Problem description:

I'm following the Using OAuth to Secure Your ASP.NET API course on Pluralsight. I've set up IdentityServer with a number of InMemoryUsers, one of which looks like this...

    using System.Collections.Generic;
    using System.Security.Claims;
    using IdentityServer3.Core;                      // Constants.ClaimTypes
    using IdentityServer3.Core.Services.InMemory;    // InMemoryUser

    public static List<InMemoryUser> Get()
    {
        return new List<InMemoryUser>
        {
            new InMemoryUser
            {
                Username = "[email protected]",
                Password = "password",
                Subject = "[email protected]",
                Claims = new[]
                {
                    new Claim(Constants.ClaimTypes.Id, "96cddc1de66641829237b7f09869b1c8"),
                    new Claim(Constants.ClaimTypes.Name, "Some Full name example")
                }
            },
        };
    }

If I authorise the user and use the supplied access token to call the API, the claims collection, for that user, looks like this ...

    ((User as System.Security.Claims.ClaimsPrincipal).Identities.First() as System.Security.Claims.ClaimsIdentity).Claims.ToList()
    Count = 10
    [0]: {iss: https://localhost:44375}
    [1]: {aud: https://localhost:44375/resources}
    [2]: {exp: 1468920204}
    [3]: {nbf: 1468916604}
    [4]: {client_id: my_clientid}
    [5]: {scope: openid}
    [6]: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: [email protected]}
    [7]: {http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant: 1468916604}
    [8]: {http://schemas.microsoft.com/identity/claims/identityprovider: idsrv}
    [9]: {http://schemas.microsoft.com/claims/authnmethodsreferences: password}

If I drop the access key that I'm using into the debugger at jwt.io I get this...

    {
      "iss": "https://localhost:44375",
      "aud": "https://localhost:44375/resources",
      "exp": 1468921471,
      "nbf": 1468917871,
      "client_id": "my_clientid",
      "scope": "openid",
      "sub": "[email protected]",
      "auth_time": 1468917871,
      "idp": "idsrv",
      "amr": [
        "password"
      ]
    }

I'm unclear what it is I'm doing, or not doing, that is stopping the Claims that are defined from being returned.

Any ideas?

Answer:

You are hitting the default behaviour of Microsoft's JWT token handler.

Microsoft thinks it knows what claim types are best for you so they do you a favour and change them on the fly (so they think).

You can either accept that - or turn that behaviour off by calling this beautiful piece of code somewhere (e.g. in startup):

    // Empties the static short-name -> WS-* URI map, so "sub", "idp", "amr" etc. keep their JWT names.
    JwtSecurityTokenHandler.InboundClaimTypeMap.Clear();
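The renaming the answer describes can be reproduced in isolation. The following is an added example (not code from the question, the answer or the Pluralsight course) written against the current System.IdentityModel.Tokens.Jwt / Microsoft.IdentityModel.Tokens packages, where the static map is named DefaultInboundClaimTypeMap and each handler instance also has a MapInboundClaims switch; the HMAC key, subject and URLs are constructed placeholders. It signs a token carrying the same short claims as the question's jwt.io output, validates it once with the default mapping (which yields the long nameidentifier / identityprovider / authnmethodsreferences URIs seen in the debugger listing) and once with mapping disabled.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

class InboundClaimMapDemo
{
    // Constructed demo key. IdentityServer signs with an X.509 certificate; HMAC is used
    // here only so the sample is self-contained.
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-key-at-least-32-bytes-long-please!"));

    // Issues a token with the short JWT claim names the question's jwt.io dump shows.
    static string CreateToken()
    {
        var token = new JwtSecurityToken(
            issuer: "https://localhost:44375",
            audience: "https://localhost:44375/resources",
            claims: new[]
            {
                new Claim("sub", "alice@example.com"),   // placeholder subject
                new Claim("idp", "idsrv"),
                new Claim("amr", "password"),
            },
            notBefore: DateTime.UtcNow,
            expires: DateTime.UtcNow.AddHours(1),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Validates the token; mapInboundClaims == true applies DefaultInboundClaimTypeMap,
    // false leaves the claim types exactly as they appear in the JWT payload.
    static ClaimsPrincipal Validate(string jwt, bool mapInboundClaims)
    {
        var handler = new JwtSecurityTokenHandler { MapInboundClaims = mapInboundClaims };
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = "https://localhost:44375",
            ValidAudience = "https://localhost:44375/resources",
            IssuerSigningKey = Key,
        };
        return handler.ValidateToken(jwt, parameters, out _);
    }

    static void Main()
    {
        string jwt = CreateToken();
        foreach (bool map in new[] { true, false })
        {
            Console.WriteLine(map ? "-- default handler (mapped) --" : "-- MapInboundClaims = false --");
            foreach (var c in Validate(jwt, map).Claims)
                Console.WriteLine($"{c.Type}: {c.Value}");
        }
    }
}
```

Whichever setting an API picks, its authorization code must look up the same claim type consistently (for example "sub" versus ClaimTypes.NameIdentifier), since the mapping changes the key the resource server sees but not the token the client holds.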
