Oauth IdentityServer4:如何在客户端未明确请求的情况下将电子邮件包含在access_令牌中?
当用户通过Google登录IdentityServer4时,我想访问电子邮件(可能还有他们的Google id),但不需要客户端请求。所以每次都应该可以访问它,所以我可以把它放在access_令牌中(因为我们的API需要用户的电子邮件地址) 我一直在注入Oauth IdentityServer4:如何在客户端未明确请求的情况下将电子邮件包含在access_令牌中?,oauth,oauth-2.0,google-oauth,openid,identityserver4,Oauth,Oauth 2.0,Google Oauth,Openid,Identityserver4,当用户通过Google登录IdentityServer4时,我想访问电子邮件(可能还有他们的Google id),但不需要客户端请求。所以每次都应该可以访问它,所以我可以把它放在access_令牌中(因为我们的API需要用户的电子邮件地址) 我一直在注入IProfileService,还有iclaimservice,但我在那里找不到电子邮件。是否可以挂接到Google SignIn回调,以便我可以手动访问响应 谢谢 我通过在AccountController.ExternalLoginCallb
IProfileServiceiclaimservice谢谢 我通过在
AccountController.ExternalLoginCallback//Add E-Mail claim even if client didn't ask for it
if (claims.Exists(c => c.Type.Equals(ClaimTypes.Email))) {
additionalClaims.Add(new Claim(JwtClaimTypes.Email, claims.FirstOrDefault(x => x.Type.Equals(ClaimTypes.Email)).Value));
}
public Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var claims = new List<Claim>();
Claim emailClaim = context.Subject.Claims.Where<Claim>(claim => claim.Type.Equals(JwtClaimTypes.Email)).FirstOrDefault();
if (emailClaim != null)
{
claims.Add(emailClaim);
}
context.IssuedClaims = claims;
return Task.FromResult(0);
}
ProfileServiceMyProfileService.GetProfileDataAsyncaccess\u令牌中,如下所示:
//Add E-Mail claim even if client didn't ask for it
if (claims.Exists(c => c.Type.Equals(ClaimTypes.Email))) {
additionalClaims.Add(new Claim(JwtClaimTypes.Email, claims.FirstOrDefault(x => x.Type.Equals(ClaimTypes.Email)).Value));
}
public Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var claims = new List<Claim>();
Claim emailClaim = context.Subject.Claims.Where<Claim>(claim => claim.Type.Equals(JwtClaimTypes.Email)).FirstOrDefault();
if (emailClaim != null)
{
claims.Add(emailClaim);
}
context.IssuedClaims = claims;
return Task.FromResult(0);
}
公共任务GetProfileDataAsync(ProfileDataRequestContext上下文)
{
var索赔=新列表();
Claim-emailClaim=context.Subject.Claims.Where(Claim=>Claim.Type.Equals(JwtClaimTypes.Email)).FirstOrDefault();
如果(emailClaim!=null)
{
索赔。添加(电子邮件索赔);
}
context.IssuedClaims=索赔;
返回Task.FromResult(0);
}
AccountController.ExternalLoginCallback中添加所需的声明解决了这个问题,如下所示:
//Add E-Mail claim even if client didn't ask for it
if (claims.Exists(c => c.Type.Equals(ClaimTypes.Email))) {
additionalClaims.Add(new Claim(JwtClaimTypes.Email, claims.FirstOrDefault(x => x.Type.Equals(ClaimTypes.Email)).Value));
}
public Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var claims = new List<Claim>();
Claim emailClaim = context.Subject.Claims.Where<Claim>(claim => claim.Type.Equals(JwtClaimTypes.Email)).FirstOrDefault();
if (emailClaim != null)
{
claims.Add(emailClaim);
}
context.IssuedClaims = claims;
return Task.FromResult(0);
}
然后,我通过依赖注入myProfileService
类并在MyProfileService.GetProfileDataAsync
中添加声明,将声明添加到access\u令牌中,如下所示:
//Add E-Mail claim even if client didn't ask for it
if (claims.Exists(c => c.Type.Equals(ClaimTypes.Email))) {
additionalClaims.Add(new Claim(JwtClaimTypes.Email, claims.FirstOrDefault(x => x.Type.Equals(ClaimTypes.Email)).Value));
}
public Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var claims = new List<Claim>();
Claim emailClaim = context.Subject.Claims.Where<Claim>(claim => claim.Type.Equals(JwtClaimTypes.Email)).FirstOrDefault();
if (emailClaim != null)
{
claims.Add(emailClaim);
}
context.IssuedClaims = claims;
return Task.FromResult(0);
}
公共任务GetProfileDataAsync(ProfileDataRequestContext上下文)
{
var索赔=新列表();
Claim-emailClaim=context.Subject.Claims.Where(Claim=>Claim.Type.Equals(JwtClaimTypes.Email)).FirstOrDefault();
如果(emailClaim!=null)
{
索赔。添加(电子邮件索赔);
}
context.IssuedClaims=索赔;
返回Task.FromResult(0);
}
从google登录返回的Id令牌已经包含该电子邮件,您没有特别要求它。。。从google登录返回的Id令牌已经包含电子邮件,而您没有明确要求它。。。