从 IProfileService 设置的附加声明在 MVC 客户端的 OpenIdConnect 处理程序中不可用
Additional claims set from IProfileService not available in MVC client's OpenIdConnect handler
我在 .NET Core 上使用 Identity Server 4 运行 和 .NET Framework v4.6.2 MVC 应用程序。我使用配置文件服务来设置身份服务器的其他声明:
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
if (context.Caller.Equals("ClaimsProviderAccessToken") || context.Caller.Equals("ClaimsProviderIdentityToken"))
{
foreach (var group in groups)
{
// Custom logic to add additional claims.
context.IssuedClaims.Add(new Claim(ClaimTypes.Role, groupName));
}
}
}
public Task IsActiveAsync(IsActiveContext context)
{
return Task.CompletedTask;
}
当我尝试使用 .NET Core MVC 客户端时,客户端可以使用此处设置的附加声明。但是,对于 ASP.NET Framework 中的 MVC 客户端 运行,这些声明在 context.AuthenticationTicket.Identity.Claims 中不可用。但是当我检查来自 context.ProtocolMessage.AccessToken.
的访问令牌时,声明就在那里
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
ExpireTimeSpan = new TimeSpan(0, Configuration.SessionTimeoutInMinutes, 0),
SlidingExpiration = true,
CookieSameSite = Microsoft.Owin.SameSiteMode.None,
CookieSecure = CookieSecureOption.Always
});
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
RedirectUri = redirectUri,
PostLogoutRedirectUri = redirectUri,
ResponseType = "id_token token",
Scope = "openid profile roles api",
TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = false,
},
Notifications = new OpenIdConnectAuthenticationNotifications()
{
SecurityTokenValidated = (context) =>
{
// The claims are not available here.
foreach (var claim in context.AuthenticationTicket.Identity.Claims.Where(x => x.Type == JwtClaimTypes.Role).ToList())
{
context.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Role, claim.Value));
}
// But, the claims are available in the access token.
context.Response.Cookies.Append("access-token", context.ProtocolMessage.AccessToken, new Microsoft.Owin.CookieOptions() { SameSite = Microsoft.Owin.SameSiteMode.None, Secure = true });
return Task.FromResult(0);
},
}
});
这里出了什么问题?如果我需要 post 更多代码,请告诉我。
在 Identity Server 中注册 MVC 客户端时使用 AlwaysIncludeUserClaimsInIdToken = true。
我在 .NET Core 上使用 Identity Server 4 运行 和 .NET Framework v4.6.2 MVC 应用程序。我使用配置文件服务来设置身份服务器的其他声明:
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
if (context.Caller.Equals("ClaimsProviderAccessToken") || context.Caller.Equals("ClaimsProviderIdentityToken"))
{
foreach (var group in groups)
{
// Custom logic to add additional claims.
context.IssuedClaims.Add(new Claim(ClaimTypes.Role, groupName));
}
}
}
public Task IsActiveAsync(IsActiveContext context)
{
return Task.CompletedTask;
}
当我尝试使用 .NET Core MVC 客户端时,客户端可以使用此处设置的附加声明。但是,对于 ASP.NET Framework 中的 MVC 客户端 运行,这些声明在 context.AuthenticationTicket.Identity.Claims 中不可用。但是当我检查来自 context.ProtocolMessage.AccessToken.
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
ExpireTimeSpan = new TimeSpan(0, Configuration.SessionTimeoutInMinutes, 0),
SlidingExpiration = true,
CookieSameSite = Microsoft.Owin.SameSiteMode.None,
CookieSecure = CookieSecureOption.Always
});
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
RedirectUri = redirectUri,
PostLogoutRedirectUri = redirectUri,
ResponseType = "id_token token",
Scope = "openid profile roles api",
TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = false,
},
Notifications = new OpenIdConnectAuthenticationNotifications()
{
SecurityTokenValidated = (context) =>
{
// The claims are not available here.
foreach (var claim in context.AuthenticationTicket.Identity.Claims.Where(x => x.Type == JwtClaimTypes.Role).ToList())
{
context.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Role, claim.Value));
}
// But, the claims are available in the access token.
context.Response.Cookies.Append("access-token", context.ProtocolMessage.AccessToken, new Microsoft.Owin.CookieOptions() { SameSite = Microsoft.Owin.SameSiteMode.None, Secure = true });
return Task.FromResult(0);
},
}
});
这里出了什么问题?如果我需要 post 更多代码,请告诉我。
在 Identity Server 中注册 MVC 客户端时使用 AlwaysIncludeUserClaimsInIdToken = true。