OAuth 2.0 OpenID Connect: how to add custom claim data in the client credentials flow
Tags: oauth-2.0, openid-connect, claims, clientcredential

I am setting up a client credentials flow with IdentityServer to obtain an access token from a client. I can get the access token with the code below.
Identity Server configuration:

    public void Configuration(IAppBuilder app)
    {
        app.Map("/identity", idsrvApp =>
        {
            // Created but never registered on the factory (factory.CorsPolicyService),
            // so this instance has no effect; AllowAll = true would also permit any origin.
            var corsPolicyService = new DefaultCorsPolicyService() { AllowAll = true };

            var idServerServiceFactory = new IdentityServerServiceFactory()
                .UseInMemoryClients(Clients.Get())
                .UseInMemoryScopes(Scopes.Get())
                .UseInMemoryUsers(Users.Get());

            var options = new IdentityServerOptions
            {
                Factory = idServerServiceFactory,
                SiteName = "Demo",
                IssuerUri = IdentityConstants.IssuerUri,
                PublicOrigin = IdentityConstants.STSOrigin,
                SigningCertificate = LoadCertificate()
            };

            idsrvApp.UseIdentityServer(options);
        });
    }

Identity Server - client configuration:

    public static class Clients
    {
        public static IEnumerable<Client> Get()
        {
            return new[]
            {
                new Client
                {
                    ClientId = "ClientSDK",
                    ClientName = "Client SDK (Client Credentials)",
                    Flow = Flows.ClientCredentials,
                    // Lets this client request every configured scope; AllowedScopes would restrict it.
                    AllowAccessToAllScopes = true,
                    ClientSecrets = new List<Secret>()
                    {
                        // Only the SHA-256 hash of the secret is stored on the server.
                        new Secret(IdentityConstants.ClientSecret.Sha256())
                    }
                }
            };
        }
    }

Client-side token request:

    var oAuth2Client = new TokenClient(
        IdentityConstants.STSTokenEndpoint,
        "ClientSDK",
        IdentityConstants.ClientSecret);
    var tokenResponse = oAuth2Client.RequestClientCredentialsAsync("MyScope").Result;
    return tokenResponse.AccessToken;
First, you need to create the custom attribute "userId" in the Azure Portal and apply it to the selected application. Then follow this example: if you are using the built-in user flows, you need to select "userId" for the application. If you are using custom policies, follow the procedure below.
JWT tokens only show the output claims of the Azure AD B2C custom policy. Creating and updating a custom policy is a multi-step process. Here is a link where you can read more about it.

You should implement a custom user store to validate the user and add claims from the database. Change the startup code as follows; the UserRepository class represents the database communication that validates the user's identity and fetches the claims from the database:
    // IdentityServer4 (ASP.NET Core) registration: AddCustomUserStore below extends
    // IIdentityServerBuilder, which IdentityServer3's IdentityServerServiceFactory
    // (used in the question) does not provide.
    services.AddIdentityServer()
        .AddInMemoryClients(Clients.Get())
        .AddInMemoryApiScopes(Scopes.Get())
        .AddCustomUserStore();
Add the following classes and adapt them to your requirements:
    using System.Collections.Generic;
    using System.Security.Claims;
    using System.Threading.Tasks;
    using IdentityModel;
    using IdentityServer4.Extensions;
    using IdentityServer4.Models;
    using IdentityServer4.Services;
    using IdentityServer4.Validation;
    using Microsoft.Extensions.DependencyInjection;

    public static class CustomIdentityServerBuilderExtensions
    {
        public static IIdentityServerBuilder AddCustomUserStore(this IIdentityServerBuilder builder)
        {
            builder.AddProfileService<UserProfileService>();
            builder.AddResourceOwnerValidator<UserResourceOwnerPasswordValidator>();
            return builder;
        }
    }

    // Supplies the claims that go into tokens issued for a user. IdentityServer calls it
    // only when the request has a subject (for example the password grant validated below);
    // a client credentials request has no subject and does not reach this service.
    public class UserProfileService : IProfileService
    {
        public Task GetProfileDataAsync(ProfileDataRequestContext context)
        {
            // UserRepository is this answer's placeholder for the application's database access.
            var userRepository = new UserRepository();
            var user = userRepository.GetUserById(int.Parse(context.Subject.GetSubjectId()));
            if (user != null)
            {
                var claims = new List<Claim>
                {
                    new Claim("UserId", user.UserId.ToString())
                    // Add further claims from the user record here
                };
                context.IssuedClaims.AddRange(claims);
            }
            return Task.CompletedTask;
        }

        public Task IsActiveAsync(IsActiveContext context)
        {
            // Only keep issuing tokens for subjects that still exist in the database.
            var userRepository = new UserRepository();
            var user = userRepository.GetUserById(int.Parse(context.Subject.GetSubjectId()));
            context.IsActive = user != null;
            return Task.CompletedTask;
        }
    }

    // Validates username/password for the resource owner password grant and
    // returns the user's id as the token subject.
    public class UserResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
    {
        public Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
        {
            var userRepository = new UserRepository();
            // Credential check against the database (named for what it does;
            // the original called this GetUserById).
            var userLoginStatus = userRepository.ValidateUser(context.UserName, context.Password);
            if (userLoginStatus != null)
            {
                context.Result = new GrantValidationResult(
                    userLoginStatus.UserId.ToString(),
                    OidcConstants.AuthenticationMethods.Password);
            }
            else
            {
                // invalid_grant is the OAuth error for bad resource-owner credentials;
                // invalid_client means the client itself failed to authenticate.
                context.Result = new GrantValidationResult(
                    TokenRequestErrors.InvalidGrant,
                    "Wrong Credentials");
            }
            return Task.CompletedTask;
        }
    }
@ You have configured in-memory users. Do you want to validate users from the application's database and add the claims from the database to the token?
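Added example, not code from the question or from either answer: how a custom claim reaches the access token in a pure client credentials request with IdentityServer3, the OWIN API the question uses. It assumes IdentityServer3's behaviour that, when a token request has no user subject, the claims listed in Client.Claims are copied into the access token, prefixed with "client_" unless PrefixClientClaims is set to false. Scopes.Get() and Users.Get() are taken to exist as in the question; the ClientRecord type, the DbClientStore class, the "tenant" and "department" claims and the dictionary standing in for the asker's database are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel.Client;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;

// Hypothetical row from the application's client table (stand-in for a real database).
public class ClientRecord
{
    public string ClientId { get; set; }
    public string SecretSha256 { get; set; }   // store the hash, never the raw secret
    public string Tenant { get; set; }
    public string Department { get; set; }
}

// Custom IClientStore: builds the Client, including its claims, from the record, so the
// claim values live in the database instead of being hard-coded in Clients.Get().
public class DbClientStore : IClientStore
{
    private readonly IDictionary<string, ClientRecord> _table;

    public DbClientStore(IDictionary<string, ClientRecord> table) { _table = table; }

    public Task<Client> FindClientByIdAsync(string clientId)
    {
        ClientRecord rec;
        if (!_table.TryGetValue(clientId, out rec)) return Task.FromResult<Client>(null);

        return Task.FromResult(new Client
        {
            ClientId = rec.ClientId,
            Flow = Flows.ClientCredentials,
            ClientSecrets = new List<Secret> { new Secret(rec.SecretSha256) },
            // Least privilege: list the scopes this client may request instead of AllowAccessToAllScopes.
            AllowedScopes = new List<string> { "MyScope" },
            // A client credentials request has no user subject, so these claims are what
            // IdentityServer3 puts into the access token, as "client_tenant" and
            // "client_department" (PrefixClientClaims defaults to true).
            Claims = new List<Claim>
            {
                new Claim("tenant", rec.Tenant),
                new Claim("department", rec.Department)
            },
            AlwaysSendClientClaims = true
        });
    }
}

public static class CustomClaimsDemo
{
    // Same factory as the question, with the database-backed store replacing UseInMemoryClients.
    public static IdentityServerServiceFactory ConfigureFactory(IDictionary<string, ClientRecord> table)
    {
        var factory = new IdentityServerServiceFactory()
            .UseInMemoryScopes(Scopes.Get())
            .UseInMemoryUsers(Users.Get());
        factory.ClientStore = new Registration<IClientStore>(new DbClientStore(table));
        return factory;
    }

    // Client side: request the token as in the question, then decode it (without
    // validating it; signature validation is the receiving API's job) to confirm
    // which client_* claims the STS issued.
    public static async Task<IDictionary<string, string>> RequestAndInspectAsync(
        string tokenEndpoint, string clientId, string secret)
    {
        var tokenClient = new TokenClient(tokenEndpoint, clientId, secret);
        var response = await tokenClient.RequestClientCredentialsAsync("MyScope");
        if (response.IsError) throw new InvalidOperationException(response.Error);

        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(response.AccessToken);
        return jwt.Claims
            .Where(c => c.Type.StartsWith("client_", StringComparison.Ordinal))
            .ToDictionary(c => c.Type, c => c.Value);
    }
}
```

The profile service in the answer above is the right place for claims about a user, but it is not invoked for a client credentials request because there is no subject; the client registration is where per-client claim data belongs. Constructing the table with a record for "ClientSDK" whose SecretSha256 is the hashed secret from the question, passing ConfigureFactory's result as the options Factory, and then calling RequestAndInspectAsync with the same endpoint and secret returns the client_tenant and client_department values from that record.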