问题描述
我试图建立承载身份验证使用ASP.NET 1.0核心的SPA。我差点就工作JwtToken与OpenIdConnect服务器,但有我的自定义声明不与令牌返回的问题。
我Startup.cs逻辑验证如下:
私人无效ConfigureAuthentication(IApplicationBuilder应用程序)
{
app.UseJwtBearerAuthentication(选项=>
{
options.AutomaticAuthenticate = TRUE;
options.Authority =HTTP://本地主机:53844;
options.Audience =HTTP://本地主机:53844;
options.RequireHttpsMetadata = FALSE;
}); app.UseOpenIdConnectServer(选项=>
{
options.TokenEndpointPath =/ API / V1 /令牌;
options.AllowInsecureHttp = TRUE;
options.AuthorizationEndpointPath = PathString.Empty;
options.Provider =新OpenIdConnectServerProvider
{
OnValidateClientAuthentication =背景=>
{
context.Skipped();
返回Task.FromResult<对象>(NULL);
},
OnGrantResourceOwnerCredentials =异步上下文=>
{
VAR usersService = app.ApplicationServices.GetService< IUsersService>(); 用户的用户= usersService.getUser(context.Username,context.Password); VAR身份=新ClaimsIdentity(新名单<权利要求GT;(),OpenIdConnectServerDefaults.AuthenticationScheme);
identity.AddClaim(新索赔(ClaimTypes.NameIdentifier,user.Id.ToString()));
identity.AddClaim(新索赔(ClaimTypes.Name,user.Id.ToString()));
identity.AddClaim(新索赔(myclaim,4815162342)); VAR票=新AuthenticationTicket(
新ClaimsPrincipal(身份),
新AuthenticationProperties(),
context.Options.AuthenticationScheme); ticket.SetResources(新[] {HTTP://本地主机:53844});
ticket.SetAudiences(新[] {HTTP://本地主机:53844});
ticket.SetScopes(新[] {电子邮件,offline_access});
context.Validated(票);
}
};
});
}
两者的access_token和refresh_token被成功地生成和Authorization头体系将路过的access_token时提出要求授权。
唯一的问题是,除了所有的NameIdentifier索赔不通过。
我用下面的code接收我的索赔身份验证的请求:
公共类WebUserContext:IUserContext
{
私人只读IHttpContextAccessor contextAccessor; 公共WebUserContext(IHttpContextAccessor contextAccessor)
{
this.contextAccessor = contextAccessor;
} 众长用户ID
{
得到
{
ClaimsIdentity身份=本金.Identity为ClaimsIdentity?; 如果(身份== NULL)
{
返回-1;
} 要求权= identity.Claims.FirstOrDefault(C => c.Type == ClaimTypes.Name); //有要求收集这种索赔
返回long.Parse(claim.Value);
}
} 私人ClaimsPrincipal校长=> contextAccessor.HttpContext.User为ClaimsPrincipal;
}
什么可以做我的权利要求不通过或从令牌提取的原因是什么?
Security.
Unlike OAuthAuthorizationServerMiddleware
, ASOS doesn't assume access tokens are always consumed by your own resource servers (though I agree it's a common scenario) and refuses to serialize claims that don't explicitly specify a "destination" to avoid leaking confidential data to unauthorized parties.
With JWT being the default format in ASOS beta4 (but not in the next beta), you must also keep in mind that even client applications (or users) can read your access tokens.
For this reason, you must explicitly attach a "destination" to your claims:
identity.AddClaim(ClaimTypes.Name, "Pinpoint", destination: "id_token token");
Specify id_token
to serialize the claim in the identity token, token
to serialize it in the access token or both to serialize it in both tokens (there's no equivalent for authorization codes or refresh tokens as they are always encrypted and only readable by the authorization server itself)
这篇关于ASP.NET 1.0的核心。承载令牌,无法访问自定义声明的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!