Asp.net core 2.0 使用Identity Server 4获取Windows/Active Directory组作为角色声明
根据GitHub上的UI示例项目说明,我已经获得了一个基本的Identity Server设置。我已经将其设置为在我们的网站广告中使用Windows身份验证。这非常有效 我的问题是将用户广告组添加到声明中。根据示例项目,我启用了Asp.net core 2.0 使用Identity Server 4获取Windows/Active Directory组作为角色声明,asp.net-core-2.0,identityserver4,Asp.net Core 2.0,Identityserver4,根据GitHub上的UI示例项目说明,我已经获得了一个基本的Identity Server设置。我已经将其设置为在我们的网站广告中使用Windows身份验证。这非常有效 我的问题是将用户广告组添加到声明中。根据示例项目,我启用了includeindowsgroups选项。这似乎是在增加索赔。然而,在我的MVC客户机上,当我打印声明时,我只得到相同的4。它们是sid、sub、idp和name。我曾尝试添加其他声明,但我无法让任何其他声明出现 我的客户端设置如下: return new List&l
includeindowsgroupssidsubidpnamereturn new List<Client>
{
// other clients omitted...
// OpenID Connect implicit flow client (MVC)
new Client
{
ClientId = "mvc",
ClientName = "MVC Client",
AllowedGrantTypes = GrantTypes.Implicit,
// where to redirect to after login
RedirectUris = { "http://localhost:5002/signin-oidc" },
// where to redirect to after logout
PostLogoutRedirectUris = { "http://localhost:5002/signout-callback-oidc" },
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile
},
RequireConsent = false
}
};
返回新列表
{
//其他客户省略了。。。
//OpenID连接隐式流客户端(MVC)
新客户
{
ClientId=“mvc”,
ClientName=“MVC客户端”,
AllowedGrantTypes=GrantTypes.Implicit,
//登录后重定向到哪里
重定向URI={”http://localhost:5002/signin-oidc“},
//注销后重定向到何处
PostLogoutRedirectUris={”http://localhost:5002/signout-回调oidc“},
AllowedScopes=新列表
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile
},
请求发送=错误
}
};
希望我只是错过了一些简单的东西,但我现在正在努力寻找想法,因此任何指点都将非常感谢。除了在IdentityServer4项目中设置
includeIndowsGroups=true// this allows us to collect any additonal claims or properties
// for the specific prtotocols used and store them in the local auth cookie.
// this is typically used to store data needed for signout from those protocols.
var additionalLocalClaims = new List<Claim>();
var roleClaims = claims.Where(c => c.Type == JwtClaimTypes.Role).ToList();
if (roleClaims.Count > 0)
{
additionalLocalClaims.AddRange(roleClaims);
}
services
.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddInMemoryIdentityResources(StaticConfig.GetIdentityResources())
.AddInMemoryApiResources(StaticConfig.GetApiResources())
.AddInMemoryClients(StaticConfig.GetClients())
.AddTestUsers(StaticConfig.GetUsers())
.AddProfileService<ProfileService>();
你熟悉这篇文章吗:你有定制的ProfileService吗?如果是这样,我建议附加到
GetProfileDataAsyncProfileDataRequestContext services
.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddInMemoryIdentityResources(StaticConfig.GetIdentityResources())
.AddInMemoryApiResources(StaticConfig.GetApiResources())
.AddInMemoryClients(StaticConfig.GetClients())
.AddTestUsers(StaticConfig.GetUsers())
.AddProfileService<ProfileService>();
public static class StaticConfig
{
public static IEnumerable<Client> GetClients()
{
return new List<Client>
{
new Client
{
...
AlwaysIncludeUserClaimsInIdToken = true,
...
}
}
}
}
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
services.AddAuthentication(options =>
{
options.DefaultScheme = "Cookies";
options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies")
.AddOpenIdConnect("oidc", options =>
{
options.SignInScheme = "Cookies";
options.Authority = "http://localhost:5000";
options.RequireHttpsMetadata = false;
options.ClientId = "mvc";
options.ClientSecret = "secret";
options.SaveTokens = true;
options.ResponseType = "code id_token";
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
RoleClaimType = "role"
};
//map any other app-specific claims we're getting from IdentityServer
options.ClaimActions.MapUniqueJsonKey("someotherclaimname", "someotherclaimname");
};