1

我无法让 IdentityServer 返回资源范围的任何声明。我将资源范围定义为:

    private static Scope Roles
    {
        get
        {
            return new Scope
            {
                Name = "roles",
                DisplayName = "Roles",
                Type = ScopeType.Identity,
                Claims = new List<ScopeClaim>
                {
                    new ScopeClaim(SecurityContants.ClaimTypes.Role)
                }
            };
        }
    }

    private static Scope Api
    {
        get
        {
            return new Scope
            {
                Name = "api",
                DisplayName = "Api",
                IncludeAllClaimsForUser = true,
            //i've also tried adding the claim directly
                Type = ScopeType.Resource,
                Emphasize = false
            };
        }
    }

然后将它们添加到集合中并交还。在我的 API Startup.cs 中,我将 owin 配置为:

public void Configuration (IAppBuilder app)
    {

        JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

        app.UseIdentityServerBearerTokenAuthentication(
                new IdentityServerBearerTokenAuthenticationOptions
                {                        
                    Authority = "http://localhost/security.tokenserver.site",
                    RequiredScopes = new[] { "api", "roles" },
                    RoleClaimType = "roles"
                });
        var config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();
        app.UseWebApi(config);
    }
}

我的 API 端点很简单:

    public IEnumerable<string> Get()
    {
        var user = User as ClaimsPrincipal;
        var claims = new List<string>();

        foreach (var item in user.Claims)
        {
            claims.Add(item.Value);
        }
        return claims;
    }

在身份验证后从我的 UI 调用时,其输出是:

[ "customer_svc", "api", "https://idsrv3/embedded", "https://idsrv3/embedded/resources", "1448048492", "1448044892" ]

所以在 UI 上的初始登录是有效的(我看到角色在那里声明),检索令牌有效,并将令牌交给 API 有效。但是在将令牌交回 API 后,我看不到用户的角色。

我错过了什么?

4

0 回答 0