1. 首页
  2. 问答
  3. IdentityServer4附加client_权利要求

IdentityServer4附加client_权利要求

2017-09-14 73 views
0

我有一个IdentityServer4服务器设置和定义了一个单一的客户端这样:IdentityServer4附加client_权利要求

public static IEnumerable<Client> Get() 
    { 
     return new List<Client> { 
      new Client { 
       ClientId = "oauthClient", 
       ClientName = "Example Client Credentials Client Application", 
       AllowedGrantTypes = GrantTypes.ClientCredentials, 
       ClientSecrets = new List<Secret> { 
        new Secret("superSecretPassword".Sha256())}, 
       AllowedScopes =  { 
        IdentityServerConstants.StandardScopes.OpenId, 
        IdentityServerConstants.StandardScopes.Profile, 
        IdentityServerConstants.StandardScopes.Email, 
        "role", 
        "ControlCenter", 
        "CC.Send", 
       }, 
       Claims = new List<System.Security.Claims.Claim> 
       { 
        new System.Security.Claims.Claim("CEO","true"), 
        new System.Security.Claims.Claim(ClaimTypes.Role, "CC.Send"), 
        new System.Security.Claims.Claim(ClaimTypes.Role, "CEO") 
       }, 
       RedirectUris = new List<string> {"https://localhost:44345/signin-oidc", "https://www.getpostman.com/oauth2/callback"}, 
       PostLogoutRedirectUris = new List<string> {"https://localhost:44345"} 
      } 
     }; 
    }

我使用邮递员来测试这一点,我可以在/连接/令牌端点的令牌,但是当我通过该令牌进入/连接/反思端点它返回:

{ 
    "nbf": 1505422619, 
    "exp": 1505426219, 
    "iss": "https://localhost:44357", 
    "aud": [ 
     "https://localhost:44357/resources", 
     "ControlCenter" 
    ], 
    "client_id": "oauthClient", 
    "client_CEO": "true", 
    "client_http://schemas.microsoft.com/ws/2008/06/identity/claims/role": [ 
     "CC.Send", 
     "CEO" 
    ], 
    "scope": "CC.Send", 
    "active": true 
}

这是造成我的麻烦,我已获得我的端点:

 services.AddAuthorization(options => 
     { 
      options.AddPolicy(
       "CanSendiSuiteProfiles", 
       policyBuilder => policyBuilder.RequireClaim("CEO", "true")); 
     });

由于首席执行官<> client_CEO,它返回了一个错误403.我可以简单地通过查找client_CEO来解决这个问题,但我更愿意了解client_是如何被附加到我的声明中的。

来源

2017-09-14 David Jacobsen

回答

2

这些会自动添加IdentityServer4的前缀,但您可以使用PrefixClientClaims = false(客户端上的布尔属性)关闭前缀。

下面是从DefaultClaimService在IdentityServer4的源代码: https://github.com/IdentityServer/IdentityServer4/blob/295026919db5bec1b0c8f36fc89e8aeb4b5a0e3f/src/IdentityServer4/Services/DefaultClaimsService.cs

if (request.Client.PrefixClientClaims) 
{ 
    claimType = "client_" + claimType; 
}

UPDATE: 从IdentityServer4 V.2以上,财产bool PrefixClientClaims通过属性string ClientClaimsPrefix它允许配置该替换您选择的前缀。

if (request.Client.ClientClaimsPrefix.IsPresent()) 
{ 
    claimType = request.Client.ClientClaimsPrefix + claimType; 
}

来源

2017-09-15 02:23:19

相关问题

 相关问题