感覺我在IdentityServer或客戶端配置中丟失了某些東西。我已經從ASP成員身份升級到Identity,然後轉而使用IdentityServer使用SSO。我可以通過Identity Server登錄,然後返回到客戶端應用程序,我可以在其中調試並查看UserKey和聲明,但我在聲明中看不到任何角色,並且user.IsInRole(roleName)始終返回false。ASP身份角色沒有出現在使用IdentityServer v3的客戶端
的IdentityServer配置:
public class Scopes
{
public static IEnumerable<Scope> Get()
{
return new Scope[]
{
StandardScopes.OpenId,
StandardScopes.Profile,
StandardScopes.Email,
StandardScopes.AllClaims,
StandardScopes.Roles,
StandardScopes.OfflineAccess,
new Scope
{
IncludeAllClaimsForUser = true,
Name = "read",
DisplayName = "Read data",
Type = ScopeType.Resource,
Emphasize = false,
},
new Scope
{
Name = "write",
DisplayName = "Write data",
Type = ScopeType.Resource,
Emphasize = false, //true
},
new Scope
{
Name = "forbidden",
DisplayName = "Forbidden scope",
Type = ScopeType.Resource,
Emphasize = false //true
}
};
}
}
public static class Clients
{
public static IEnumerable<Client> Get()
{
return new[]
{
new Client
{
Enabled = true,
ClientName = "MVC Client",
ClientId = "implicitclient",
Flow = Flows.Implicit,
AllowedScopes = new List<string> {
Constants.StandardScopes.OpenId,
Constants.StandardScopes.Profile,
Constants.StandardScopes.Email,
Constants.StandardScopes.Roles
},
RedirectUris = new List<string>
{
"https://localhost:44301/"
}
},
new Client
{
Enabled = true,
ClientName = "MyClientName",
ClientId = "myclientName",
Flow = Flows.Implicit,
AllowedScopes = new List<string> {
Constants.StandardScopes.OpenId,
Constants.StandardScopes.Profile,
Constants.StandardScopes.Email,
Constants.StandardScopes.Roles,
"read",
"write"
},
RedirectUris = new List<string>
{
"https://localhost:44302/"
}
}
};
}
}
public static IdentityServerServiceFactory Configure()
{
var factory = new IdentityServerServiceFactory();
var scopeStore = new InMemoryScopeStore(Scopes.Get());
factory.ScopeStore = new Registration<IScopeStore>(scopeStore);
var clientStore = new InMemoryClientStore(Clients.Get());
factory.ClientStore = new Registration<IClientStore>(clientStore);
factory.CorsPolicyService = new Registration<ICorsPolicyService>(new DefaultCorsPolicyService { AllowAll = true });
return factory;
}
客戶端配置(MVC應用5):
public void Configuration(IAppBuilder app)
{
JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = "Cookies"
});
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
ClientId = "myclientname",
Authority = "https://localhost:44300/core", //Constants.BaseAddress, //STS Server Address
RedirectUri = "https://localhost:44302/", //This site
ResponseType = "id_token token",
//Scope = "openid email write",
Scope = "openid email roles",
SignInAsAuthenticationType = "Cookies",
Notifications = new OpenIdConnectAuthenticationNotifications
{
SecurityTokenValidated = async n =>
{
var token = n.ProtocolMessage.AccessToken;
// persist access token in cookie
if (!string.IsNullOrEmpty(token))
{
n.AuthenticationTicket.Identity.AddClaim(
new Claim("access_token", token));
}
}
}
});
}
}
任何建議非常感謝!
使用CustomUserService? –
謝謝,是否有任何鏈接到維基/文檔,進一步解釋這一點。我見過你可以添加一個CustomUserService,但我不清楚如何解決這個問題? – LightningShield
https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/CustomUserService –