C# Identity Server + Azure Active Directory + Blazor: problem with role claims
Tags: c#, azure-active-directory, identityserver4, blazor

I managed to get Identity Server working with Blazor, and to set and use different user claims such as roles for users from the local database (blocking page access and so on). I then successfully added the AAD connection, but not all of the claims are transferred to the Blazor app in the id_token. I don't think this is a Blazor problem; it is more likely an IS4 and AAD configuration issue.

Here are my IS4 startup.cs settings:
    // AAD: register Azure AD as an external OpenID Connect provider for IS4
    services.AddAuthentication()
        .AddOpenIdConnect("aad", "Sign-in with Azure AD", options =>
        {
            options.Authority = "https://login.microsoftonline.com/common";
            options.ClientId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
            // hand the external identity to IS4's external cookie, not the main session
            options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
            options.SignOutScheme = IdentityServerConstants.SignoutScheme;
            options.ResponseType = "id_token";
            options.CallbackPath = "/signin-aad";
            options.SignedOutCallbackPath = "/signout-callback-aad";
            options.RemoteSignOutPath = "/signout-aad";
            options.TokenValidationParameters = new TokenValidationParameters
            {
                // multi-tenant "common" endpoint: issuer varies per tenant
                ValidateIssuer = false,
                NameClaimType = "name",
                RoleClaimType = "role"
            };
        });
    // preserve OIDC state in cache (solves problems with AAD and URL lengths)
    services.AddOidcStateDataFormatterCache("aad");
My client configuration in config.cs:
    new Client
    {
        ClientId = "blazor",
        // authorization code flow with PKCE, public client (no secret)
        AllowedGrantTypes = GrantTypes.Code,
        RequirePkce = true,
        RequireClientSecret = false,
        AllowedCorsOrigins = { "https://localhost:5001" },
        AllowedScopes = { "openid", "profile", "email", "backend" },
        // put the user claims directly into the id_token instead of only at /userinfo
        AlwaysIncludeUserClaimsInIdToken = true,
        RedirectUris = { "https://localhost:5001/authentication/login-callback" },
        PostLogoutRedirectUris = { "https://localhost:5001/" },
        Enabled = true
    },
IdentityServer console log:
[10:56:36 Debug] IdentityServer4.ResponseHandling.UserInfoResponseGenerator
Scopes in access token: openid profile backend email
[10:56:36 Debug] IdentityServer4.ResponseHandling.UserInfoResponseGenerator
Requested claim types: sub name family_name given_name middle_name nickname preferred_username profile picture website gender birthdate zoneinfo locale updated_at role email email_verified
[10:56:36 Information] IdentityServer4.ResponseHandling.UserInfoResponseGenerator
Profile service returned the following claim types: sub name preferred_username
id_token claims:
s_hash: 34563456345634563563
sid: wretqert3545643563456
sub: GUID
auth_time: 2342424324
idp: aad
name: bob Henri
preferred_username: GUID
amr: external
I would expect all of the requested claims to appear here.

Thanks in advance.
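As an added illustration (not code from the question or from IdentityServer4 itself): the claims IS4 writes into the id_token and the userinfo response come from the registered IProfileService, not directly from the external provider, so whatever AAD returned (such as role) only shows up if the profile service emits it. The sketch below assumes the AAD claims were copied onto the local IS4 principal at external sign-in (as the IS4 quickstart's ExternalController does) and forwards only an allow-listed subset of what the client requested; the class name and the allow-list are hypothetical.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Services;

// Hypothetical profile service (assumption: external claims were placed on
// the local principal at sign-in). It emits only claim types that
//   (a) the client actually requested through its scopes, and
//   (b) are on an explicit allow-list,
// so an external IdP cannot push arbitrary claim types into tokens issued here.
public class ExternalClaimsProfileService : IProfileService
{
    // Claim types we are willing to copy from the signed-in principal.
    private static readonly HashSet<string> Forwardable = new HashSet<string>
    {
        "sub", "name", "preferred_username", "email", "email_verified", "role"
    };

    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // context.Subject is the principal from the IS4 session cookie; with the
        // quickstart flow it carries the claims captured from AAD at sign-in.
        var candidates = context.Subject.Claims
            .Where(c => Forwardable.Contains(c.Type))
            .ToList();

        // AddRequestedClaims keeps only types listed in context.RequestedClaimTypes,
        // i.e. those mapped from identity resources the client was granted.
        // "role" therefore also needs an IdentityResource that declares it.
        context.AddRequestedClaims(candidates);
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        // Hook for disabling users; unconditionally active in this sketch.
        context.IsActive = true;
        return Task.CompletedTask;
    }
}

// Registration in Startup.ConfigureServices:
//   services.AddIdentityServer(...)
//           .AddProfileService<ExternalClaimsProfileService>();
```

A quick check that the mapping works is the "Profile service returned the following claim types" log line quoted above: once the service forwards the allow-listed claims, role and email should be listed there alongside sub, name and preferred_username.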