IdentityServer3 is not working with reference tokens

In IdentityServer I added a new scope like this:
new Scope
{
    Name = "myscope",
    Description = "myscope",
    Type = ScopeType.Resource,
    ShowInDiscoveryDocument = false,
    Emphasize = false,
    //AccessTokenType = 1, //Reference
    AccessTokenType = 0, //JWT
    Claims = new List<ScopeClaim>
    {
        new ScopeClaim("location"),
    }
};
I added a client:
new Client
{
    ClientName = "myclient",
    Enabled = true,
    ClientId = "myclient",
    Flow = Flows.Implicit,
    AllowedScopes = new List<string> { "myscope" },
    Claims = new List<Claim> { new Claim("location", "datacenter") }
};
I added an implementation of GetProfileData:
public override async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
    await base.GetProfileDataAsync(context);
    if (context.AllClaimsRequested)
        context.IssuedClaims = context.Subject.Claims;
    else if (context.RequestedClaimTypes != null)
        context.IssuedClaims = context.Subject.Claims
            .Where(claim => context.RequestedClaimTypes.Contains(claim.Type))
            .ToList();
}
In my Web API I use AccessTokenValidation:
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
    Authority = "http://localhost:5300",
    AllowedScopes = { "myscope" },
    RequireHttpsMetadata = false,
});

services.AddAuthorization(options =>
{
    options.AddPolicy("location", policy => policy.RequireClaim("location"));
});
My controller action is decorated with:
[Authorize(ActiveAuthenticationSchemes = "Bearer", Policy = "location")]
public async Task<IActionResult> Get()
{
    ...
}
Now, when the AccessTokenType is set to JWT, this works fine and I can call the endpoint. If I change the AccessTokenType to Reference token, it fails... If I inspect RequestedClaimTypes during the call to the profile data endpoint, it contains the claims for 'myscope' when a JWT is used, but it does not contain the 'myscope' claims when a reference token is used... Am I missing some configuration, or is this just the way it works? I expected to get the same claims in both settings.
[This Dominick Baier post](https://leastprivilege.com/2015/11/25/reference-tokens-and-introspection/) goes into detail on reference tokens and introspection, if you are interested.
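A reference token carries no claims itself, so the API can only learn them by calling the token service's introspection endpoint, and that call has to be authenticated. The following is an added illustration of the two halves of that configuration; it is not the poster's code, and it assumes IdentityServer3 on the token-service side (scope secrets via `Scope.ScopeSecrets`, token type set per client with `Client.AccessTokenType`) and the IdentityServer4.AccessTokenValidation 1.x option names `ApiName`/`ApiSecret` on the API side. The secret value is a placeholder.

```csharp
// Added illustration, not from the question.
// Token-service side (IdentityServer3): the scope doubles as the credential the
// API presents to the introspection endpoint (scope name + scope secret).
var myScope = new Scope
{
    Name = "myscope",
    Description = "myscope",
    Type = ScopeType.Resource,
    ShowInDiscoveryDocument = false,
    Emphasize = false,
    // Stored hashed; "api-scope-secret" is a placeholder value.
    ScopeSecrets = new List<Secret> { new Secret("api-scope-secret".Sha256()) },
    Claims = new List<ScopeClaim> { new ScopeClaim("location") }
};

// In IdentityServer3 the token format is a per-client setting (assumption).
var myClient = new Client
{
    ClientName = "myclient",
    Enabled = true,
    ClientId = "myclient",
    Flow = Flows.Implicit,
    AccessTokenType = AccessTokenType.Reference,   // opaque handle, claims live server-side
    AllowedScopes = new List<string> { "myscope" },
    Claims = new List<Claim> { new Claim("location", "datacenter") }
};

// API side (ASP.NET Core 1.x + IdentityServer4.AccessTokenValidation 1.x).
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
    Authority = "http://localhost:5300",
    RequireHttpsMetadata = false,   // dev only; introspection sends the secret over this channel
    AllowedScopes = { "myscope" },
    // Needed for reference tokens: without a scope credential the middleware cannot
    // introspect, so every non-JWT bearer token is rejected before any policy runs.
    ApiName = "myscope",
    ApiSecret = "api-scope-secret"   // placeholder; load from configuration in practice
});
```

With this in place the `location` claim reaches the `RequireClaim("location")` policy only if the introspection response includes it, which is where the profile-data behaviour described in the question becomes visible.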