角色不被使用AddJWTBearer填充IdentityServer4和dotnetcore 2.0
问题描述:
我使用这些组件与下面配置:角色不被使用AddJWTBearer填充IdentityServer4和dotnetcore 2.0
- IdentityServer4" 版本= “2.0.0-RC1
- IdentityServer4.AspNetIdentity” 版本=” 2.0.0-RC1
我在connect/token
令牌请求给我一个正确的承载令牌,当我打电话使用[Authorize(JwtBearerDefaults.AuthenticationScheme)]
与令牌的方法,授权似乎正常工作。
但是,角色是空的还是空的?
如何获取令牌请求以包含必要的ASPNET角色?
随着下列配置
services.AddAuthentication()
.AddOpenIdConnect(
o =>
{
o.Authority = "https://localhost:44319";
o.ClientId = "api";
o.ClientSecret = "secret";
o.RequireHttpsMetadata = false;
o.GetClaimsFromUserInfoEndpoint = true;
o.TokenValidationParameters = new TokenValidationParameters
{
RoleClaimType = ClaimTypes.Role
};
})
.AddJwtBearer(o =>
{
o.Authority = "https://localhost:44319";
o.Audience = "api";
o.RequireHttpsMetadata = false;
o.TokenValidationParameters = new TokenValidationParameters
{
RoleClaimType = ClaimTypes.Role
};
o.SaveToken = true;
});
services.AddMemoryCache();
services.AddIdentity<ApplicationUser, ApplicationRole>(
x =>
{
x.Password.RequireNonAlphanumeric = false;
x.Password.RequireUppercase = false;
})
.AddEntityFrameworkStores<FormWorkxContext>()
.AddDefaultTokenProviders()
.AddIdentityServer();
services.ConfigureApplicationCookie(options =>
{
options.LoginPath = "/login";
options.LogoutPath = "/logout";
options.Events.OnRedirectToLogin = this.ProcessStatusCodeResponse;
});
services.AddIdentityServer()
// .AddSigningCredential("CN=rizacert")
.AddDeveloperSigningCredential()
.AddInMemoryIdentityResources(Config.GetIdentityResources())
.AddInMemoryApiResources(Config.GetApis())
.AddInMemoryClients(Config.GetClients())
.AddAspNetIdentity<ApplicationUser>();
和config.cs
private const string Api = "api";
private const string ClientSecret = "secret";
public static IEnumerable<ApiResource> GetApis()
{
return new List<ApiResource>
{
new ApiResource(Api, "formworkx api")
};
}
public static IEnumerable<Client> GetClients()
{
return new List<Client>
{
new Client
{
ClientId = "api",
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
RequireConsent = false,
ClientSecrets = { new Secret(ClientSecret.Sha256()) },
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.OfflineAccess,
"api"
}
}
};
}
public static IEnumerable<IdentityResource> GetIdentityResources()
{
return new List<IdentityResource>
{
new IdentityResources.OpenId(),
new IdentityResources.Profile(),
};
}
答
根据权利要求类型需要在ApiResource要被请求。
public static IEnumerable<ApiResource> GetApis()
{
return new List<ApiResource>
{
new ApiResource(
Api,
"formworkx api",
new[]
{
// exhaustive list of claims in a new
// dotnetcore 2.0 MVC application.
"nbf",
"exp",
"iss",
"aud",
"aud",
"client_id",
"sub",
"auth_time",
"idp",
"AspNet.Identity.SecurityStamp",
ClaimTypes.Role, // REQUESTED HERE
"preferred_username",
"name",
"email",
"email_verified",
"scope",
"amr"
})
};
}
此外,角色类型需要是正确的。
services.AddIdentity<ApplicationUser, ApplicationRole>(
x =>
{
x.Password.RequireNonAlphanumeric = false;
x.Password.RequireUppercase = false;
})
.AddEntityFrameworkStores<FormWorkxContext>()
.AddDefaultTokenProviders()
.AddIdentityServer();
// NB (hours of debugging..., AddIdentityServer uses "role")
services.Configure<IdentityOptions>(options =>
options.ClaimsIdentity.RoleClaimType = ClaimTypes.Role);