【发布时间】:2017-03-20 23:44:37
【问题描述】:
我在单独的项目中有一个有效的 IdentityServer 和 MVC 客户端,我还在我的 asp.net 身份表中存储了针对角色的声明,这是我的种子数据代码,然后分配给用户:
if (await _roleManager.FindByNameAsync("Trainer") == null)
{
//Add Traininer Role
var trainerRole = new IdentityRole("Trainer");
await _roleManager.CreateAsync(trainerRole);
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "bookings.viewrelated"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "bookings.updatestatus"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "contacts.viewrelated"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "locations.viewrelated"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "attendee.view"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "attendee.create"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "attendee.update"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "attendee.delete"));
}
if (await _roleManager.FindByNameAsync("Booking Management") == null)
{
//Add Traininer Role
var trainerRole = new IdentityRole("Booking Management");
await _roleManager.CreateAsync(trainerRole);
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "companies.view"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "companies.create"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "companies.edit"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "companies.delete"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "locations.view"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "locations.create"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "locations.update"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "locations.delete"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "contacts.view"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "contacts.create"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "contacts.update"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "contacts.delete"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "bookings.view"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "bookings.create"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "bookings.update"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "bookings.updatestatus"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "bookings.cancel"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "bookings.delete"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "attendee.view"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "attendee.create"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "attendee.update"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "attendee.delete"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "courses.view"));
}
if (await _roleManager.FindByNameAsync("Management") == null)
{
//Add Traininer Role
var trainerRole = new IdentityRole("Management");
await _roleManager.CreateAsync(trainerRole);
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "reporting.finance"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "reporting.customers"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "users.view"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "users.create"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "users.update"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "users.delete"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "config.view"));
}
if (await _roleManager.FindByNameAsync("Course Management") == null)
{
//Add Traininer Role
var trainerRole = new IdentityRole("Course Management");
await _roleManager.CreateAsync(trainerRole);
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "courses.view"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "courses.create"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "courses.update"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "courses.delete"));
}
if (await _roleManager.FindByNameAsync("Admin") == null)
{
//Add Traininer Role
var trainerRole = new IdentityRole("Admin");
await _roleManager.CreateAsync(trainerRole);
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "config.view"));
await _roleManager.AddClaimAsync(trainerRole, new Claim(CustomClaimTypes.Permission, "config.update"));
}
在我的 MVC 客户端中,我希望能够在导航中执行类似的操作
@if (user.HasClaim(CustomClaimTypes.Permission, "config.view"))
{
<li>
<a href="#"><i class="fa fa-cogs"></i> <span class="nav-label" data-i18n="nav.layouts">Configuration Settings</span></a>
<ul class="nav nav-second-level collapse">
<li>
<a href="/configuration#!/awardingbodies/"> <span class="nav-label" data-i18n="nav.layouts">Awarding Bodies</span></a>
</li>
</ul>
</li>
}
理想情况下,我假设检查您不想经常查询数据库的权限,所以我认为最好使用令牌获取权限,但我不知道该怎么做?
编辑 1:身份服务器中的客户端配置 (Config.cs)
new Client
{
ClientId = "webclientmvc",
ClientName = "CRM MVC Client",
AllowedGrantTypes = GrantTypes.Hybrid,
AlwaysSendClientClaims = true,
RequireConsent = true,
ClientSecrets =
{
new Secret("secret".Sha256())
},
RedirectUris = { "http://localhost:5009/signin-oidc" },
PostLogoutRedirectUris = { "http://localhost:5009" },
AllowedScopes =
{
StandardScopes.OpenId.Name,
StandardScopes.Profile.Name,
StandardScopes.OfflineAccess.Name,
StandardScopes.Roles.Name,
StandardScopes.AllClaims.Name,
"api1",
"claims"
}
},
在 MVC 客户端 (startup.cs) 中配置
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
}
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationScheme = "Cookies",
AutomaticChallenge = true,
AutomaticAuthenticate = true,
});
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
AuthenticationScheme = "oidc",
SignInScheme = "Cookies",
Authority = "http://localhost:5000",
RequireHttpsMetadata = false,
ClientId = "webclientmvc",
ClientSecret = "secret",
ResponseType = "code id_token",
Scope = { "profile", "api1", "offline_access", "roles" },
GetClaimsFromUserInfoEndpoint = true,
SaveTokens = true
});
app.UseStaticFiles();
app.UseMvcWithDefaultRoute();
}
【问题讨论】:
-
抱歉没有说明我正在使用 IdentityServer4
-
能否在身份服务器中包含配置客户端的代码?
-
Identity Server Client 和 MVC Client 的配置已添加@Suhas 到问题中,感谢查看。
-
声明被添加到配置文件服务中的令牌中。那就是我要放置断点的地方。
-
我在想为什么您在 IDSvr 客户端中看到所有声明,但在 MVC 客户端中却看不到。您能否验证 CustomClaimTypes.Permission 声明是否作为范围包含在客户端 OIDC 中间件中以及作为 AllowedScope 包含在 IDSvr4 的客户端配置中?能否也包括 IDSvr4 客户端的客户端配置?
标签: asp.net-core claims-based-identity asp.net-identity-2 identityserver4