简短:我的客户端从 IdentityServer 示例服务器检索访问令牌,然后将其传递给我的 WebApi。在我的控制器中, this.HttpContext.User.GetUserId() 返回 null (尽管用户有其他声明)。我怀疑访问令牌中没有名称身份声明。如何让 IdentityServer 包含它?
到目前为止我已经尝试过:
- 从混合流切换到隐式流(随机尝试)
在 IdSvrHost 范围定义中我添加了
Claims = { new ScopeClaim(ClaimTypes.NameIdentifier, alwaysInclude: true) }
在 IdSvrHost 客户端定义中我添加了
声明 = { 新声明(ClaimTypes.NameIdentifier,“42”)}
(也是随机尝试)
我还尝试了范围定义中的其他范围,但都没有出现。看起来,nameidentity 通常包含在身份令牌中,但是对于我知道的大多数公共 API,您不会向服务器提供身份令牌。
更多详细信息:IdSrvHost 和 Api 位于不同的主机上。控制器具有[授权]。事实上,我可以看到其他的说法。Api 配置为
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
app.UseIdentityServerAuthentication(options => {
options.Authority = "http://localhost:22530/";
// TODO: how to use multiple optional scopes?
options.ScopeName = "borrow.slave";
options.AdditionalScopes = new[] { "borrow.receiver", "borrow.manager" };
options.AutomaticAuthenticate = true;
options.AutomaticChallenge = true;
});
范围:
public static Scope Slave { get; } = new Scope {
Name = "borrow.slave",
DisplayName = "List assigned tasks",
Type = ScopeType.Resource,
Claims = {
new ScopeClaim(ClaimTypes.NameIdentifier, alwaysInclude: true),
},
};
和客户:
new Client {
ClientId = "borrow_node",
ClientName = "Borrow Node",
Flow = Flows.Implicit,
RedirectUris = new List<string>
{
"borrow_node:redirect-target",
},
Claims = { new Claim(ClaimTypes.NameIdentifier, "42") },
AllowedScopes = {
StandardScopes.OpenId.Name,
//StandardScopes.OfflineAccess.Name,
BorrowScopes.Slave.Name,
},
}
授权 URI:
request.CreateAuthorizeUrl(
clientId: "borrow_node",
responseType: "token",
scope: "borrow.slave",
redirectUri: "borrow_node:redirect-target",
state: state,
nonce: nonce);
我也试过
request.CreateAuthorizeUrl(
clientId: "borrow_node",
responseType: "id_token token",
scope: "openid borrow.slave",
redirectUri: "borrow_node:redirect-target",
state: state,
nonce: nonce);