身份服务器 4 在不使用配置文件的情况下获取电子邮件声明
identity server 4 get email claim without using Profile
如何在不包含 "Profile" 身份资源的情况下配置 Identity Server Core 以在混合流中传递用户电子邮件?
我希望我的服务器知道关于用户的尽可能少的信息,所以我只需要用户的电子邮件来创建帐户。我的同意只是要求用户授权 id 和 email 都需要。
我正在使用 entity framework Stores 来保存数据 + Asp.net Core Identity 用于用户管理。我从下面显示的配置中填充数据库。
这是我到目前为止所做的,但我没有收到用户电子邮件的索赔。不过我收到了 "sid"。
public class Config
{
// scopes define the resources in your system
public static IEnumerable<IdentityResource> GetIdentityResources()
{
return new List<IdentityResource>
{
new IdentityResources.OpenId(),
new IdentityResources.Email
{
Required = true
}
};
}
// clients want to access resources (aka scopes)
public static IEnumerable<Client> GetClients()
{
new Client
{
ClientId = "MyClient",
ClientName = "MyClient",
AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
RequireConsent = true,
ClientSecrets =
{
new Secret("secret".Sha256())
},
RedirectUris = { "http://localhost:27919/signin-oidc" },
PostLogoutRedirectUris = { "http://localhost:27919" },
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Email
},
AllowOfflineAccess = true
}
};
}
}
我在客户端做的是:
// middleware for external openid connect authentication
var options = new OpenIdConnectOptions
{
SignInScheme = "Identity.External",
SignOutScheme = "Identity",
DisplayName = "MyClient",
Authority = Constants.AuthServer.BaseUrl,
ClientId = "MyClient",
ClientSecret = "secret",
ResponseType = "code id_token",
//Scopes are entered below, outside this constructor
GetClaimsFromUserInfoEndpoint = true,
RequireHttpsMetadata = false //TODO: make true, it is false for development only
};
//Adding Scopes
options.Scope.Clear();
options.Scope.Add("openid");
options.Scope.Add("email");
app.UseOpenIdConnectAuthentication(options);
我发现在对应于 Asp.net 身份的帐户控制器中,必须在创建用户时创建电子邮件声明,因此添加:
user.Claims.Add(new IdentityUserClaim<string>
{
ClaimType = "email",
ClaimValue = model.Email
});
在每个用户创建之后:
var user = new ApplicationUser { UserName = model.Email, Email = model.Email };
好的,这是一个老问题,但我搜索了很长时间来解决我的类似问题。
目标是在 IdentityServer4 的 Config.cs 中将 AlwaysIncludeUserClaimsInIdToken=true 设置为 true。然后你在索赔中得到 prefered_username 和 name。
new Client
{
AlwaysIncludeUserClaimsInIdToken=true,
ClientId = "MyID",
ClientSecrets = {new Secret("MySecret".Sha256())},
AllowedGrantTypes = GrantTypes.Code,
// where to redirect to after login
RedirectUris = { "https://localhost:5001/signin-oidc", "https://app.gform.de/signin-oidc" },
// where to redirect to after logout
PostLogoutRedirectUris = { "https://localhost:5001/signout-callback-oidc","https://app.gform.de/signout-callback-oidc" },
AllowOfflineAccess = true,
AllowedScopes = new List<string> {
"openid",
"profile",
"api1"
}
}
如何在不包含 "Profile" 身份资源的情况下配置 Identity Server Core 以在混合流中传递用户电子邮件?
我希望我的服务器知道关于用户的尽可能少的信息,所以我只需要用户的电子邮件来创建帐户。我的同意只是要求用户授权 id 和 email 都需要。
我正在使用 entity framework Stores 来保存数据 + Asp.net Core Identity 用于用户管理。我从下面显示的配置中填充数据库。
这是我到目前为止所做的,但我没有收到用户电子邮件的索赔。不过我收到了 "sid"。
public class Config
{
// scopes define the resources in your system
public static IEnumerable<IdentityResource> GetIdentityResources()
{
return new List<IdentityResource>
{
new IdentityResources.OpenId(),
new IdentityResources.Email
{
Required = true
}
};
}
// clients want to access resources (aka scopes)
public static IEnumerable<Client> GetClients()
{
new Client
{
ClientId = "MyClient",
ClientName = "MyClient",
AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
RequireConsent = true,
ClientSecrets =
{
new Secret("secret".Sha256())
},
RedirectUris = { "http://localhost:27919/signin-oidc" },
PostLogoutRedirectUris = { "http://localhost:27919" },
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Email
},
AllowOfflineAccess = true
}
};
}
}
我在客户端做的是:
// middleware for external openid connect authentication
var options = new OpenIdConnectOptions
{
SignInScheme = "Identity.External",
SignOutScheme = "Identity",
DisplayName = "MyClient",
Authority = Constants.AuthServer.BaseUrl,
ClientId = "MyClient",
ClientSecret = "secret",
ResponseType = "code id_token",
//Scopes are entered below, outside this constructor
GetClaimsFromUserInfoEndpoint = true,
RequireHttpsMetadata = false //TODO: make true, it is false for development only
};
//Adding Scopes
options.Scope.Clear();
options.Scope.Add("openid");
options.Scope.Add("email");
app.UseOpenIdConnectAuthentication(options);
我发现在对应于 Asp.net 身份的帐户控制器中,必须在创建用户时创建电子邮件声明,因此添加:
user.Claims.Add(new IdentityUserClaim<string>
{
ClaimType = "email",
ClaimValue = model.Email
});
在每个用户创建之后:
var user = new ApplicationUser { UserName = model.Email, Email = model.Email };
好的,这是一个老问题,但我搜索了很长时间来解决我的类似问题。
目标是在 IdentityServer4 的 Config.cs 中将 AlwaysIncludeUserClaimsInIdToken=true 设置为 true。然后你在索赔中得到 prefered_username 和 name。
new Client
{
AlwaysIncludeUserClaimsInIdToken=true,
ClientId = "MyID",
ClientSecrets = {new Secret("MySecret".Sha256())},
AllowedGrantTypes = GrantTypes.Code,
// where to redirect to after login
RedirectUris = { "https://localhost:5001/signin-oidc", "https://app.gform.de/signin-oidc" },
// where to redirect to after logout
PostLogoutRedirectUris = { "https://localhost:5001/signout-callback-oidc","https://app.gform.de/signout-callback-oidc" },
AllowOfflineAccess = true,
AllowedScopes = new List<string> {
"openid",
"profile",
"api1"
}
}