. Keep the real value out of source control (user-secrets / key vault)
    // and store only its hash here, as Sha256() already does.
    ClientSecrets = { new Secret("****".Sha256()) },
    AllowedGrantTypes = GrantTypes.Code,
    // Per IDS4 docs: claims configured on this Client object are sent in every flow,
    // not only for client_credentials. Note these are CLIENT claims, not the user's.
    AlwaysSendClientClaims = true,
    // Per IDS4 docs: user claims are written into the id_token instead of only being
    // served by the userinfo endpoint. The id_token pasted in this post still carries
    // only standard claims (sub, name, preferred_username, amr, idp, auth_time), so the
    // custom claims were not produced server-side for that token.
    AlwaysIncludeUserClaimsInIdToken = true,
    // removed some code for brevity
    // Enables refresh tokens (offline_access). Combined with SaveTokens = true on the
    // client, the refresh token presumably ends up inside the client's auth cookie — confirm
    // that is acceptable for this app.
    AllowOfflineAccess = true,
    // No consent screen: acceptable for a first-party client, reconsider for third-party ones.
    RequireConsent = false,
    // removed some code for brevity
},
这是我用来在客户端应用程序的 startup.cs 中配置客户端的扩展方法。
/// <summary>
/// Registers cookie-based session authentication plus an OpenID Connect challenge scheme
/// for the client web app, reading ClientId, ClientSecret and IdentityServerUri from
/// <paramref name="Configuration"/> (read lazily, when the option objects are built).
/// </summary>
/// <param name="services">Service collection to register the authentication services on.</param>
/// <param name="Configuration">Configuration source holding ClientId, ClientSecret and IdentityServerUri.</param>
public static void AddCustomAuthentication(this IServiceCollection services, IConfiguration Configuration)
{
    const string cookieScheme = "Cookies";
    const string oidcScheme = "oidc";

    // Requests are authenticated from the session cookie; unauthenticated requests are
    // challenged by redirecting to the OIDC provider.
    var authBuilder = services.AddAuthentication(auth =>
    {
        auth.DefaultScheme = cookieScheme;
        auth.DefaultChallengeScheme = oidcScheme;
    });

    authBuilder.AddCookie(cookie =>
    {
        // Cookie name is derived from the configured client id so several clients on one host do not collide.
        cookie.Cookie.Name = $"{Configuration["ClientId"]}.Cookie";
    });

    authBuilder.AddOpenIdConnect(oidcScheme, oidc =>
    {
        oidc.Authority = Configuration["IdentityServerUri"];
        // After the OIDC handshake the resulting principal is persisted via the cookie scheme.
        oidc.SignInScheme = cookieScheme;
        oidc.ClientId = Configuration["ClientId"];
        // Confidential client: the secret must live in a secret store, not in a checked-in appsettings file.
        oidc.ClientSecret = Configuration["ClientSecret"];
        oidc.ResponseType = "code";
        // Stores the issued tokens (id/access/refresh) in the authentication properties, i.e. in the cookie.
        oidc.SaveTokens = true;
        // Fetches extra claims from the userinfo endpoint after the code exchange. Only claims that
        // have a ClaimActions mapping are copied onto the principal; no custom mapping is configured
        // in the visible code, so custom claims returned by userinfo would be dropped here.
        oidc.GetClaimsFromUserInfoEndpoint = true;
        // removed some code for brevity
    });

    // NOTE(review): this policy is built but never registered in this method (no
    // AddAuthorization / FallbackPolicy / filter consumes it), so as written it enforces
    // nothing. Confirm the caller applies it, or remove it.
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
}
问题
我已经编写了一些服务器端逻辑，在运行时为用户添加声明。在服务器应用程序端我能看到这些声明。
但是我在客户端看不到任何声明。
我错过了什么?
更新
这是我的 id_token 和 access_token 的示例（解码后的 id_token 载荷只包含 iss、aud、sub、auth_time、idp、preferred_username、name、amr 等标准声明，没有任何自定义声明，说明服务器端并没有把它们写入这个 ID 令牌）
.Token.id_token
eyJhbGciOiJSUzI1NiIsImtpZCI6IkNGN0U3OUJEMjNENUFEQjdCQkFFNkM2Mzk3NjM0RTBBIiwidHlwIjoiSldUIn0.eyJuYmYiOjE2NDA2NzA0NDUsImV4cCI6MTY0MDY3MDc0NSwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMSIsImF1ZCI6IkNvcnBMZW5zZS5IUi5XZWJDbGllbnQiLCJpYXQiOjE2NDA2NzA0NDUsImF0X2hhc2giOiJUWVdkd2lCbEdacHoyQ19FcXBZaXFBIiwic3ViIjoiNDJkNjRkNzQtMDBjMC00MmE5LWI1OWEtNTUyYjcwOGM0NTcxIiwiYXV0aF90aW1lIjoxNjQwNTkwMTQzLCJpZHAiOiJsb2NhbCIsInByZWZlcnJlZF91c2VybmFtZSI6ImlmdGlraGFyIiwibmFtZSI6ImlmdGlraGFyIiwiYW1yIjpbInB3ZCJdfQ.LgS2_-yW9XcMqmZhOhbSdMznpmbUvat_e7mfw8YLajCOjREuECvYlyC2nowlu6Khch2FZyM5RAgqYPHc0db2NBxhLEaqNIwWIa9We32Vdy6wrHPkx1TrGkQymoiXcktkIeaNA1TCMUfSDA1XRbfygfPyFCq9t06CHC4WmVmcdQFavXic_jFCEBV45_qGsuAeqYi0qbStoQd3dWqkhOkBg3aiZjZKycQXTWGb-dBFSIG7xFZx2AhsEYBpTI9NzG3oRbYbJlV-CEuV2umFVdX77zZOdSvvdrRiMzN_XLw8ZWysLG5yAJiIkL-dprKhqTUbtUHw1jkq4VZc-iQUNvsOgw
.Token.access_token
eyJhbGciOiJSUzI1NiIsImtpZCI6IkNGN0U3OUJEMjNENUFEQjdCQkFFNkM2Mzk3NjM0RTBBIiwidHlwIjoiYXQrand0In0.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.kOipzf-kUNSviqgoRf8ieZtswAc6eBfMlkvuc44qNaKAzUIr8Bv4J6O0X455ctnh-jJrutvVkUsBu0SS-wBllAS7LUGh2aIhJV9qTgITxKvDchfHrzJnpyI3dGEbmUweC0pqvpzM_KDNKUG-GhafthehEz6V1SYq3DA2XPKevO4xuTAF9R9zl4KtgXVPZQba2A-3GZxOuL2WZhcxYV3Qm3kLQlHHxiriz5vQDIXTIYsmRdh791YDsjHr7lKIG9Vf8b2Mddivs8FFZerJAJzanzzZQ2wa0nJ4DpOQaasbBAf9NCltkUavHp7Q6x0KWPKAh5Nv--mF1A3VZOPjWvn3yg
默认情况下，OpenID Connect 处理程序只通过下列 ClaimActions 把这些声明从 ID 令牌 / userinfo 响应传播到用户对象（ClaimsPrincipal），其余声明会被丢弃：
// Default ClaimActions of the ASP.NET Core OpenID Connect handler: these JSON keys are
// copied from the userinfo / ID-token payload onto the ClaimsPrincipal; keys without a
// mapping are discarded, which is why custom claims never reach the client app.
options.ClaimActions.MapUniqueJsonKey("sub", "sub");
options.ClaimActions.MapUniqueJsonKey("name", "name");
options.ClaimActions.MapUniqueJsonKey("given_name", "given_name");
options.ClaimActions.MapUniqueJsonKey("family_name", "family_name");
options.ClaimActions.MapUniqueJsonKey("profile", "profile");
options.ClaimActions.MapUniqueJsonKey("email", "email");
这些默认映射可以在 ASP.NET Core 的 OpenIdConnectOptions 源码中找到。
要映射其他声明,我们必须使用以下方法手动映射它们:
// Explicit allow-list mapping (preferred): only the claims the app actually authorizes on
// are copied into the session cookie, keeping the cookie small and predictable.
options.ClaimActions.MapUniqueJsonKey("website", "website");
options.ClaimActions.MapUniqueJsonKey("gender", "gender");
options.ClaimActions.MapUniqueJsonKey("birthdate", "birthdate");
或
// Catch-all mapping: every key not listed here is turned into a claim on the principal.
// Caveat: this blindly trusts whatever the provider returns and grows the auth cookie with
// every claim; prefer explicit MapUniqueJsonKey calls for the claims you actually consume.
options.ClaimActions.MapAllExcept("iss", "nbf", "exp", "aud", "nonce");
请检查一下客户端是否注册了承载这些声明的作用域（Client.AllowedScopes），并且客户端确实请求了该作用域，例如：
// Example from the answer: a machine-to-machine client. It uses client_credentials, so there
// is no user and no id_token / userinfo claims; it only illustrates the AllowedScopes property.
new Client
{
    ClientId = "service.client",
    // Demo value only — never ship a literal secret like this.
    ClientSecrets = { new Secret("secret".Sha256()) },
    AllowedGrantTypes = GrantTypes.ClientCredentials,
    // A client may only request scopes listed here; claims attached to a scope the client
    // cannot request are never issued to it.
    AllowedScopes = { "api1", "api2.read_only","otherclaims/scopes" }
}
多亏了Tore的帮助，我才意识到自己的无知。我完全没有意识到我们可以通过实现 IProfileService 来扩展 Identity Server。我通过实现 ProfileService 在 access_token 中添加了自定义声明。注意：GetProfileDataAsync 在签发 ID 令牌、访问令牌以及响应 userinfo 请求时都会被调用，应只返回被请求的作用域/声明类型所允许的声明，而不是把用户的所有声明都写进每个令牌。
我已经实现了 IDS4 客户端。这是在 config.cs
中在 IDS4 上注册客户端的代码new Client
{
    // Interactive web client registered on the IdentityServer4 side (authorization-code flow).
    ClientId = "HR.WebClient",
    ClientName = "HR Module Web Client",
    // Redacted in the post. Keep the real value out of source control (user-secrets / key vault)
    // and store only its hash here, as Sha256() already does.
    ClientSecrets = { new Secret("****".Sha256()) },
    AllowedGrantTypes = GrantTypes.Code,
    // Per IDS4 docs: claims configured on this Client object are sent in every flow,
    // not only for client_credentials. Note these are CLIENT claims, not the user's.
    AlwaysSendClientClaims = true,
    // Per IDS4 docs: user claims are written into the id_token instead of only being
    // served by the userinfo endpoint. The id_token pasted in this post still carries
    // only standard claims (sub, name, preferred_username, amr, idp, auth_time), so the
    // custom claims were not produced server-side for that token.
    AlwaysIncludeUserClaimsInIdToken = true,
    // removed some code for brevity
    // Enables refresh tokens (offline_access). Combined with SaveTokens = true on the
    // client, the refresh token presumably ends up inside the client's auth cookie — confirm
    // that is acceptable for this app.
    AllowOfflineAccess = true,
    // No consent screen: acceptable for a first-party client, reconsider for third-party ones.
    RequireConsent = false,
    // removed some code for brevity
},
这是我用来在客户端应用程序的 startup.cs 中配置客户端的扩展方法。
/// <summary>
/// Registers cookie-based session authentication plus an OpenID Connect challenge scheme
/// for the client web app, reading ClientId, ClientSecret and IdentityServerUri from
/// <paramref name="Configuration"/> (read lazily, when the option objects are built).
/// </summary>
/// <param name="services">Service collection to register the authentication services on.</param>
/// <param name="Configuration">Configuration source holding ClientId, ClientSecret and IdentityServerUri.</param>
public static void AddCustomAuthentication(this IServiceCollection services, IConfiguration Configuration)
{
    const string cookieScheme = "Cookies";
    const string oidcScheme = "oidc";

    // Requests are authenticated from the session cookie; unauthenticated requests are
    // challenged by redirecting to the OIDC provider.
    var authBuilder = services.AddAuthentication(auth =>
    {
        auth.DefaultScheme = cookieScheme;
        auth.DefaultChallengeScheme = oidcScheme;
    });

    authBuilder.AddCookie(cookie =>
    {
        // Cookie name is derived from the configured client id so several clients on one host do not collide.
        cookie.Cookie.Name = $"{Configuration["ClientId"]}.Cookie";
    });

    authBuilder.AddOpenIdConnect(oidcScheme, oidc =>
    {
        oidc.Authority = Configuration["IdentityServerUri"];
        // After the OIDC handshake the resulting principal is persisted via the cookie scheme.
        oidc.SignInScheme = cookieScheme;
        oidc.ClientId = Configuration["ClientId"];
        // Confidential client: the secret must live in a secret store, not in a checked-in appsettings file.
        oidc.ClientSecret = Configuration["ClientSecret"];
        oidc.ResponseType = "code";
        // Stores the issued tokens (id/access/refresh) in the authentication properties, i.e. in the cookie.
        oidc.SaveTokens = true;
        // Fetches extra claims from the userinfo endpoint after the code exchange. Only claims that
        // have a ClaimActions mapping are copied onto the principal; no custom mapping is configured
        // in the visible code, so custom claims returned by userinfo would be dropped here.
        oidc.GetClaimsFromUserInfoEndpoint = true;
        // removed some code for brevity
    });

    // NOTE(review): this policy is built but never registered in this method (no
    // AddAuthorization / FallbackPolicy / filter consumes it), so as written it enforces
    // nothing. Confirm the caller applies it, or remove it.
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
}
问题
我已经编写了一些服务器端逻辑，在运行时为用户添加声明。在服务器应用程序端我能看到这些声明。
但是我在客户端看不到任何声明。
我错过了什么?
更新
这是我的 id_token 和 access_token
的示例.Token.id_token eyJhbGciOiJSUzI1NiIsImtpZCI6IkNGN0U3OUJEMjNENUFEQjdCQkFFNkM2Mzk3NjM0RTBBIiwidHlwIjoiSldUIn0.eyJuYmYiOjE2NDA2NzA0NDUsImV4cCI6MTY0MDY3MDc0NSwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMSIsImF1ZCI6IkNvcnBMZW5zZS5IUi5XZWJDbGllbnQiLCJpYXQiOjE2NDA2NzA0NDUsImF0X2hhc2giOiJUWVdkd2lCbEdacHoyQ19FcXBZaXFBIiwic3ViIjoiNDJkNjRkNzQtMDBjMC00MmE5LWI1OWEtNTUyYjcwOGM0NTcxIiwiYXV0aF90aW1lIjoxNjQwNTkwMTQzLCJpZHAiOiJsb2NhbCIsInByZWZlcnJlZF91c2VybmFtZSI6ImlmdGlraGFyIiwibmFtZSI6ImlmdGlraGFyIiwiYW1yIjpbInB3ZCJdfQ.LgS2_-yW9XcMqmZhOhbSdMznpmbUvat_e7mfw8YLajCOjREuECvYlyC2nowlu6Khch2FZyM5RAgqYPHc0db2NBxhLEaqNIwWIa9We32Vdy6wrHPkx1TrGkQymoiXcktkIeaNA1TCMUfSDA1XRbfygfPyFCq9t06CHC4WmVmcdQFavXic_jFCEBV45_qGsuAeqYi0qbStoQd3dWqkhOkBg3aiZjZKycQXTWGb-dBFSIG7xFZx2AhsEYBpTI9NzG3oRbYbJlV-CEuV2umFVdX77zZOdSvvdrRiMzN_XLw8ZWysLG5yAJiIkL-dprKhqTUbtUHw1jkq4VZc-iQUNvsOgw
.Token.access_token eyJhbGciOiJSUzI1NiIsImtpZCI6IkNGN0U3OUJEMjNENUFEQjdCQkFFNkM2Mzk3NjM0RTBBIiwidHlwIjoiYXQrand0In0.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.kOipzf-kUNSviqgoRf8ieZtswAc6eBfMlkvuc44qNaKAzUIr8Bv4J6O0X455ctnh-jJrutvVkUsBu0SS-wBllAS7LUGh2aIhJV9qTgITxKvDchfHrzJnpyI3dGEbmUweC0pqvpzM_KDNKUG-GhafthehEz6V1SYq3DA2XPKevO4xuTAF9R9zl4KtgXVPZQba2A-3GZxOuL2WZhcxYV3Qm3kLQlHHxiriz5vQDIXTIYsmRdh791YDsjHr7lKIG9Vf8b2Mddivs8FFZerJAJzanzzZQ2wa0nJ4DpOQaasbBAf9NCltkUavHp7Q6x0KWPKAh5Nv--mF1A3VZOPjWvn3yg
默认情况下，OpenID Connect 处理程序只通过下列 ClaimActions 把这些声明从 ID 令牌 / userinfo 响应传播到用户对象（ClaimsPrincipal），其余声明会被丢弃：
// Default ClaimActions of the ASP.NET Core OpenID Connect handler: these JSON keys are
// copied from the userinfo / ID-token payload onto the ClaimsPrincipal; keys without a
// mapping are discarded, which is why custom claims never reach the client app.
options.ClaimActions.MapUniqueJsonKey("sub", "sub");
options.ClaimActions.MapUniqueJsonKey("name", "name");
options.ClaimActions.MapUniqueJsonKey("given_name", "given_name");
options.ClaimActions.MapUniqueJsonKey("family_name", "family_name");
options.ClaimActions.MapUniqueJsonKey("profile", "profile");
options.ClaimActions.MapUniqueJsonKey("email", "email");
这些默认映射可以在 ASP.NET Core 的 OpenIdConnectOptions 源码中找到。
要映射其他声明,我们必须使用以下方法手动映射它们:
// Explicit allow-list mapping (preferred): only the claims the app actually authorizes on
// are copied into the session cookie, keeping the cookie small and predictable.
options.ClaimActions.MapUniqueJsonKey("website", "website");
options.ClaimActions.MapUniqueJsonKey("gender", "gender");
options.ClaimActions.MapUniqueJsonKey("birthdate", "birthdate");
或
// Catch-all mapping: every key not listed here is turned into a claim on the principal.
// Caveat: this blindly trusts whatever the provider returns and grows the auth cookie with
// every claim; prefer explicit MapUniqueJsonKey calls for the claims you actually consume.
options.ClaimActions.MapAllExcept("iss", "nbf", "exp", "aud", "nonce");
请检查一下客户端是否注册了承载这些声明的作用域（Client.AllowedScopes），并且客户端确实请求了该作用域，例如：
// Example from the answer: a machine-to-machine client. It uses client_credentials, so there
// is no user and no id_token / userinfo claims; it only illustrates the AllowedScopes property.
new Client
{
    ClientId = "service.client",
    // Demo value only — never ship a literal secret like this.
    ClientSecrets = { new Secret("secret".Sha256()) },
    AllowedGrantTypes = GrantTypes.ClientCredentials,
    // A client may only request scopes listed here; claims attached to a scope the client
    // cannot request are never issued to it.
    AllowedScopes = { "api1", "api2.read_only","otherclaims/scopes" }
}
多亏了Tore的帮助，我才意识到自己的无知。我完全没有意识到我们可以通过实现 IProfileService 来扩展 Identity Server。我通过实现 ProfileService 在 access_token 中添加了自定义声明。注意：GetProfileDataAsync 在签发 ID 令牌、访问令牌以及响应 userinfo 请求时都会被调用，应只返回被请求的作用域/声明类型所允许的声明，而不是把用户的所有声明都写进每个令牌。