我有一个客户端可以访问 2 个不同资源的 2 个范围。每个范围都有自己的声明。但是,我注意到来自两个范围的所有声明都被返回到每个资源。如何确保仅将与正确范围相关的声明返回到资源?
以下是我的启动资源中的内容:
//I use IdentityServer3.AccessTokenRequest since my resource is a .net app
public void Configuration(IAppBuilder app)
{
app.UseIdentityServerBearerTokenAuthentication(new identityServerBearerTokenAuthenticationOptions
{
Authority = URLToIdentityServer,
RequiredScopes = new[] { "SomeAPI.read" } //Notice this is scope we want claims for.
});
//Some other stuff
}
这是我在身份服务器中的内容:
public static IEnumerable<Client> GetClients()
{
return new List<Client>
{
new Client
{
ClientId = "ClientId",
ClientName = "Client Name",
ClientSecrets = new List<Secret> {new Secret("SuperSecret".Sha256())},
AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowedScopes = new List<string> {"SomeAPI.read", "OtherAPI.write"}, //Notice client has access to 2 scopes from 2 resources.
Claims = claims
}
};
}
private static ICollection<Claim> claims = new List<Claim>
{
new Claim("Claim1", "Value1"), //Belongs to scope "SomeAPI.read"
new Claim("Claim2", "Value2"), //Belongs to scope "SomeAPI.read"
new Claim("Claim3", "Value3"), //Belongs to scope "OtherAPI.write"
new Claim("Claim4", "Value4"), //Belongs to scope "OtherAPI.write"
};
以防万一您想知道资源和范围是如何声明的:
public static IEnumerable<ApiResource> GetApiResources()
{
return new List<ApiResource>
{
new ApiResource
{
Name = "SomeAPI",
DisplayName = "Some API",
Description = "This is the resource which we expect 2 claims for, but get 4",
ApiSecrets = new List<Secret> {new Secret("ScopeSecret".Sha256())},
Scopes = new List<Scope>
{
new Scope("SomeAPI.read", readClaimTypes),
},
Enabled = true,
},
new ApiResource
{
Name = "OtherAPI",
DisplayName = "Other API",
Description = "Another API that also has a scope with 2 claims and we don't want to get these claims back in the resource they don't belong to",
ApiSecrets = new List<Secret> {new Secret("SomeOtherSecret".Sha256())},
Scopes = new List<Scope>
{
new Scope("OtherAPI.write", writeClaimTypes)
},
Enabled = true,
}
};
}
private static IEnumerable<string> readClaimTypes = new List<string> {"claim1", "claim2"};
private static IEnumerable<string> writeClaimTypes = new List<string> {"claim3", "claim4"};
}
通过此配置,我希望我的资源仅获得前 2 项声明。但它得到了全部 4。任何帮助将不胜感激。
最佳答案
这种行为似乎是设计使然。如果你看一下documentation :
Claims: Allows settings claims for the client (will be included in the access token).
我尝试改变配置,但这并没有解决问题。我还使用 ProfileService 尝试了以下操作。 但这不是办法!
public class ProfileService : IProfileService
{
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
// DO NOT USE!!!
if (context.Caller == "ClaimsProviderAccessToken")
{
var claims = context.Client.Claims
.Where(c => context.RequestedClaimTypes.Contains(c.Type)).ToList();
// Replace the list. This overwrites the in memory collection!
// This will eventually result in an empty list for all tokens.
// The collection may not be altered!
context.Client.Claims = claims;
}
}
}
改变行为的唯一方法是 dive into the code并在那里添加一个过滤器,而不更改集合。
关于IdentityServer4:如何仅返回当前范围的声明,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/49180502/