我使用的是ASP.Net内核3.1。在我的IdentityServer中,我添加了像这样的用户和角色
public static void EnsureSeedData(IServiceProvider serviceProvider)
{
var RoleManager = serviceProvider.GetRequiredService<RoleManager<IdentityRole>>();
var UserManager = serviceProvider.GetRequiredService<UserManager<IdentityUser>>();
IdentityResult roleResult;
//Adding Admin Role
var roleCheck = RoleManager.RoleExistsAsync("Admin").Result;
if (!roleCheck)
{
IdentityRole adminRole = new IdentityRole("Admin");
//create the roles and seed them to the database
roleResult = RoleManager.CreateAsync(adminRole).Result;
RoleManager.AddClaimAsync(adminRole, new Claim("TestClaim1", bool.TrueString)).Wait();
RoleManager.AddClaimAsync(adminRole, new Claim("TestClaim2", bool.TrueString)).Wait();
RoleManager.AddClaimAsync(adminRole, new Claim("TestClaim3", bool.FalseString)).Wait();
}
var alice = UserManager.FindByNameAsync("alice").Result;
if (alice == null)
{
alice = new IdentityUser
{
UserName = "alice",
Email = "AliceSmith@email.com",
EmailConfirmed = true,
};
var result = UserManager.CreateAsync(alice, "Pass123$").Result;
if (!result.Succeeded)
{
throw new Exception(result.Errors.First().Description);
}
result = UserManager.AddClaimsAsync(alice, new Claim[]{
new Claim(JwtClaimTypes.Name, "Alice Smith"),
new Claim(JwtClaimTypes.GivenName, "Alice"),
new Claim(JwtClaimTypes.FamilyName, "Smith"),
new Claim(JwtClaimTypes.WebSite, "http://alice.com"),
}).Result;
if (!result.Succeeded)
{
throw new Exception(result.Errors.First().Description);
}
UserManager.AddToRoleAsync(alice, "Admin").Wait();
//Log.Debug("alice created");
}
}
在我的WebApplication中,
services.AddAuthentication("Bearer")
.AddJwtBearer("Bearer", options =>
{
options.Authority = "https://localhost:5001";
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = false
};
});
但在控制器User.Claims中没有角色的声明,只有用户的声明。
所以,如果我想拥有角色声明,我应该通过提供ProfileService向IdentityServer中的用户添加角色声明,比如这个
public Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var id = context.Subject.FindFirst("sub").Value;
var user = _userManager.FindByIdAsync(id).Result;
var roles = _userManager.GetRolesAsync(user).Result;
var claims = new List<Claim>();
foreach (var role in roles)
{
var roleObj = _roleManager.FindByNameAsync(role).Result;
var roleClaims = _roleManager.GetClaimsAsync(roleObj).Result;
claims.AddRange(roleClaims);
}
var nameClaims = context.Subject.FindAll(JwtClaimTypes.Name);
context.IssuedClaims.AddRange(claims);
context.IssuedClaims.AddRange(nameClaims);
return Task.CompletedTask;
}
这是正确的路吗?或者有其他推荐的方法吗?
如有任何帮助,将不胜感激
要查看角色,您可能需要将其添加到AddJwtBearer:中
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = JwtClaimTypes.Name,
RoleClaimType = JwtClaimTypes.Role,
};
问题是IdentityServer和ASP.NET Core在角色声明的名称上不一致,因此需要在此处进行映射。
为了补充这个答案,我写了一篇博客文章,详细介绍了这个主题:在ASP.NET Core 中调试JwtBearer索赔问题