我创建了一个具有个人帐户安全性的asp.net核心web应用程序,并将其配置为用于外部spa的授权/身份验证。我在appset5tings.json文件中添加了以下配置
{
"ConnectionStrings":
{
"DefaultConnection":
"Server=localhost;Database=itrSts;Trusted_Connection=True;MultipleActiveResultSets=true"
},
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft": "Warning",
"Microsoft.Hosting.Lifetime": "Information"
}
},
"IdentityServer": {
"Clients": {
"itr.childcare.webapp": {
"Profile": "SPA",
"RedirectUri": "http://localhost:3000/signin-callback",
"LogoutUri": "http://localhost:3000/signout-callback",
"AccessTokenLifetime": 600,
"Scopes": "openid profile gateway-api roles"
},
"Itr.Sts": {
"Profile": "IdentityServerSPA"
}
}
"Resources": {
"gateway-api": {
"Profile": "API",
"UserClaims": [
"role"
]
}
}
}}
当";openid配置文件网关api";请求了作用域,但当也请求了角色作用域时,我得到了无效的作用域错误。有人能帮助我并告诉我应该怎么做吗?感谢
缺少的是标识资源定义。他们定义了哪些声明(包括角色(应该提供给客户。
请参阅这篇关于标识资源的文章。
如果您使用的是IdentityServer4版本4.x,那么您还应该研究定义ApiScopes。
在代码中,IdentityResources的定义可以如下所示:
var employeeInfoScope = new IdentityResource()
{
Name = "employee_info",
DisplayName = "Employee information",
Description = "Employee information including seniority and status...",
Emphasize = true,
Enabled = true,
Required = true,
ShowInDiscoveryDocument = true,
UserClaims = new List<string>
{
"employment_start",
"seniority",
"contractor",
"employee",
}
};
_identityResources = new List<IdentityResource>()
{
new IdentityResources.OpenId(),
new IdentityResources.Email(),
new IdentityResources.Profile(),
new IdentityResources.Address(),
employeeInfoScope
};
为了补充这个答案,我写了一篇博客文章,详细介绍了这个话题:IdentityServer–IdentityResource与ApiResource与ApiScope