How to solve the Identity Server + Azure Active Directory + Blazor role claim problem
I managed to get Identity Server working with Blazor and set up and used different user claims for local database users, such as role (to block page access, etc.). I then successfully added the AAD connection, but not all claims are passed through to the Blazor app in the id_token. I think this is not Blazor-related but rather an IS4 and AAD configuration issue.
Here is my IS4 startup.cs setup:
// AAD
services.AddAuthentication()
    .AddOpenIdConnect("aad", "Sign-in with Azure AD", options =>
    {
        // Multi-tenant endpoint: id_tokens issued by any AAD tenant arrive here
        options.Authority = "https://login.microsoftonline.com/common";
        options.ClientId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
        // Hand the external identity to IdentityServer's external cookie scheme
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        options.SignOutScheme = IdentityServerConstants.SignoutScheme;
        // Implicit id_token only: no authorization code or access token from AAD
        options.ResponseType = "id_token";
        options.CallbackPath = "/signin-aad";
        options.SignedOutCallbackPath = "/signout-callback-aad";
        options.RemoteSignOutPath = "/signout-aad";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            // With the /common authority the issuer is tenant-specific, so issuer
            // validation is switched off; this accepts id_tokens from every tenant
            ValidateIssuer = false,
            NameClaimType = "name",
            RoleClaimType = "role"
        };
    });
// preserve OIDC state in cache (solves problems with AAD and URL lengths)
services.AddOidcStateDataFormatterCache("aad");
//
My client configuration in config.cs:
new Client
{
    ClientId = "blazor",
    AllowedGrantTypes = GrantTypes.Code,
    RequirePkce = true,
    RequireClientSecret = false,
    AllowedCorsOrigins = { "https://localhost:5001" },
    AllowedScopes = { "openid", "profile", "email", "backend" },
    AlwaysIncludeUserClaimsInIdToken = true,
    RedirectUris = { "https://localhost:5001/authentication/login-callback" },
    PostLogoutRedirectUris = { "https://localhost:5001/" },
    Enabled = true
},
Identity Server console log:
[10:56:36 Debug] IdentityServer4.ResponseHandling.UserInfoResponseGenerator
Scopes in access token: openid profile backend email
[10:56:36 Debug] IdentityServer4.ResponseHandling.UserInfoResponseGenerator
Requested claim types: sub name family_name given_name middle_name nickname preferred_username profile picture website gender birthdate zoneinfo locale updated_at role email email_verified
[10:56:36 Information] IdentityServer4.ResponseHandling.UserInfoResponseGenerator
Profile service returned the following claim types: sub name preferred_username
id_token claims:
s_hash: 34563456345634563563
sid: wretqert3545643563456
sub: GUID
auth_time: 2342424324
idp: aad
name: bob Henri
preferred_username: GUID
amr: external
I expect all of the requested claims to appear here.
Thanks in advance
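The log above is the key observation: IdentityServer asked the profile service for "role", "email" and the other claim types, but the profile service only returned sub, name and preferred_username, because the default service answers from the local user store, where an AAD-provisioned user has no such claims. The following is an added example written for this page (not the asker's code and not IdentityServer4's own), showing the two places a practitioner changes: copying the claims worth keeping from the AAD principal into IdentityServer's own cookie at external-login time, and a custom IProfileService that answers claim requests from that cookie principal. It assumes the IdentityServer4 quickstart ExternalController (where additionalLocalClaims is passed to IdentityServerUser.AdditionalClaims); the class names and the AAD-to-local claim-type mapping are assumptions to adjust.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Models;
using IdentityServer4.Services;

// 1) External login callback: select the claims from the AAD principal that should
//    survive into IdentityServer's cookie. In the quickstart ExternalController.Callback:
//        additionalLocalClaims.AddRange(ExternalClaimMapper.ToLocalClaims(result.Principal));
//    before HttpContext.SignInAsync(isuser, localSignInProps).
public static class ExternalClaimMapper
{
    // Assumed mapping (hypothetical, adjust to your app registration):
    // AAD claim type -> claim type the Blazor client expects.
    // AAD app roles arrive as "roles"; the inbound JWT claim-type map may already have
    // translated them to ClaimTypes.Role, so both are accepted.
    private static readonly Dictionary<string, string> Map = new Dictionary<string, string>
    {
        ["roles"] = "role",
        [ClaimTypes.Role] = "role",
        ["email"] = "email",
        ["preferred_username"] = "preferred_username",
        ["name"] = "name",
        [ClaimTypes.Name] = "name",
    };

    public static List<Claim> ToLocalClaims(ClaimsPrincipal external)
    {
        var local = new List<Claim>();
        foreach (var claim in external.Claims)
        {
            // Only allow-listed types cross the boundary; everything else from AAD is dropped
            if (Map.TryGetValue(claim.Type, out var localType))
                local.Add(new Claim(localType, claim.Value));
        }
        return local;
    }
}

// 2) Profile service: answer requests for claims from the signed-in principal (the
//    IdentityServer cookie), not only from the local user store.
//    Register with: services.AddIdentityServer()...AddProfileService<PassThroughProfileService>();
public class PassThroughProfileService : IProfileService
{
    // Protocol claims IdentityServer issues itself; never echo them back from the cookie.
    private static readonly HashSet<string> Protocol = new HashSet<string>
    {
        JwtClaimTypes.Subject, JwtClaimTypes.SessionId, JwtClaimTypes.AuthenticationTime,
        JwtClaimTypes.AuthenticationMethod, JwtClaimTypes.IdentityProvider,
    };

    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var candidates = context.Subject.Claims
            .Where(c => !Protocol.Contains(c.Type))
            .ToList();

        // AddRequestedClaims keeps only the types listed in context.RequestedClaimTypes,
        // i.e. what the requested scopes ("profile", "email", the scope declaring "role")
        // allow; a claim that is on the cookie but not requested is still not issued.
        context.AddRequestedClaims(candidates);
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        // AAD-provisioned users have no local record to check in this example
        context.IsActive = true;
        return Task.CompletedTask;
    }
}
```

Two checks before expecting "role" in the id_token: the claim type must be declared by an IdentityResource (or ApiScope) that appears in the client's AllowedScopes, which the "Requested claim types" log line confirms here, and AAD only emits a roles claim when the app registration defines app roles and the signing-in user is assigned one. If either is missing, the mapper has nothing to copy and the profile service correctly returns no role.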