How to create additional parameters for IdentityServer3 grant_type:password
I have IdentityServer3 running with AspNetIdentity and IdentityManager. I have created a JS client based on the resource owner flow sample. My AspNetIdentity implementation is customized so that the user store has a foreign key to an Organization table. The Organization table acts as the tenant table, because our IdentityServer and WebApi are going to be multi-tenant. When a user logs in I need to pass an additional parameter in the request that specifies the user's tenant ID. Once I have the tenant ID, I will override AuthenticateLocalAsync to look up the user's tenant information.
I am stuck on passing the additional tenant ID or other parameters on grant_type:password. I tried passing an acr_values array, but I am not sure I am doing any of this the right way.
Any additional information with a good explanation of scopes, claims, roles etc. would also help a lot, since it is still quite hazy.
Here is the client on idsvr:
new Client
{
    ClientId = "tleweb",
    ClientName = "TLE Web Client",
    ClientSecrets = new List<Secret>
    {
        // A secret that ships inside browser-side JavaScript is readable by every user
        // of the page, so it does not really authenticate this client.
        new Secret("secret".Sha256())
    },
    Enabled = true,
    // Resource owner password flow: the client posts username/password to the token endpoint.
    Flow = Flows.ResourceOwner,
    RequireConsent = false,
    AllowRememberConsent = true,
    RedirectUris = new List<string>(){ "https://localhost:13048/account/signInCallback"},
    PostLogoutRedirectUris = new List<string>(){ "https://localhost:13048/"},
    AllowedScopes = new List<string>()
    {
        Constants.StandardScopes.OpenId,
        Constants.StandardScopes.Profile,
        Constants.StandardScopes.Email,
        "read",
        "write",
        "tenant_id"
    },
    AllowedCorsOrigins = new List<string>
    {
        // The CORS origin must match the page's scheme, host and port exactly;
        // note the redirect URIs above use https while this origin is http.
        "http://localhost:13048"
    },
    AccessTokenType=AccessTokenType.Jwt,
    AccessTokenLifetime = 3600,
    AbsoluteRefreshTokenLifetime = 86400,
    SlidingRefreshTokenLifetime = 43200,
    RefreshTokenUsage = TokenUsage.OneTimeOnly,
    RefreshTokenExpiration = TokenExpiration.Sliding
}
Here is the JS client code:
// Assumed to be defined elsewhere on the page: tokenUrl, client_id, client_secret, showToken.
// A client_secret embedded in browser JavaScript is visible to anyone who loads the page,
// so it offers no real client authentication.
var token;

function getToken() {
    var uid = document.getElementById("username").value;
    var pwd = document.getElementById("password").value;
    var xhr = new XMLHttpRequest();
    xhr.onload = function (e) {
        console.log(xhr.status);
        console.log(xhr.response);
        var response_data = JSON.parse(xhr.response);
        if (xhr.status === 200 && response_data.access_token) {
            token = response_data.access_token;
        }
        showToken(response_data);
    };
    xhr.open("POST", tokenUrl);
    var data = {
        username: uid,
        password: pwd,
        // acr_values is a single space-separated string, not an array
        // (encodeURIComponent(["1"]) happens to produce "1", which hid the mistake).
        acr_values: "1",
        grant_type: "password",
        scope: "openid profile read write tenant_id"
    };
    // Form-encode the request body as application/x-www-form-urlencoded.
    var body = "";
    for (var key in data) {
        if (body.length) {
            body += "&";
        }
        body += key + "=" + encodeURIComponent(data[key]);
    }
    xhr.setRequestHeader("Authorization", "Basic " + btoa(client_id + ":" + client_secret));
    xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    xhr.send(body);
}
Found it! Use the acr_values parameter in the request:
https://identityserver.github.io/Documentation/docsv2/endpoints/authorization.html
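The server-side half the question describes, overriding AuthenticateLocalAsync to resolve the tenant, as an added example that is not from the original post or from the IdentityServer3 samples. It assumes the client sends the tenant inside acr_values as `tenant:<id>` (the prefix IdentityServer3 lifts into SignInMessage.Tenant), an ApplicationUser type with an OrganizationId foreign key to the organisation table, an ApplicationUserManager deriving from UserManager, and a "tenant_id" scope whose claim list includes "tenant_id"; those names are assumptions. The point it adds is that a client-supplied tenant must never be trusted on its own: the tenant is read from the authenticated user's record and the requested value is only accepted when it matches.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.AspNetIdentity;
using IdentityServer3.Core;
using IdentityServer3.Core.Extensions;
using IdentityServer3.Core.Models;
using Microsoft.AspNet.Identity;

// Assumed application types (not part of the original post):
//   ApplicationUser : IdentityUser, with an OrganizationId foreign key to the organisation (tenant) table.
//   ApplicationUserManager : UserManager<ApplicationUser, string>.
public class TenantAwareUserService : AspNetIdentityUserService<ApplicationUser, string>
{
    private const string TenantClaimType = "tenant_id";
    private const string LoginFailed = "Invalid username or password";

    public TenantAwareUserService(ApplicationUserManager userManager) : base(userManager) { }

    public override async Task AuthenticateLocalAsync(LocalAuthenticationContext context)
    {
        // IdentityServer3 moves a "tenant:<value>" entry out of acr_values into SignInMessage.Tenant;
        // any other acr_values entries remain in SignInMessage.AcrValues.
        var requestedTenant = context.SignInMessage.Tenant;

        var user = await FindUserAsync(context.UserName);
        if (user == null || !await userManager.CheckPasswordAsync(user, context.Password))
        {
            // One generic message for both "unknown user" and "wrong password",
            // so the token endpoint cannot be used to enumerate accounts.
            context.AuthenticateResult = new AuthenticateResult(LoginFailed);
            return;
        }

        // The tenant is a property of the authenticated user, not of the request. A tenant named by
        // the client is accepted only when it matches the user's own organisation; otherwise fail.
        var userTenant = user.OrganizationId.ToString();
        if (!string.IsNullOrWhiteSpace(requestedTenant) && requestedTenant != userTenant)
        {
            context.AuthenticateResult = new AuthenticateResult(LoginFailed);
            return;
        }

        var claims = (await GetClaimsForAuthenticateResult(user)).ToList();
        claims.Add(new Claim(TenantClaimType, userTenant));

        context.AuthenticateResult = new AuthenticateResult(
            user.Id,
            await GetDisplayNameForAccountAsync(user.Id),
            claims,
            authenticationMethod: Constants.AuthenticationMethods.Password);
    }

    // Claims attached to AuthenticateResult are not copied into tokens by themselves; token claims
    // come from GetProfileDataAsync. Issue tenant_id only when that claim (or every claim) was requested.
    public override async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        await base.GetProfileDataAsync(context);

        if (!context.AllClaimsRequested && !context.RequestedClaimTypes.Contains(TenantClaimType))
        {
            return;
        }

        var user = await userManager.FindByIdAsync(context.Subject.GetSubjectId());
        if (user == null)
        {
            return;
        }

        // Replace any stored tenant_id claim with the value from the user record, the source of truth.
        context.IssuedClaims = context.IssuedClaims
            .Where(c => c.Type != TenantClaimType)
            .Concat(new[] { new Claim(TenantClaimType, user.OrganizationId.ToString()) })
            .ToList();
    }
}
```

Register the service with `factory.UserService = new Registration<IUserService>(resolver => new TenantAwareUserService(...))` in place of the default AspNetIdentity registration, and define the "tenant_id" scope with `Claims = new List<ScopeClaim> { new ScopeClaim("tenant_id") }` so that requesting the scope actually pulls the claim into the token. With this in place the JS client above sends `acr_values=tenant:<id>`; a request naming a tenant the user does not belong to fails exactly like a bad password rather than silently issuing a token for the wrong tenant.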