IdentityServer4:如何仅返回当前范围的声明

Question

我有一个客户端可以访问 2 个不同资源的 2 个范围。每个范围都有自己的声明。但是，我注意到来自两个范围的所有声明都被返回到每个资源。如何确保仅将与正确范围相关的声明返回到资源？

以下是我的启动资源中的内容:

//I use IdentityServer3.AccessTokenRequest since my resource is a .net app

public void Configuration(IAppBuilder app)
{
    app.UseIdentityServerBearerTokenAuthentication(new identityServerBearerTokenAuthenticationOptions
    {
        Authority = URLToIdentityServer,
        RequiredScopes = new[] { "SomeAPI.read" } //Notice this is scope we want claims for.
    });  

    //Some other stuff
}

这是我在身份服务器中的内容:

public static IEnumerable<Client> GetClients()
{
        return new List<Client>
        {
            new Client
            {
                ClientId = "ClientId",
                ClientName = "Client Name",
                ClientSecrets = new List<Secret> {new Secret("SuperSecret".Sha256())}, 
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                AllowedScopes = new List<string> {"SomeAPI.read", "OtherAPI.write"},  //Notice client has access to 2 scopes from 2 resources.
                Claims = claims
            }
        };
}

private static ICollection<Claim> claims = new List<Claim>
{
        new Claim("Claim1", "Value1"), //Belongs to scope "SomeAPI.read"
        new Claim("Claim2", "Value2"), //Belongs to scope "SomeAPI.read"
        new Claim("Claim3", "Value3"), //Belongs to scope "OtherAPI.write"
        new Claim("Claim4", "Value4"), //Belongs to scope "OtherAPI.write"
};

以防万一您想知道资源和范围是如何声明的:

public static IEnumerable<ApiResource> GetApiResources()
{
        return new List<ApiResource>
        {
            new ApiResource
            {
                Name = "SomeAPI",
                DisplayName = "Some API",
                Description = "This is the resource which we expect 2 claims for, but get 4",
                ApiSecrets = new List<Secret> {new Secret("ScopeSecret".Sha256())},
                Scopes = new List<Scope>
                {
                    new Scope("SomeAPI.read", readClaimTypes),
                },
                Enabled = true,
            },

            new ApiResource
            {
                Name = "OtherAPI",
                DisplayName = "Other API",
                Description = "Another API that also has a scope with 2 claims and we don't want to get these claims back in the resource they don't belong to",
                ApiSecrets = new List<Secret> {new Secret("SomeOtherSecret".Sha256())},
                Scopes = new List<Scope>
                {
                        new Scope("OtherAPI.write", writeClaimTypes)
                },
                Enabled = true,
            }
        };
}

private static IEnumerable<string> readClaimTypes = new List<string> {"claim1", "claim2"};
private static IEnumerable<string> writeClaimTypes = new List<string> {"claim3", "claim4"}; 
}

通过此配置，我希望我的资源仅获得前 2 项声明。但它得到了全部 4。任何帮助将不胜感激。

Answer 1

这种行为似乎是设计使然。如果你看一下documentation :

Claims: Allows settings claims for the client (will be included in the access token).

我尝试改变配置，但这并没有解决问题。我还使用 ProfileService 尝试了以下操作。 但这不是办法!

public class ProfileService : IProfileService
{
    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // DO NOT USE!!!
        if (context.Caller == "ClaimsProviderAccessToken")
        {
            var claims = context.Client.Claims
                         .Where(c => context.RequestedClaimTypes.Contains(c.Type)).ToList();

            // Replace the list. This overwrites the in memory collection!
            // This will eventually result in an empty list for all tokens.
            // The collection may not be altered!
            context.Client.Claims = claims;
        }
    }
}

改变行为的唯一方法是 dive into the code并在那里添加一个过滤器，而不更改集合。