IdentityServer4 Claims (Custom Identity Resources)

This continues from the earlier post on role-based permission control, at:

https://mp.weixin.qq.com/s?__biz=MzkxNDMyNDY5Ng==&mid=2247484460&idx=1&sn=307e8e135315f34ad2296bd03dcb2ded&chksm=c171699bf606e08d4ddb865dda53de674ddd8424e5ac131ca67545152b189eb9b2f0463a3572&token=1436306399&lang=zh_CN#rd

This post covers custom identity resources.

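Identity resources are also data, such as a user's ID, name or e-mail address. An identity resource has a unique name, and you can assign arbitrary claim types to it (for example, the name, gender, ID number and expiry date are all claims of an ID card).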

Define the users

// Requires: using System.Collections.Generic; using System.Security.Claims;
//           using IdentityModel; using IdentityServer4.Test;
public static List<TestUser> GetUsers()
{
    return new List<TestUser>
    {
        new TestUser
        {
            SubjectId = "1",
            Username = "alice",
            Password = "password",
            Claims = new List<Claim>() { new Claim(JwtClaimTypes.Role, "superadmin") }
        },
        new TestUser
        {
            SubjectId = "2",
            Username = "bob",
            Password = "password",
            Claims = new List<Claim>() { new Claim(JwtClaimTypes.Role, "superadmin") }
        },
        new TestUser
        {
            SubjectId = "3",
            Username = "yak",
            Password = "yakpassword",
            // Three claims: role, the custom claim type "性别", and address
            Claims = new List<Claim>()
            {
                new Claim(JwtClaimTypes.Role, "admin"),
                new Claim("性别", "男"),
                new Claim(JwtClaimTypes.Address, "上海")
            }
        }
    };
}

Define the custom identity resource:

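// Requires: using System.Collections.Generic; using IdentityServer4.Models;
public static IEnumerable<IdentityResource> GetIdentityResources()
{
    // Custom identity resource: the scope name plus the claim types it releases
    var customProfile = new IdentityResource(
        name: "custom.profile",
        displayName: "Custom profile",
        userClaims: new[] { "role", "address", "性别" });

    return new IdentityResource[]
    {
        new IdentityResources.OpenId(), // omitting this causes a scope error
        new IdentityResources.Profile(),
        customProfile
    };
}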

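Configure the scope

With the code above we have defined a custom identity resource, customProfile, which contains the claims "role", "性别" and "address" (an identity resource can contain multiple claims). We still need to configure the scope before we can access it: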

// Requires: using System.Collections.Generic; using IdentityServer4;
//           using IdentityServer4.Models;
public static IEnumerable<Client> GetClients()
{
    return new List<Client>
    {
        new Client
        {
            ClientId = "yakclient",
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,

            ClientSecrets =
            {
                new Secret("yaksecret".Sha256())
            },

            // "custom.profile" must be added explicitly
            AllowedScopes =
            {
                "api1",
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "custom.profile"
            }
        }
    };
}

These claims will be included in the user's identity token (Id Token). The client uses the scope parameter to request access to identity resources.

Use Postman to call the IDS4 service and obtain an access token

URL: http://localhost:5000/connect/token

Parameters:

grant_type:password

client_id:yakclient

client_secret:yaksecret

username:yak

password:yakpassword

Use Postman to call the IDS4 service and retrieve the user's identity resources

URL: http://localhost:5000/connect/userinfo

Parameters:

Authorization:Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjYxQTgyRkRDMjMzMDdBODgyRjlENkE2RUQ5MDQwMkY2IiwidHlwIjoiYXQrand0In0.eyJuYmYiOjE2NDY2Mzk1MjksImV4cCI6MTY0NjY0MzEyOSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwIiwiY2xpZW50X2lkIjoieWFrY2xpZW50Iiwic3ViIjoiMyIsImF1dGhfdGltZSI6MTY0NjYzOTUyOSwiaWRwIjoibG9jYWwiLCJyb2xlIjoiYWRtaW4iLCJqdGkiOiIyQUNBQzU3QjdCQjU1MUFBMjQwQTlGQ0REOTM1NDNFMiIsImlhdCI6MTY0NjYzOTUyOSwic2NvcGUiOlsiYXBpMSIsImN1c3RvbS5wcm9maWxlIiwib3BlbmlkIiwicHJvZmlsZSJdLCJhbXIiOlsicHdkIl19.iE_0AlzUkTRtIUsbHl12gDtU1nV4UEUdWQBRpaddK1ikg2qgHcygf7NFFzztCME0XqZuwNVzGJ_v4D2mx0hsJjNEpDPSnDczxGqt8_ZI1fy5ZoaClY7ejMV7hdB_6Fs6CtOykiEUg0c7ayHtw7X_LEkdrt8LL5s8CdScI0B5hf6XkaonVw1aFKwSU6K8xdkflf3zjbu2Or6YOYlaNFMcBveZctNQzrCjzWcUqKV_Uv9_kORPdaJGxF1VgSAW26gJWEfBTcu8sPx9_C7RpNrWgIjIf6-uNiDNIslZxW8F3cZsOgXw4-xwKXDEbzBMJc7VnS9mI1egLMOwaMfLEFqLeA
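The two requests above, modelled offline as an added example (not code from the original post or from IdentityServer4): the userinfo endpoint releases only those user claims whose types belong to identity resources named in the access token's scopes. The resource and user tables mirror this page's configuration; the helper names and the sample tokens (empty signature) are constructed for illustration.

```python
import base64
import json

# Identity resources from this page's configuration: scope name -> claim types.
IDENTITY_RESOURCES = {
    "openid": {"sub"},
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website",
                "gender", "birthdate", "zoneinfo", "locale", "updated_at"},
    "custom.profile": {"role", "address", "性别"},
}
# Claims of two of the page's test users, keyed by SubjectId.
USERS = {
    "1": [("role", "superadmin")],
    "3": [("role", "admin"), ("性别", "男"), ("address", "上海")],
}

def make_token(payload):
    """Build a constructed sample token (empty signature) for this demo."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "at+jwt"}) + "." + enc(payload) + "."

def jwt_payload(token):
    """Decode the payload WITHOUT verifying the signature (inspection only)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def userinfo_claims(payload):
    """Model which claims userinfo would release for this access token."""
    scopes = payload.get("scope", [])
    if isinstance(scopes, str):
        scopes = scopes.split()
    if "openid" not in scopes:
        raise PermissionError("access token lacks the openid scope")
    # Scopes that are not identity resources (such as api1) contribute nothing.
    allowed = set().union(*(IDENTITY_RESOURCES.get(s, set()) for s in scopes))
    released = {"sub": payload["sub"]}
    for claim_type, value in USERS.get(payload["sub"], []):
        if claim_type in allowed:
            released[claim_type] = value
    return released

if __name__ == "__main__":
    granted = ["api1", "custom.profile", "openid", "profile"]
    token = make_token({"sub": "3", "scope": granted})
    print(userinfo_claims(jwt_payload(token)))
```

Dropping "custom.profile" from the granted scopes leaves only sub for user 3, which is the behaviour to confirm when reviewing a client's AllowedScopes for least privilege.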

 

 

 

 

Server-side output:

Acknowledgements:

https://gitee.com/github_mirrors/identityserver4_doc.zh-cn

https://www.cnblogs.com/stulzq/p/8726002.html

 

posted @ 2022-04-23 12:20  春光牛牛