.net core IdentityServer 4将客户端添加到索赔
我有一个IdentityServer4服务器设置,并定义了一个这样的客户端:.net core IdentityServer 4将客户端添加到索赔,.net-core,identityserver4,.net Core,Identityserver4,我有一个IdentityServer4服务器设置,并定义了一个这样的客户端: public static IEnumerable<Client> Get() { return new List<Client> { new Client { ClientId = "oauthClient", ClientName = "Example Client Cre
public static IEnumerable<Client> Get()
{
return new List<Client> {
new Client {
ClientId = "oauthClient",
ClientName = "Example Client Credentials Client Application",
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets = new List<Secret> {
new Secret("superSecretPassword".Sha256())},
AllowedScopes = {
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"role",
"ControlCenter",
"CC.Send",
},
Claims = new List<System.Security.Claims.Claim>
{
new System.Security.Claims.Claim("CEO","true"),
new System.Security.Claims.Claim(ClaimTypes.Role, "CC.Send"),
new System.Security.Claims.Claim(ClaimTypes.Role, "CEO")
},
RedirectUris = new List<string> {"https://localhost:44345/signin-oidc", "https://www.getpostman.com/oauth2/callback"},
PostLogoutRedirectUris = new List<string> {"https://localhost:44345"}
}
};
}
这给我带来了麻烦,因为我用以下方法保护了我的端点:
services.AddAuthorization(options =>
{
options.AddPolicy(
"CanSendiSuiteProfiles",
policyBuilder => policyBuilder.RequireClaim("CEO", "true"));
});
由于CEO客户的原因,它返回了一个错误403。我可以通过寻找客户首席执行官来解决这一问题,但我更愿意了解客户是如何在我的声明前加上前缀的。这些前缀由IdentityServer4自动加上前缀,但您可以使用
PrefixClientClaims=false
(客户机上的布尔属性)来关闭前缀
以下是IdentityServer4中DefaultClaimService的源代码:
更新:
从IdentityServer4 v.2及更高版本中,属性bool PrefixClientClaims
被属性字符串ClientClaimsPrefix
替换,该属性允许您配置所选前缀
if (request.Client.ClientClaimsPrefix.IsPresent())
{
claimType = request.Client.ClientClaimsPrefix + claimType;
}
if (request.Client.PrefixClientClaims)
{
claimType = "client_" + claimType;
}
if (request.Client.ClientClaimsPrefix.IsPresent())
{
claimType = request.Client.ClientClaimsPrefix + claimType;
}