我们想在UserInfoEndPoint的用户声明中提供大量数据,但我们不想将这些声明嵌入AccessToken。
据我所知,当我们希望保持AccessToken的大小较小时,我们可以从UserInfoEndPoint返回其他数据。参考:资料服务
因此,我按照以下方式实现了IProfileService:
public class ProfileService : IProfileService
{
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var sub = context.Subject.GetSubjectId();
// Get data from Db
var claims = new List<Claim>();
claims.Add(new Claim("global_company_id", "88888888-D964-4A2B-8D56-B893A5BCD700"));
//..... add series of additional claims
context.IssuedClaims = claims;
}
public async Task IsActiveAsync(IsActiveContext context)
{
var sub = context.Subject.GetSubjectId();
context.IsActive = true;
}
}
它从UserInfoEndpoint返回扩展的声明。但是,问题在于,这些声明集也也包含在Jwt访问令牌中,这会使令牌不必要地大很多。
{
"nbf": 1582236568,
"exp": 1582236868,
"iss": "https://localhost:44378",
"aud": [
"https://localhost:44378/resources",
"testapi"
],
"client_id": "testClientId",
"sub": "78452916-D260-4219-927C-954F4E987E70",
"auth_time": 1582236558,
"idp": "local",
"name": "ttcg",
"global_company_id": "88888888-D964-4A2B-8D56-B893A5BCD700",
//........ series of claims here
"scope": [
"openid",
"profile",
"address",
"roles",
"country",
"customClaims"
],
"amr": [
"pwd"
]
}
这是我在Identity Server Provider中的客户端配置:
var clientUrl = "http://localhost:64177";
return new Client
{
ClientName = "Test Web Application",
ClientId = "testClientId",
AllowedGrantTypes = GrantTypes.Hybrid,
AllowOfflineAccess = false,
RequireConsent = false,
RedirectUris = new List<string>
{
$"{clientUrl}/signin-oidc"
},
PostLogoutRedirectUris = new List<string>
{
$"{clientUrl}/signout-callback-oidc"
},
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.OfflineAccess,
"t1_global_ids"
},
ClientSecrets =
{
new Secret("abc123".Sha256())
}
};
这是我的MVC .Net Core Client配置,它连接到Identity Server
services.AddAuthentication(options =>
{
options.DefaultScheme = "Cookies";
options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies", options =>
{
options.AccessDeniedPath = "/AccessDenied";
})
.AddOpenIdConnect("oidc", options =>
{
options.SignInScheme = "Cookies";
options.Authority = "http://identityserverUrl";
options.ClientId = "testClientId";
options.ResponseType = "code id_token";
options.Scope.Add("openid");
options.Scope.Add("profile");
options.Scope.Add("CustomClaims"); // <-- here
options.SaveTokens = true;
options.ClientSecret = "abc123";
options.GetClaimsFromUserInfoEndpoint = true;
});
您能否帮助我,让我知道是否可以用令牌隐藏这些声明?
我曾经玩过一次,发现了一个解决方案,但它可能被认为是“ hacky”的-可行,但我从未在生产中使用过,因此,后果自负。
您的ProfileService的GetProfileDataAsync()方法会在不同时间调用-创建JWT时,点击UserEndpoint等时,在这种情况下,您不希望在创建JWT时添加自定义声明,因此请创建当“呼叫者”是JWT创建过程(类型为“ ClaimsProviderAccessToken”)时,不会添加这些条件的条件。
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
if (context.Caller != IdentityServerConstants.ProfileDataCallers.ClaimsProviderAccessToken)
{
var sub = context.Subject.GetSubjectId();
// Get data from Db
var claims = new List<Claim>();
claims.Add(new Claim("global_company_id", "88888888-D964-4A2B-8D56-B893A5BCD700"));
//..... add series of additional claims
context.IssuedClaims = claims;
}
}
这样,JWT不会包含您的自定义声明,但是如果您单击UserEndpoint,它将在JSON中返回这些用户的声明。
本文收集自互联网,转载请注明来源。
如有侵权,请联系 [email protected] 删除。
我来说两句