asp.net-core-2.0 - IdentityServer 4 - 缺少用户角色

Question

在我的客户端中，我进行了以下设置。

services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        //options.DefaultSignInScheme = "Cookies",
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        options.Authority = "...";
        options.ClientId = "...";
        options.SaveTokens = true;
        options.ClientSecret = "secret";
        options.SignInScheme = "Cookies";
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("roles");
        options.ResponseType = "code id_token";
        options.GetClaimsFromUserInfoEndpoint = true;
        options.Events = new OpenIdConnectEvents()
        {
            OnTokenValidated = tokenValidatedContext =>
            {
                var identity = tokenValidatedContext.Principal.Identity
                    as ClaimsIdentity;

                var targetClaims = identity.Claims.Where(z =>
                    new[] {"sub"}.Contains(z.Type));

                var newClaimsIdentity = new ClaimsIdentity(
                    targetClaims,
                    identity.AuthenticationType,
                    "given_name",
                    "role");

                tokenValidatedContext.Principal =
                    new ClaimsPrincipal(newClaimsIdentity);

                return Task.CompletedTask;
            },
            OnUserInformationReceived = userInformationReceivedContext =>
            {
                return Task.FromResult(0);
            }
        };
    });

我的 IdentityServer 级别的客户端定义如下。

new Client()
{
    ClientName = "My App",
    ClientId = "mymagicapp",
    AllowedGrantTypes = GrantTypes.Hybrid,
    RedirectUris = new List<string>()
    {
        "https://..."
    },
    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        "roles"
    },
    ClientSecrets = { new Secret("secret".Sha256()) },
    PostLogoutRedirectUris =
    {
        "https://..."
    }
}

新的“角色”范围添加如下。

public static IEnumerable<IdentityResource> GetIdentityResources()
{
    return new List<IdentityResource>()
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
        new IdentityResource("roles", "Your role(s)", new List<string>(){"role"})
    };
}

用户定义如下。

new TestUser()
{
    SubjectId = "abcdef",
    Username = "Jane",
    Password = "password",
    Claims = new List<Claim>()
    {
        new Claim("given_name", "Jane"),
        new Claim("family_name", "Doe"),
        new Claim("role", "FreeUser")
    }
}

登录到我的 MVC 客户端后，在 Controller 中，User.Claims 对象不包含 role 声明。

但是，在 OnUserInformationReceived 中，userInformationReceivedContext 的 User 对象确实包含角色 声明。

我错过了什么？

Answer 1

基于

• Missing Claims in the ASP.NET Core 2 OpenID Connect Handler?

• OIDC, I cannot add extra claims from userinfo endpoint

解决方案是添加 options.ClaimActions.MapJsonKey("role", "role");里面.AddOpenIdConnect(options => ...)

来自第二个链接:

2.0 no longer adds all possible information from the user-info endpoint, it was causing major cookie bloat leading to login issues. There is now a system called ClaimActions where you can select which elements you want to map from the user info doc to claims. See OpenIdConnectOptions.ClaimActions.