IdentityServer4 声明没有显示我给 IDS 服务器的任何声明
IdentityServer4 claims don't show any of the claims that I gave to the IDS server
我是 IdentityServer4 的新手。我创建了一个身份服务器项目和一个 .NET Core 3 API，并为客户端添加了声明（claims），但这些声明没有显示在 IdentityServer 的 MVC UI 中，而且我也没有收到任何错误。
这是我的身份服务器 StartUp.cs
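namespace Marvin.IDP
{
    /// <summary>
    /// Host configuration for the IdentityServer4 identity provider (IDP).
    /// Registers the in-memory resources, clients and test users defined in
    /// <see cref="Config"/> and <see cref="TestUsers"/> and wires the request pipeline.
    /// </summary>
    public class Startup
    {
        /// <summary>Hosting environment injected by the runtime; used to gate development-only behaviour.</summary>
        public IWebHostEnvironment Environment { get; }

        /// <summary>Captures the hosting environment for later use.</summary>
        /// <param name="environment">The hosting environment supplied by the host.</param>
        public Startup(IWebHostEnvironment environment)
        {
            Environment = environment;
        }

        /// <summary>
        /// Registers MVC (for the login UI) and IdentityServer backed by in-memory stores.
        /// </summary>
        /// <param name="services">The DI container to populate.</param>
        public void ConfigureServices(IServiceCollection services)
        {
            // uncomment, if you want to add an MVC-based UI
            services.AddControllersWithViews();

            // ShowPII makes token-validation errors include raw token, issuer and claim
            // values. That is handy while debugging missing claims, but it writes personal
            // data into logs, so it is only switched on in the Development environment.
            IdentityModelEventSource.ShowPII = Environment.IsDevelopment();

            var builder = services.AddIdentityServer()
                .AddInMemoryIdentityResources(Config.Ids)
                .AddInMemoryApiResources(Config.Apis)
                .AddInMemoryClients(Config.Clients)
                .AddTestUsers(TestUsers.Users);

            // not recommended for production - you need to store your key material somewhere secure
            builder.AddDeveloperSigningCredential();
        }

        /// <summary>
        /// Builds the HTTP pipeline. Order matters: routing precedes IdentityServer and
        /// authorization, and endpoint mapping comes last.
        /// </summary>
        /// <param name="app">The application pipeline builder.</param>
        public void Configure(IApplicationBuilder app)
        {
            if (Environment.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            // uncomment if you want to add MVC
            app.UseStaticFiles();
            app.UseRouting();

            // IdentityServer4's UseIdentityServer registers the authentication middleware
            // itself, which is why no separate UseAuthentication() call precedes
            // UseAuthorization() here.
            app.UseIdentityServer();

            // uncomment, if you want to add MVC
            app.UseAuthorization();
            app.UseEndpoints(endpoints =>
            {
                endpoints.MapDefaultControllerRoute();
            });
        }
    }
}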
这里是 IDS4 配置文件
/// <summary>
/// In-memory IdentityServer4 configuration: identity resources (scopes that release
/// user claims), API resources, and the single interactive MVC client.
/// </summary>
public static class Config
{
    // Scope and claim names shared between the resources and the client's AllowedScopes.
    private const string RolesScope = "roles";
    private const string ImageGalleryApiScope = "imagegalleryapi";
    private const string RoleClaimType = "role";

    /// <summary>
    /// Identity resources. Besides the standard openid/profile/address scopes, a custom
    /// "roles" scope is defined so the "role" claim is released to clients that request it.
    /// </summary>
    public static IEnumerable<IdentityResource> Ids
    {
        get
        {
            var rolesResource = new IdentityResource(
                RolesScope,
                "Your role(s)",
                new List<string> { RoleClaimType });

            return new IdentityResource[]
            {
                new IdentityResources.OpenId(),
                new IdentityResources.Profile(),
                new IdentityResources.Address(),
                rolesResource
            };
        }
    }

    /// <summary>
    /// API resources. The image gallery API also receives the "role" claim in access tokens.
    /// </summary>
    public static IEnumerable<ApiResource> Apis
    {
        get
        {
            var galleryApi = new ApiResource(
                ImageGalleryApiScope,
                "Image Gallery API",
                new List<string> { RoleClaimType });

            return new ApiResource[] { galleryApi };
        }
    }

    /// <summary>
    /// Registered clients: one confidential MVC client using the authorization code
    /// flow with PKCE, allowed to request the identity scopes above plus the API scope.
    /// </summary>
    public static IEnumerable<Client> Clients
    {
        get
        {
            var imageGalleryClient = new Client
            {
                ClientName = "Image Gallery",
                ClientId = "imagegalleryclient",
                AllowedGrantTypes = GrantTypes.Code,
                RequirePkce = true,
                RedirectUris = new List<string> { "https://localhost:44389/signin-oidc" },
                PostLogoutRedirectUris = new List<string> { "https://localhost:44389/signout-callback-oidc" },
                // Every scope the MVC client asks for must be listed here, or the
                // authorize request is rejected by the IDP.
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    IdentityServerConstants.StandardScopes.Address,
                    RolesScope,
                    ImageGalleryApiScope
                },
                // Sample value only; a real deployment loads the client secret from
                // configuration or a secret store instead of committing it to source.
                ClientSecrets =
                {
                    new Secret("secret".Sha256())
                }
            };

            return new Client[] { imageGalleryClient };
        }
    }
}
这是我的 API 启动文件
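/// <summary>
/// Startup for the MVC client that talks to the IDP (https://localhost:44318) and the
/// image gallery API (https://localhost:44366). Cookie authentication is the default
/// scheme; OpenID Connect with the authorization code flow is used for the challenge.
/// </summary>
public class Startup
{
    /// <summary>Application configuration supplied by the host.</summary>
    public IConfiguration Configuration { get; }

    /// <summary>
    /// Stores the configuration and clears the inbound JWT claim-type map so claims keep
    /// the short names the IDP issues ("sub", "role", "given_name") instead of being
    /// renamed to the legacy SOAP-style claim URIs.
    /// </summary>
    /// <param name="configuration">The host configuration.</param>
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
    }

    // This method gets called by the runtime. Use this method to add services to the container.
    /// <summary>
    /// Registers MVC, the named HttpClients for the API and the IDP, and the
    /// cookie + OpenID Connect authentication handlers.
    /// </summary>
    /// <param name="services">The DI container to populate.</param>
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews()
            // Keep JSON property names exactly as declared instead of camel-casing them.
            .AddJsonOptions(opts => opts.JsonSerializerOptions.PropertyNamingPolicy = null);

        services.AddHttpContextAccessor();
        services.AddTransient<BearerTokenHandler>();

        // create an HttpClient used for accessing the API
        // BearerTokenHandler is defined elsewhere; presumably it attaches the saved access
        // token to outgoing API calls — verify against its implementation.
        services.AddHttpClient("APIClient", client =>
        {
            client.BaseAddress = new Uri("https://localhost:44366/");
            client.DefaultRequestHeaders.Clear();
            client.DefaultRequestHeaders.Add(HeaderNames.Accept, "application/json");
        }).AddHttpMessageHandler<BearerTokenHandler>();

        // create an HttpClient used for accessing the IDP
        services.AddHttpClient("IDPClient", client =>
        {
            client.BaseAddress = new Uri("https://localhost:44318/");
            client.DefaultRequestHeaders.Clear();
            client.DefaultRequestHeaders.Add(HeaderNames.Accept, "application/json");
        });

        services.AddAuthentication(options =>
        {
            // Requests are authenticated from the cookie; unauthenticated requests are
            // redirected to the IDP through the OpenID Connect handler.
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
        {
            options.AccessDeniedPath = "/Authorization/AccessDenied";
        })
        .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.Authority = "https://localhost:44318/";
            options.ClientId = "imagegalleryclient";
            options.ResponseType = "code";

            // openid and profile are requested by default; the extra scopes must match the
            // client's AllowedScopes on the IDP, otherwise the authorize request is rejected.
            options.Scope.Add("address");
            options.Scope.Add("roles");
            options.Scope.Add("imagegalleryapi");

            // Drop protocol claims that are of no use to the application.
            options.ClaimActions.DeleteClaim("sid");
            options.ClaimActions.DeleteClaim("idp");
            options.ClaimActions.DeleteClaim("s_hash");
            options.ClaimActions.DeleteClaim("auth_time");

            // The userinfo response is JSON; keys are not turned into claims
            // automatically, so "role" is mapped explicitly.
            options.ClaimActions.MapUniqueJsonKey("role", "role");

            options.SaveTokens = true;
            // Sample value only; in a real deployment read the secret from configuration
            // or a secret store rather than keeping it in source.
            options.ClientSecret = "secret";
            // Claims for the requested identity scopes are retrieved from the IDP's
            // userinfo endpoint after the code exchange.
            options.GetClaimsFromUserInfoEndpoint = true;
            options.TokenValidationParameters = new TokenValidationParameters
            {
                // Drive User.Identity.Name and IsInRole from the short JWT claim names.
                NameClaimType = JwtClaimTypes.GivenName,
                RoleClaimType = JwtClaimTypes.Role
            };
        });
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    /// <summary>
    /// Builds the HTTP pipeline. UseStaticFiles is registered exactly once, after HTTPS
    /// redirection, so static assets are also served over HTTPS; authentication runs
    /// before authorization so the cookie principal is available to the policies.
    /// </summary>
    /// <param name="app">The application pipeline builder.</param>
    /// <param name="env">The hosting environment.</param>
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Shared/Error");
            // The default HSTS value is 30 days. You may want to change this for
            // production scenarios, see https://aka.ms/aspnetcore-hsts.
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseRouting();

        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllerRoute(
                name: "default",
                pattern: "{controller=Gallery}/{action=Index}/{id?}");
        });
    }
}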
这里我添加MyTestUser
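/// <summary>
/// Sample users for the in-memory test user store. Each user carries the claims
/// ("given_name", "family_name", "address", "role") that the profile, address and
/// "roles" identity resources release to clients.
/// </summary>
public class TestUsers
{
    // readonly so other code cannot swap the list out from under IdentityServer after
    // AddTestUsers has captured it. The credentials are sample values for local testing only.
    public static readonly List<TestUser> Users = new List<TestUser>
    {
        new TestUser
        {
            SubjectId = "d860efca-22d9-47fd-8249-791ba61b07c7",
            Username = "Frank",
            Password = "password",
            Claims = new List<Claim>
            {
                new Claim("given_name", "Frank"),
                new Claim("family_name", "Underwood"),
                new Claim("address", "Main Road 1"),
                new Claim("role", "FreeUser")
            }
        },
        new TestUser
        {
            SubjectId = "b7539694-97e7-4dfe-84da-b4256e1ff5c7",
            Username = "Claire",
            Password = "password",
            Claims = new List<Claim>
            {
                new Claim("given_name", "Claire"),
                new Claim("family_name", "Underwood"),
                new Claim("address", "Big Street 2"),
                new Claim("role", "PayingUser")
            }
        }
    };
}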
使用该身份用户登录后，MVC UI 显示如下：
[![在此处输入图片描述][1]][1]
[1]: https://i.stack.imgur.com/ImtA0.png
当您使用授权码流程（options.ResponseType = "code";）登录时，意味着必须有一个用户参与；而 roles 是一个 IdentityResource 作用域，这意味着只有当具有 role 声明的用户被添加到 IdentityServer 中时，它才会被包含在内。
请将用户添加到 IdentityServer 以使其正常工作。
我是 IdentityServer4 的新手。我创建了一个身份服务器项目和一个 .NET Core 3 API，并为客户端添加了声明（claims），但这些声明没有显示在 IdentityServer 的 MVC UI 中，而且我也没有收到任何错误。
这是我的身份服务器 StartUp.cs
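namespace Marvin.IDP
{
    /// <summary>
    /// Host configuration for the IdentityServer4 identity provider (IDP).
    /// Registers the in-memory resources, clients and test users defined in
    /// <see cref="Config"/> and <see cref="TestUsers"/> and wires the request pipeline.
    /// </summary>
    public class Startup
    {
        /// <summary>Hosting environment injected by the runtime; used to gate development-only behaviour.</summary>
        public IWebHostEnvironment Environment { get; }

        /// <summary>Captures the hosting environment for later use.</summary>
        /// <param name="environment">The hosting environment supplied by the host.</param>
        public Startup(IWebHostEnvironment environment)
        {
            Environment = environment;
        }

        /// <summary>
        /// Registers MVC (for the login UI) and IdentityServer backed by in-memory stores.
        /// </summary>
        /// <param name="services">The DI container to populate.</param>
        public void ConfigureServices(IServiceCollection services)
        {
            // uncomment, if you want to add an MVC-based UI
            services.AddControllersWithViews();

            // ShowPII makes token-validation errors include raw token, issuer and claim
            // values. That is handy while debugging missing claims, but it writes personal
            // data into logs, so it is only switched on in the Development environment.
            IdentityModelEventSource.ShowPII = Environment.IsDevelopment();

            var builder = services.AddIdentityServer()
                .AddInMemoryIdentityResources(Config.Ids)
                .AddInMemoryApiResources(Config.Apis)
                .AddInMemoryClients(Config.Clients)
                .AddTestUsers(TestUsers.Users);

            // not recommended for production - you need to store your key material somewhere secure
            builder.AddDeveloperSigningCredential();
        }

        /// <summary>
        /// Builds the HTTP pipeline. Order matters: routing precedes IdentityServer and
        /// authorization, and endpoint mapping comes last.
        /// </summary>
        /// <param name="app">The application pipeline builder.</param>
        public void Configure(IApplicationBuilder app)
        {
            if (Environment.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            // uncomment if you want to add MVC
            app.UseStaticFiles();
            app.UseRouting();

            // IdentityServer4's UseIdentityServer registers the authentication middleware
            // itself, which is why no separate UseAuthentication() call precedes
            // UseAuthorization() here.
            app.UseIdentityServer();

            // uncomment, if you want to add MVC
            app.UseAuthorization();
            app.UseEndpoints(endpoints =>
            {
                endpoints.MapDefaultControllerRoute();
            });
        }
    }
}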
这里是 IDS4 配置文件
/// <summary>
/// In-memory IdentityServer4 configuration: identity resources (scopes that release
/// user claims), API resources, and the single interactive MVC client.
/// </summary>
public static class Config
{
    // Scope and claim names shared between the resources and the client's AllowedScopes.
    private const string RolesScope = "roles";
    private const string ImageGalleryApiScope = "imagegalleryapi";
    private const string RoleClaimType = "role";

    /// <summary>
    /// Identity resources. Besides the standard openid/profile/address scopes, a custom
    /// "roles" scope is defined so the "role" claim is released to clients that request it.
    /// </summary>
    public static IEnumerable<IdentityResource> Ids
    {
        get
        {
            var rolesResource = new IdentityResource(
                RolesScope,
                "Your role(s)",
                new List<string> { RoleClaimType });

            return new IdentityResource[]
            {
                new IdentityResources.OpenId(),
                new IdentityResources.Profile(),
                new IdentityResources.Address(),
                rolesResource
            };
        }
    }

    /// <summary>
    /// API resources. The image gallery API also receives the "role" claim in access tokens.
    /// </summary>
    public static IEnumerable<ApiResource> Apis
    {
        get
        {
            var galleryApi = new ApiResource(
                ImageGalleryApiScope,
                "Image Gallery API",
                new List<string> { RoleClaimType });

            return new ApiResource[] { galleryApi };
        }
    }

    /// <summary>
    /// Registered clients: one confidential MVC client using the authorization code
    /// flow with PKCE, allowed to request the identity scopes above plus the API scope.
    /// </summary>
    public static IEnumerable<Client> Clients
    {
        get
        {
            var imageGalleryClient = new Client
            {
                ClientName = "Image Gallery",
                ClientId = "imagegalleryclient",
                AllowedGrantTypes = GrantTypes.Code,
                RequirePkce = true,
                RedirectUris = new List<string> { "https://localhost:44389/signin-oidc" },
                PostLogoutRedirectUris = new List<string> { "https://localhost:44389/signout-callback-oidc" },
                // Every scope the MVC client asks for must be listed here, or the
                // authorize request is rejected by the IDP.
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    IdentityServerConstants.StandardScopes.Address,
                    RolesScope,
                    ImageGalleryApiScope
                },
                // Sample value only; a real deployment loads the client secret from
                // configuration or a secret store instead of committing it to source.
                ClientSecrets =
                {
                    new Secret("secret".Sha256())
                }
            };

            return new Client[] { imageGalleryClient };
        }
    }
}
这是我的 API 启动文件
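/// <summary>
/// Startup for the MVC client that talks to the IDP (https://localhost:44318) and the
/// image gallery API (https://localhost:44366). Cookie authentication is the default
/// scheme; OpenID Connect with the authorization code flow is used for the challenge.
/// </summary>
public class Startup
{
    /// <summary>Application configuration supplied by the host.</summary>
    public IConfiguration Configuration { get; }

    /// <summary>
    /// Stores the configuration and clears the inbound JWT claim-type map so claims keep
    /// the short names the IDP issues ("sub", "role", "given_name") instead of being
    /// renamed to the legacy SOAP-style claim URIs.
    /// </summary>
    /// <param name="configuration">The host configuration.</param>
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
    }

    // This method gets called by the runtime. Use this method to add services to the container.
    /// <summary>
    /// Registers MVC, the named HttpClients for the API and the IDP, and the
    /// cookie + OpenID Connect authentication handlers.
    /// </summary>
    /// <param name="services">The DI container to populate.</param>
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews()
            // Keep JSON property names exactly as declared instead of camel-casing them.
            .AddJsonOptions(opts => opts.JsonSerializerOptions.PropertyNamingPolicy = null);

        services.AddHttpContextAccessor();
        services.AddTransient<BearerTokenHandler>();

        // create an HttpClient used for accessing the API
        // BearerTokenHandler is defined elsewhere; presumably it attaches the saved access
        // token to outgoing API calls — verify against its implementation.
        services.AddHttpClient("APIClient", client =>
        {
            client.BaseAddress = new Uri("https://localhost:44366/");
            client.DefaultRequestHeaders.Clear();
            client.DefaultRequestHeaders.Add(HeaderNames.Accept, "application/json");
        }).AddHttpMessageHandler<BearerTokenHandler>();

        // create an HttpClient used for accessing the IDP
        services.AddHttpClient("IDPClient", client =>
        {
            client.BaseAddress = new Uri("https://localhost:44318/");
            client.DefaultRequestHeaders.Clear();
            client.DefaultRequestHeaders.Add(HeaderNames.Accept, "application/json");
        });

        services.AddAuthentication(options =>
        {
            // Requests are authenticated from the cookie; unauthenticated requests are
            // redirected to the IDP through the OpenID Connect handler.
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
        {
            options.AccessDeniedPath = "/Authorization/AccessDenied";
        })
        .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.Authority = "https://localhost:44318/";
            options.ClientId = "imagegalleryclient";
            options.ResponseType = "code";

            // openid and profile are requested by default; the extra scopes must match the
            // client's AllowedScopes on the IDP, otherwise the authorize request is rejected.
            options.Scope.Add("address");
            options.Scope.Add("roles");
            options.Scope.Add("imagegalleryapi");

            // Drop protocol claims that are of no use to the application.
            options.ClaimActions.DeleteClaim("sid");
            options.ClaimActions.DeleteClaim("idp");
            options.ClaimActions.DeleteClaim("s_hash");
            options.ClaimActions.DeleteClaim("auth_time");

            // The userinfo response is JSON; keys are not turned into claims
            // automatically, so "role" is mapped explicitly.
            options.ClaimActions.MapUniqueJsonKey("role", "role");

            options.SaveTokens = true;
            // Sample value only; in a real deployment read the secret from configuration
            // or a secret store rather than keeping it in source.
            options.ClientSecret = "secret";
            // Claims for the requested identity scopes are retrieved from the IDP's
            // userinfo endpoint after the code exchange.
            options.GetClaimsFromUserInfoEndpoint = true;
            options.TokenValidationParameters = new TokenValidationParameters
            {
                // Drive User.Identity.Name and IsInRole from the short JWT claim names.
                NameClaimType = JwtClaimTypes.GivenName,
                RoleClaimType = JwtClaimTypes.Role
            };
        });
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    /// <summary>
    /// Builds the HTTP pipeline. UseStaticFiles is registered exactly once, after HTTPS
    /// redirection, so static assets are also served over HTTPS; authentication runs
    /// before authorization so the cookie principal is available to the policies.
    /// </summary>
    /// <param name="app">The application pipeline builder.</param>
    /// <param name="env">The hosting environment.</param>
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Shared/Error");
            // The default HSTS value is 30 days. You may want to change this for
            // production scenarios, see https://aka.ms/aspnetcore-hsts.
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseRouting();

        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllerRoute(
                name: "default",
                pattern: "{controller=Gallery}/{action=Index}/{id?}");
        });
    }
}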
这里我添加MyTestUser
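/// <summary>
/// Sample users for the in-memory test user store. Each user carries the claims
/// ("given_name", "family_name", "address", "role") that the profile, address and
/// "roles" identity resources release to clients.
/// </summary>
public class TestUsers
{
    // readonly so other code cannot swap the list out from under IdentityServer after
    // AddTestUsers has captured it. The credentials are sample values for local testing only.
    public static readonly List<TestUser> Users = new List<TestUser>
    {
        new TestUser
        {
            SubjectId = "d860efca-22d9-47fd-8249-791ba61b07c7",
            Username = "Frank",
            Password = "password",
            Claims = new List<Claim>
            {
                new Claim("given_name", "Frank"),
                new Claim("family_name", "Underwood"),
                new Claim("address", "Main Road 1"),
                new Claim("role", "FreeUser")
            }
        },
        new TestUser
        {
            SubjectId = "b7539694-97e7-4dfe-84da-b4256e1ff5c7",
            Username = "Claire",
            Password = "password",
            Claims = new List<Claim>
            {
                new Claim("given_name", "Claire"),
                new Claim("family_name", "Underwood"),
                new Claim("address", "Big Street 2"),
                new Claim("role", "PayingUser")
            }
        }
    };
}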
使用该身份用户登录后，MVC UI 显示如下：
[![在此处输入图片描述][1]][1]
[1]: https://i.stack.imgur.com/ImtA0.png
当您使用授权码流程（options.ResponseType = "code";）登录时，意味着必须有一个用户参与；而 roles 是一个 IdentityResource 作用域，这意味着只有当具有 role 声明的用户被添加到 IdentityServer 中时，它才会被包含在内。
请将用户添加到 IdentityServer 以使其正常工作。