无法从Identity Server 4获得电子邮件用户声明
无法从Identity Server 4获得电子邮件用户声明
提问于 2022-09-07 21:04:32
我在我的微服务中使用Identity Server 4和Swagger来授权。因此,我在IS侧有这样的配置:
public static IEnumerable<ApiScope> ApiScopes =>
new List<ApiScope>()
{
new ApiScope("PetAPI", "Pets WebAPI"),
new ApiScope("NotificationsAPI", "Notifications WebAPI"),
new ApiScope("ScheduleAPI","Schedule WebAPI")
};
public static IEnumerable<IdentityResource> IdentityResources =>
new List<IdentityResource>()
{
new IdentityResources.OpenId(),
new IdentityResources.Email(),
new IdentityResources.Profile()
};
public static IEnumerable<ApiResource> ApiResources =>
new List<ApiResource>()
{
new ApiResource("PetAPI"),
new ApiResource("NotificationsAPI"),
new ApiResource("ScheduleAPI")
};
public static IEnumerable<Client> Clients =>
new List<Client>()
{
new Client()
{
ClientId = "pmcs-client-id",
ClientSecrets = { new Secret("client_secret".ToSha256()) },
ClientName = "M2M Client",
AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowedScopes = {
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"PetAPI",
"NotificationsAPI",
"ScheduleAPI"
}
},
new Client()
{
ClientId = "swagger-client-id",
ClientSecrets = { new Secret("client_secret".ToSha256()) },
ClientName = "Swagger Client",
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
AllowedScopes = {
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Email,
IdentityServerConstants.StandardScopes.Profile,
"PetAPI",
"NotificationsAPI",
"ScheduleAPI"
}
}
};以及微型服务端的配置:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
options.Authority = AuthConfiguration.Authority;
options.RequireHttpsMetadata = AuthConfiguration.RequireHttpsMetadata;
options.Audience = AuthConfiguration.Audience;
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = AuthConfiguration.ValidateAudience,
};
})
.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, config =>
{
config.Authority = AuthConfiguration.Authority;
config.ClientId = AuthConfiguration.SwaggerClientId;
config.ClientSecret = AuthConfiguration.ClientSecret;
config.SaveTokens = true;
config.ResponseType = "id_token";
config.TokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = AuthConfiguration.ValidateAudience
};
config.Scope.Add(AuthConfiguration.ScheduleScope);
config.Scope.Add("email");
config.Scope.Add("openid");
config.Scope.Add("profile");
config.GetClaimsFromUserInfoEndpoint = true;
config.ClaimActions.MapAll();
});我得到索赔的方法是:
var emailFromClaims = _context.HttpContext?.User?.FindFirst(ClaimTypes.Email)?.Value;我的Id令牌中似乎有这个声明,但它们没有映射到用户声明中。我真的不明白出了什么问题,如果有人能帮我找到解决办法,我会非常感激的。
链接到我遇到这个问题的请求:https://github.com/nantonov/PMCS/pull/58
回答 2
Stack Overflow用户
发布于 2022-09-08 05:19:44
默认情况下,只有少数声明映射到ClaimsPrincipal用户对象中。
您需要手动映射希望在user对象中结束的其余声明,使用:
.AddOpenIdConnect(options =>
{
...
options.ClaimActions.MapUniqueJsonKey("preferred_username", "preferred_username");
options.ClaimActions.MapUniqueJsonKey("email", "email");
});有关更多详细信息,请参阅https://learn.microsoft.com/en-us/aspnet/core/security/authentication/claims?view=aspnetcore-6.0。
Stack Overflow用户
发布于 2022-09-08 16:27:21
您正在尝试从JWT令牌访问标识资源声明,它们不会自动包括在内。
JWT令牌中只包含与API资源相关的声明。如果您还想包含电子邮件声明,则必须将其作为用户声明添加到API资源中。修改API资源定义如下:
new List<ApiResource>()
{
new ApiResource("PetAPI") {
UserClaims = { "email" }
},
new ApiResource("NotificationsAPI") {
UserClaims = { "email" }
},
new ApiResource("ScheduleAPI") {
UserClaims = { "email" }
}
};页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/73641432
复制相关文章
相似问题
腾讯云开发者
