I have an IdentityServer4 server set up, with a client defined like this:
```csharp
using System.Collections.Generic;
using System.Security.Claims;
using IdentityServer4;
using IdentityServer4.Models;

public static IEnumerable<Client> Get()
{
    return new List<Client> {
        new Client {
            ClientId = "oauthClient",
            ClientName = "Example Client Credentials Client Application",
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            ClientSecrets = new List<Secret> {
                new Secret("superSecretPassword".Sha256())},
            AllowedScopes = {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                IdentityServerConstants.StandardScopes.Email,
                "role",
                "ControlCenter",
                "CC.Send",
            },
            // Claims the client asserts about itself (client credentials flow)
            Claims = new List<System.Security.Claims.Claim>
            {
                new System.Security.Claims.Claim("CEO","true"),
                new System.Security.Claims.Claim(ClaimTypes.Role, "CC.Send"),
                new System.Security.Claims.Claim(ClaimTypes.Role, "CEO")
            },
            RedirectUris = new List<string> {"https://localhost:44345/signin-oidc", "https://www.getpostman.com/oauth2/callback"},
            PostLogoutRedirectUris = new List<string> {"https://localhost:44345"}
        }
    };
}
```
I'm using Postman to test this. I can get a token from the /connect/token endpoint, but when I pass that token to the /connect/introspect endpoint, it returns:
```json
{
  "nbf": 1505422619,
  "exp": 1505426219,
  "iss": "https://localhost:44357",
  "aud": [
    "https://localhost:44357/resources",
    "ControlCenter"
  ],
  "client_id": "oauthClient",
  "client_CEO": "true",
  "client_http://schemas.microsoft.com/ws/2008/06/identity/claims/role": [
    "CC.Send",
    "CEO"
  ],
  "scope": "CC.Send",
  "active": true
}
```
This is causing me trouble, because I'm securing my endpoint with:
```csharp
services.AddAuthorization(options =>
{
    options.AddPolicy(
        "CanSendiSuiteProfiles",
        policyBuilder => policyBuilder.RequireClaim("CEO", "true"));
});
```
and since CEO <> client_CEO, it returns a 403 error. I could work around this by looking for client_CEO, but I'd rather understand how client_ is being added to my claims.
Best answer
These are automatically prefixed by IdentityServer4, but you can turn the prefix off with PrefixClientClaims = false (a bool property on the client).
Here is the source code of DefaultClaimsService in IdentityServer4:
https://github.com/IdentityServer/IdentityServer4/blob/295026919db5bec1b0c8f36fc89e8aeb4b5a0e3f/src/IdentityServer4/Services/DefaultClaimsService.cs
```csharp
if (request.Client.PrefixClientClaims)
{
    claimType = "client_" + claimType;
}
```
Update:

Starting with IdentityServer4 v2 and later, the property `bool PrefixClientClaims` has been replaced by the property `string ClientClaimsPrefix`, which lets you configure a prefix of your choice:

```csharp
if (request.Client.ClientClaimsPrefix.IsPresent())
{
    claimType = request.Client.ClientClaimsPrefix + claimType;
}
```
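As an added example (not code from the question, the answer, or IdentityServer4 itself), here is one way to resolve the 403 while keeping the prefix: the prefix exists so that a claim a client configures for itself cannot be confused with the same claim type asserted about a user, so matching the prefixed name in the API's policy preserves that separation. It assumes IdentityServer4 v2.x, where `ClientClaimsPrefix` is a string property and `Claims` holds `System.Security.Claims.Claim` instances; the client id, secret, scopes and policy name are taken from the question.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

public static class ClientConfig
{
    public static IEnumerable<Client> Get() => new List<Client>
    {
        new Client
        {
            ClientId = "oauthClient",
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            ClientSecrets = { new Secret("superSecretPassword".Sha256()) },
            AllowedScopes = { "ControlCenter", "CC.Send" },
            // Default value, shown explicitly: client claims are emitted as
            // "client_<type>" so they stay distinct from user claims of the
            // same type. Setting this to "" would drop the prefix, at the cost
            // of that distinction (assumption: v2.x semantics of the property).
            ClientClaimsPrefix = "client_",
            Claims = { new Claim("CEO", "true") }
        }
    };
}

public static class AuthorizationConfig
{
    public static void Add(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            // Match the claim as it actually appears in the token and in the
            // introspection response for a client-credentials caller.
            options.AddPolicy(
                "CanSendiSuiteProfiles",
                policy => policy.RequireClaim("client_CEO", "true"));
        });
    }
}
```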
Regarding ".net-core - IdentityServer4 appends client_ to claims", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/46228194/