如何解决如何为Identity Server 4.0.3中的给定客户端正确授予对ApiResource的访问权限?
以前,我们可以定义以下配置,并且可以运行:
public static IEnumerable<ApiScope> GetApiScopes() =>
new List<ApiScope>
{
new ApiScope(
name: "Scope1",displayName: "scope1 description",userClaims: new[] { "claim1" }),new ApiScope(
name: "Scope2",displayName: "scope2 description",userClaims: new[] { "claim2","claim3","claim4"}),new ApiScope(
name: "Scope3",displayName: "scope3 description",userClaims: new[] { "claim5" }),new ApiScope(
name: "Scope4",displayName: "scope4 description",userClaims: new[] { "claim6" })
};
public static IEnumerable<ApiResource> GetApiResources() =>
new List<ApiResource>
{
new ApiResource("MyApi","MyApi description")
{
ApiSecrets = { new Secret("secret").Sha256() },Scopes =
{
"Scope1","Scope2","Scope3","Scope4"
}
}
};
public static IEnumerable<Client> GetClients() =>
new List<Client>
{
new Client
{
Enabled = true,ClientId = "client",ClientSecrets = "secret"
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,AllowOfflineAccess = true,AccessTokenType = AccessTokenType.Reference,RequireConsent = false,RequirePkce = false,UpdateAccessTokenClaimsOnRefresh = true,RefreshTokenExpiration = TokenExpiration.Absolute,AbsoluteRefreshTokenLifetime = 123456,RefreshTokenUsage = TokenUsage.ReUse,AccessTokenLifetime = 600000,AllowedScopes = { "MyApi" },// This previously worked,now it doesn't
}
};
但是由于here的各种更改,您无法再执行上述操作,因为用"MyApi"编写的Client.AllowedScopes不是范围,换句话说,您不能通过提供资源名称来请求访问资源,就像以前一样
相反,要使以上内容在Identity Server 4.0.3中正常运行,您必须进行以下破解,我认为这是完全错误的,因此是一个问题:
public static IEnumerable<ApiScope> GetApiScopes() =>
new List<ApiScope>
{
new ApiScope(
name: "Scope1",userClaims: new[] { "claim6" }),// Wrapper
new ApiScope(
name: "MyApi",displayName: "",// Manually add all claims from above scopes.
// If you end up in the future changing one of the above scopes's required claims,// well,make sure you do the same here...
userClaims: new[] { "claim1","claim2","claim4","claim5","claim6"})
};
public static IEnumerable<ApiResource> GetApiResources() =>
new List<ApiResource>
{
new ApiResource("MyApi",Scopes =
{
"MyApi"
}
}
};
public static IEnumerable<Client> GetClients() =>
new List<Client>
{
new Client
{
Enabled = true,// now works because we have a fake "MyApi" scope,// encapsulating our previously well-defined structure of scopes
AllowedScopes = { "MyApi" },}
};
将整个ApiResource的范围包装到单个范围并定义存在于所述范围中的所有声明是没有意义的。
请问有人对此有所了解-实现过去版本的Identity Server4的正确方法是什么?
编辑:基本上,我想问的是-您如何要求将特定资源授予特定范围? (如果令牌中没有其中任何一个,则将其无效)
解决方法
之所以可行,是因为在以前的版本中,资源定义会自动包含一个具有相同名称的范围。
请注意,MyApi是作用域名称,它等于资源名称。
AllowedScopes = { "MyApi" }
但是令牌包含作为受众的资源名称,这非常令人困惑。结果,如果客户端具有至少一个作为资源一部分的作用域,则客户端可以访问该资源。在资源内,应验证范围,以确保授权客户端使用资源的特定部分,例如:
services
.AddAuthorization(options =>
{
options.AddPolicy("Scope1",p => p.RequireClaim("scope","Scope1"));
看来,在您的情况下,无论指定范围如何,客户端都可以访问整个资源。
所以您应该做的是,验证资源中的范围,并在客户端定义中命名允许的范围:
AllowedScopes = { "Scope1","Scope2","Scope3","Scope4" }
或如果允许所有范围,则省略该行。这将自动包括所有允许的范围。
根据评论进行更新。
您可以使用以下方法验证在api中接收承载令牌的范围:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddIdentityServerAuthentication(options =>
{
options.JwtBearerEvents = new JwtBearerEvents
{
OnTokenValidated = async context =>
{
// To verify if required scopes are included:
var requiredScopes = new List<string> { "scope1","scope2","scope3","scope4" };
var foundScopes = context.Principal.Claims.Count(c => c.Type == "scope" && allowedScopes.Contains(c.Value));
if (foundScopes != requiredScopes.Count)
{
context.Fail("Invalid number of scopes");
}
}
};
});
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。