0
我有一個IdentityServer4服務器設置和定義了一個單一的客戶端這樣:IdentityServer4附加client_權利要求
public static IEnumerable<Client> Get()
{
return new List<Client> {
new Client {
ClientId = "oauthClient",
ClientName = "Example Client Credentials Client Application",
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets = new List<Secret> {
new Secret("superSecretPassword".Sha256())},
AllowedScopes = {
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"role",
"ControlCenter",
"CC.Send",
},
Claims = new List<System.Security.Claims.Claim>
{
new System.Security.Claims.Claim("CEO","true"),
new System.Security.Claims.Claim(ClaimTypes.Role, "CC.Send"),
new System.Security.Claims.Claim(ClaimTypes.Role, "CEO")
},
RedirectUris = new List<string> {"https://localhost:44345/signin-oidc", "https://www.getpostman.com/oauth2/callback"},
PostLogoutRedirectUris = new List<string> {"https://localhost:44345"}
}
};
}
我使用郵遞員來測試這一點,我可以在/連接/令牌端點的令牌,但是當我通過該令牌進入/連接/反思端點它返回:
{
"nbf": 1505422619,
"exp": 1505426219,
"iss": "https://localhost:44357",
"aud": [
"https://localhost:44357/resources",
"ControlCenter"
],
"client_id": "oauthClient",
"client_CEO": "true",
"client_http://schemas.microsoft.com/ws/2008/06/identity/claims/role": [
"CC.Send",
"CEO"
],
"scope": "CC.Send",
"active": true
}
這是造成我的麻煩,我已獲得我的端點:
services.AddAuthorization(options =>
{
options.AddPolicy(
"CanSendiSuiteProfiles",
policyBuilder => policyBuilder.RequireClaim("CEO", "true"));
});
由於首席執行官<> client_CEO,它返回了一個錯誤403.我可以簡單地通過查找client_CEO來解決這個問題,但我更願意瞭解client_是如何被附加到我的聲明中的。