identityserver4 - 添加了自定义声明,显示在访问令牌中缺少的 ID 令牌中
问题描述
我有一个 .NET Core 身份提供程序(也使用 IdentityServer4),它使用 Azure AD 对 SPA 应用程序进行身份验证。我正在使用从 Azure 收到的对象标识符值添加“oid”声明。问题是从 SPA 应用程序中,我可以在 ID 令牌中看到“oid”声明,但在访问令牌中看不到它。我也需要访问令牌中的 oid。以下是相关代码:
启动.cs
services.AddAuthentication()
.AddCookie("Cookies", options =>
{
options.ExpireTimeSpan = TimeSpan.FromMinutes(10);
})
.AddOpenIdConnect(ActiveDirectoryTenants.TenantA, ActiveDirectoryTenants.TenantA, options => Configuration.Bind("TenantAAzureAd", options))
.AddOpenIdConnect(ActiveDirectoryTenants.TenantB, ActiveDirectoryTenants.TenantB, options => Configuration.Bind("TenantBAzureAd", options));
AddActiveDirectoryOpenIdConnectOptions(services, ActiveDirectoryTenants.TenantA);
AddActiveDirectoryOpenIdConnectOptions(services, ActiveDirectoryTenants.TenantB);
我有一个通用功能可以为这些配置添加其他选项。我尝试在 OnTokenValidated 中添加 oid 声明,但未在访问令牌中收到 oid 声明。
protected virtual void AddActiveDirectoryOpenIdConnectOptions(IServiceCollection services, string tenant)
{
services.Configure<OpenIdConnectOptions>(tenant, options =>
{
options.Authority = options.Authority + "/v2.0/";
options.TokenValidationParameters.ValidateIssuer = false;
options.Events = new OpenIdConnectEvents
{
OnRedirectToIdentityProvider = ctx =>
{
ctx.ProtocolMessage.LoginHint = ctx.Properties.GetString("username");
return Task.CompletedTask;
},
OnTokenValidated = ctx =>
{
//Maybe need to add oid here???
}
};
});
}
成功登录 Azure AD 后正在添加 oid 声明。
AccountController.cs
public async Task<IActionResult> ExternalLoginCallback(string returnUrl, string remoteError = null, string openIdScheme = null)
{
var authResult = await HttpContext.AuthenticateAsync(openIdScheme ?? ActiveDirectoryTenants.TenantA);
var externalUser = authResult.Principal;
var claims = externalUser.Claims.ToList();
var applicationUser = //gets the user based on the email found in claims, omitted for brevity
await userManager.AddClaimAsync(applicationUser, new Claim("oid", claims.First(x => x.Type == http://schemas.microsoft.com/identity/claims/objectidentifier).Value));
await signInManager.SignInAsync(applicationUser, false, "AzureAD");
return Redirect("~/");
}
在 SPA 应用程序中收到的 ID 令牌(注意 oid 声明):
{
"nbf": xxx,
"exp": xxx,
"iss": "https://localhost:3000",
"aud": "xxx-spa-test",
"iat": xxx,
"at_hash": "",
"s_hash": "",
"sid": "",
"sub": "guid",
"auth_time": 1620026953,
"idp": "AzureAD",
"display_name": "Test User",
"oid": "guid",
"role": [
"Staff",
],
"name": "test@azureaddomain",
"amr": [
"external"
]
}
在 SPA 应用程序中收到的访问令牌(注意缺少的 oid 声明):
{
"nbf": xxx,
"exp": xxx,
"iss": "https://localhost:3000",
"aud": [
"https://localhost:3000/resources",
"xxx-api-test-scope"
],
"client_id": "xxx-spa-test",
"sub": "guid",
"auth_time": 1620026953,
"idp": "AzureAD",
"role": [
"Staff",
],
"name": "test@azureaddomain",
"scope": [
"openid",
"profile",
"xxx-api-test-scope"
],
"amr": [
"external"
]
}
解决方案
要使声明最终出现在访问令牌中,您需要添加一个 ApiScope 并向其添加 Userclaim 名称。或者,添加一个 ApiScope 和一个包含 UserClaim 的 ApiResource。
喜欢
var apiresource1 = new ApiResource()
{
Name = "apiresource1", //This is the name of the API
ApiSecrets = new List<Secret>
{
new Secret("myapisecret".Sha256())
},
Description = "This is the order Api-resource description",
Enabled = true,
DisplayName = "Orders API Service",
Scopes = new List<string> { "apiscope1"},
UserClaims = new List<string>
{
//Custom user claims that should be provided when requesting access to this API.
//These claims will be added to the access token, not the ID-token!
"apiresource1-userclaim3",
}
};
请参阅我的答案以获取更多详细信息
推荐阅读
- git - Ubuntu 20 上的 SSH 密钥不适用于任何 Git Repo
- azure-devops - Azure 管道,多阶段 YAML 管道,在构建服务器上使用相同的工作目录。怎么不腐败
- r - 在带有表格的r中使用“for”循环
- fullcalendar - 单击事件时出现 FullCallendar 刷新页面的问题
- excel - Excel VBA:对于每一行,生成新工作表并将行复制到新工作表
- python - 如何在表格中添加自动编号列?
- powerbi - 为什么我的条件格式在 PowerBI 中无法正常工作?
- mysql - MySQL 通过灵活的列数对未知数量的 ID 行求和和分组
- wix - 使用 Wix 工具集,MajorUpgrade 是否可以设置最低版本
- linux - 如何使用 'sed' 从 txt 读取一行?