Identity Server + Azure Active Directory + Blazor角色声明问题

如何解决Identity Server + Azure Active Directory + Blazor角色声明问题

我设法将Identity Server与blazor配合使用，并为本地数据库用户设置和使用了不同的用户声明，例如 role （阻止页面访问等）。然后，我成功添加了AAD连接，但是并非所有声明都被传递到id_token中的blazor应用程序。 我认为这与Blazor无关，但更多的是IS4和AAD配置问题。

这是我的IS4 startup.cs设置：

  //AAD
        services.AddAuthentication()
            .AddOpenIdConnect("aad","Sign-in with Azure AD",options =>
            {
                options.Authority = "https://login.microsoftonline.com/common";
                options.ClientId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx";

                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                options.SignOutScheme = IdentityServerConstants.SignoutScheme;
                options.ResponseType = "id_token";



                options.CallbackPath = "/signin-aad";
                options.SignedOutCallbackPath = "/signout-callback-aad";
                options.RemoteSignOutPath = "/signout-aad";

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = false,NameClaimType = "name",RoleClaimType = "role"
                };
            });

        // preserve OIDC state in cache (solves problems with AAD and URL lenghts)
        services.AddOidcStateDataFormatterCache("aad");
        //

我在config.cs中的客户端配置：

  new Client
                {
                    ClientId = "blazor",AllowedGrantTypes = GrantTypes.Code,RequirePkce = true,RequireClientSecret = false,AllowedCorsOrigins = { "https://localhost:5001" },AllowedScopes = { "openid","profile","email","backend" },AlwaysIncludeUserClaimsInIdToken=true,RedirectUris = { "https://localhost:5001/authentication/login-callback" },PostLogoutRedirectUris = { "https://localhost:5001/" },Enabled = true
                },

身份控制台日志：

[10:56:36 Debug] IdentityServer4.ResponseHandling.UserInfoResponseGenerator
Scopes in access token: openid profile backend email

[10:56:36 Debug] IdentityServer4.ResponseHandling.UserInfoResponseGenerator
Requested claim types: sub name family_name given_name middle_name nickname preferred_username profile picture website gender birthdate zoneinfo locale updated_at role email email_verified

[10:56:36 Information] IdentityServer4.ResponseHandling.UserInfoResponseGenerator
Profile service returned the following claim types: sub name preferred_username

id_token声明：

s_hash: 34563456345634563563
sid: wretqert3545643563456
sub: GUID
auth_time: 2342424324
idp: aad
name: bob Henri
preferred_username: GUID
amr: external

我希望所有要求的声明都显示在这里。

预先感谢

版权声明：本文内容由互联网用户自发贡献，该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容， 请发送邮件至 dio@foxmail.com 举报，一经查实，本站将立刻删除。