Updating claims on the principal after token validation



I have an API that uses JwtBearerAuthentication. From an authentication perspective everything works fine. However, after validation completes I need to update the principal's claims. Some of the information I have to obtain from a source other than the token (claims) I receive. I was wondering whether there is a way, after validation succeeds, to add some claims to the existing claims identity/principal in order to enforce some access rights. Below is the sample code from my Startup class.

app.UseJwtBearerAuthentication(
    new JwtBearerAuthenticationOptions
    {
        // Custom token handler that adds logging around validation.
        TokenHandler = new ValidateJwtSecurityTokenHandlerforLogs(_loggingService, _environment),
        AuthenticationMode = AuthenticationMode.Active,

        TokenValidationParameters = new TokenValidationParameters()
        {
            NameClaimType = JwtClaimTypes.Name,
            RoleClaimType = OpenIDConfiguration.Permission,
            ValidateAudience = false,
            ValidIssuer = authority,

            // Resolve signing keys from the issuer's discovery document
            // (blocks on the async call because the resolver delegate is synchronous).
            IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) =>
            {
                var discoveryDocument = Task.Run(() => configurationManager.GetConfigurationAsync()).GetAwaiter().GetResult();
                return discoveryDocument.SigningKeys;
            }
        }
    });

You have a couple of options for modifying claims after authentication:

One option is

options.Events = new JwtBearerEvents()
{
    OnTokenValidated = context =>
    {
        // Token has passed validation and a ClaimsIdentity has been generated.
        // (Identities.First() needs `using System.Linq;`.)
        context.Principal.Identities.First().AddClaim(new Claim("VIPCustomer", "YES"));
        return Task.CompletedTask;
    }
};

For more advanced claims transformation scenarios, we can add a custom transformation class

using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

public class BonusLevelClaimTransformation : IClaimsTransformation
{
    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Guard so repeated invocations on the same request do not add duplicates.
        if (!principal.HasClaim(c => c.Type == "bonuslevel"))
        {
            // Lookup bonus level.....
            principal.Identities.First().AddClaim(new Claim("bonuslevel", "12345"));
        }
        return Task.FromResult(principal);
    }
}

Then we register it in Startup.cs:

services.AddTransient<IClaimsTransformation, BonusLevelClaimTransformation>();
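The two hooks from the answer combined into one runnable ASP.NET Core setup, as an added example that is not code from the question or the answer. Note that the question's `app.UseJwtBearerAuthentication(...)` snippet is the OWIN/Katana API, while `JwtBearerEvents` and `IClaimsTransformation` belong to ASP.NET Core, which is what this example targets. The `IPermissionStore` interface, its in-memory table, the issuer `https://sts.example.test` and the claim type `permission` are assumptions made for the example. It shows what the answer's snippets leave out: looking the extra claims up through DI from `OnTokenValidated`, rejecting the request with `context.Fail` when the subject is not provisioned locally, emitting the looked-up claims under the configured `RoleClaimType` so `[Authorize(Roles = ...)]` sees them, tagging them with a local issuer so they are never confused with claims the token's issuer asserted, and cloning the principal inside `IClaimsTransformation` because that hook may run more than once per request.

```csharp
// Program.cs (.NET 6+ minimal hosting). Added example; assumes the
// Microsoft.AspNetCore.Authentication.JwtBearer package, a hypothetical issuer
// at https://sts.example.test and the hypothetical claim type "permission".
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddSingleton<IPermissionStore, InMemoryPermissionStore>();
builder.Services.AddTransient<IClaimsTransformation, BonusLevelClaimsTransformation>();
builder.Services.AddAuthorization();

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://sts.example.test"; // assumption: signing keys come from its discovery document
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateAudience = false,
            NameClaimType = "name",
            RoleClaimType = "permission", // the claim type [Authorize(Roles = ...)] / IsInRole inspects
        };
        options.Events = new JwtBearerEvents
        {
            // Runs once per request, only after signature, issuer and lifetime checks passed.
            OnTokenValidated = async context =>
            {
                var principal = context.Principal!;
                // "sub" may have been renamed to NameIdentifier by the inbound claim-type map.
                var subject = principal.FindFirst("sub")?.Value
                              ?? principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
                if (string.IsNullOrEmpty(subject))
                {
                    context.Fail("token carries no subject"); // request ends with 401, endpoint never runs
                    return;
                }

                var store = context.HttpContext.RequestServices.GetRequiredService<IPermissionStore>();
                var permissions = await store.GetPermissionsAsync(subject, context.HttpContext.RequestAborted);
                if (permissions is null)
                {
                    context.Fail("subject is not provisioned in this API");
                    return;
                }

                // Record where locally added claims came from so they are never
                // mistaken for claims asserted by the token issuer.
                var identity = (ClaimsIdentity)principal.Identity!;
                foreach (var p in permissions)
                    identity.AddClaim(new Claim("permission", p, ClaimValueTypes.String, issuer: "local-permission-store"));
            }
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Authorization is evaluated against the enriched principal, so the role
// check succeeds on claims that were never inside the token.
app.MapGet("/orders", (ClaimsPrincipal user) =>
        Results.Ok(user.Claims.Select(c => new { c.Type, c.Value, c.Issuer })))
   .RequireAuthorization(new AuthorizeAttribute { Roles = "orders.read" });

app.Run();

public interface IPermissionStore
{
    Task<IReadOnlyList<string>?> GetPermissionsAsync(string subject, CancellationToken ct);
}

// Constructed sample data standing in for the real lookup source (assumption).
public sealed class InMemoryPermissionStore : IPermissionStore
{
    private static readonly Dictionary<string, string[]> Table = new()
    {
        ["user-1"] = new[] { "orders.read", "orders.write" },
        ["user-2"] = new[] { "orders.read" },
    };

    public Task<IReadOnlyList<string>?> GetPermissionsAsync(string subject, CancellationToken ct)
        => Task.FromResult<IReadOnlyList<string>?>(Table.TryGetValue(subject, out var p) ? p : null);
}

// IClaimsTransformation may be invoked more than once per request, so it must
// be idempotent and must not mutate the principal it is handed: clone, then add.
public sealed class BonusLevelClaimsTransformation : IClaimsTransformation
{
    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (principal.Identity is not ClaimsIdentity || principal.HasClaim(c => c.Type == "bonuslevel"))
            return Task.FromResult(principal);

        var clone = principal.Clone();
        ((ClaimsIdentity)clone.Identity!).AddClaim(
            new Claim("bonuslevel", "12345", ClaimValueTypes.String, issuer: "local-bonus-service"));
        return Task.FromResult(clone);
    }
}
```

Two caveats worth keeping in mind with either hook. Claims added here exist only inside this API's process for the current request; they are not in the token, so any downstream service that receives the same bearer token will not see them and must not be assumed to. And because the lookup runs on every authenticated request, it sits on the hot path: keep it cheap or cached, and treat a lookup failure as a denial (as the `context.Fail` branches do) rather than silently continuing with the token's claims alone.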
