C# Identity Server + Azure Active Directory + Blazor problem with role claims

Tags: c#, azure-active-directory, identityserver4, blazor

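I managed to use Identity Server with Blazor, and to set up and use different user claims, such as roles for local database users (blocking page access, etc.). Then I successfully added the AAD connection, but not all of the claims are transferred to the Blazor application in the id_token. I don't think this is a Blazor problem, but more of an IS4 and AAD configuration issue.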

Here is my IS4 startup.cs setup:

        // AAD
        services.AddAuthentication()
            .AddOpenIdConnect("aad", "Sign-in with Azure AD", options =>
            {
                options.Authority = "https://login.microsoftonline.com/common";
                options.ClientId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx";

                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                options.SignOutScheme = IdentityServerConstants.SignoutScheme;
                options.ResponseType = "id_token";

                options.CallbackPath = "/signin-aad";
                options.SignedOutCallbackPath = "/signout-callback-aad";
                options.RemoteSignOutPath = "/signout-aad";

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = false,
                    NameClaimType = "name",
                    RoleClaimType = "role"
                };
            });

        // preserve OIDC state in cache (solves problems with AAD and URL lengths)
        services.AddOidcStateDataFormatterCache("aad");

My client configuration in config.cs:

        new Client
        {
            ClientId = "blazor",
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            RequireClientSecret = false,
            AllowedCorsOrigins = { "https://localhost:5001" },
            AllowedScopes = { "openid", "profile", "email", "backend" },
            AlwaysIncludeUserClaimsInIdToken = true,
            RedirectUris = { "https://localhost:5001/authentication/login-callback" },
            PostLogoutRedirectUris = { "https://localhost:5001/" },
            Enabled = true
        },

Identity Server console log:

[10:56:36 Debug] IdentityServer4.ResponseHandling.UserInfoResponseGenerator
Scopes in access token: openid profile backend email

[10:56:36 Debug] IdentityServer4.ResponseHandling.UserInfoResponseGenerator
Requested claim types: sub name family_name given_name middle_name nickname preferred_username profile picture website gender birthdate zoneinfo locale updated_at role email email_verified

[10:56:36 Information] IdentityServer4.ResponseHandling.UserInfoResponseGenerator
Profile service returned the following claim types: sub name preferred_username

id_token claims:

s_hash: 34563456345634563563
sid: wretqert3545643563456
sub: GUID
auth_time: 2342424324
idp: aad
name: bob Henri
preferred_username: GUID
amr: external

I would expect all the requested claims to appear here.

Thanks in advance.