我有一个IdentityServer4服务器设置和定义了一个单一的客户端这样:IdentityServer4附加client_权利要求
public static IEnumerable<Client> Get()
{
return new List<Client> {
new Client {
ClientId = "oauthClient",
ClientName = "Example Client Credentials Client Application",
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets = new List<Secret> {
new Secret("superSecretPassword".Sha256())},
AllowedScopes = {
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"role",
"ControlCenter",
"CC.Send",
},
Claims = new List<System.Security.Claims.Claim>
{
new System.Security.Claims.Claim("CEO","true"),
new System.Security.Claims.Claim(ClaimTypes.Role, "CC.Send"),
new System.Security.Claims.Claim(ClaimTypes.Role, "CEO")
},
RedirectUris = new List<string> {"https://localhost:44345/signin-oidc", "https://www.getpostman.com/oauth2/callback"},
PostLogoutRedirectUris = new List<string> {"https://localhost:44345"}
}
};
}
我使用邮递员来测试这一点,我可以在/连接/令牌端点的令牌,但是当我通过该令牌进入/连接/反思端点它返回:
{
"nbf": 1505422619,
"exp": 1505426219,
"iss": "https://localhost:44357",
"aud": [
"https://localhost:44357/resources",
"ControlCenter"
],
"client_id": "oauthClient",
"client_CEO": "true",
"client_http://schemas.microsoft.com/ws/2008/06/identity/claims/role": [
"CC.Send",
"CEO"
],
"scope": "CC.Send",
"active": true
}
这是造成我的麻烦,我已获得我的端点:
services.AddAuthorization(options =>
{
options.AddPolicy(
"CanSendiSuiteProfiles",
policyBuilder => policyBuilder.RequireClaim("CEO", "true"));
});
由于首席执行官<> client_CEO,它返回了一个错误403.我可以简单地通过查找client_CEO来解决这个问题,但我更愿意了解client_是如何被附加到我的声明中的。