将用户声明放在Identity Server 4中的位置

问题描述 投票:0回答:1

我正在使用Identity Server 4来管理我组织中所有应用程序的登录名。因此,我已经部署了IdentityServer 4并将其连接到sql server数据库。现在,我有5个客户端应用程序,每个应用程序都有其自己的角色/声明(即,应用程序1具有经理,会计,而应用程序2具有开发人员,经理,电工,应用程序3具有设计师,管理员,审阅者...)。我的问题是:我应该将这些用户角色/声明放入Identityserver4数据库中,还是应该将每个应用程序的数据库都拥有自己的用户角色/声明?

谢谢

sql identityserver4 claims-based-identity
1个回答
0
投票

您可以通过向IdentityServer数据库添加一个额外的表来解决它,例如RoleClientAuthorizations。您需要在此表中保留RoleId,ClientId和AuthorizationLevel。

然后,您可以在运行时在ProfileService中返回有关该客户端的所有声明。

public class ProfileService : IProfileService
{
    private readonly IUserClaimsPrincipalFactory<ApplicationUser> _claimsFactory;
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly IClientService _clientService;
    public ProfileService(UserManager<ApplicationUser> userManager, IUserClaimsPrincipalFactory<ApplicationUser> claimsFactory,IClientService clientService)
    {
        _userManager = userManager;
        _claimsFactory = claimsFactory;
        _clientService = clientService;
    }
    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var sub = context.Subject.GetSubjectId();
        var user = await _userManager.FindByIdAsync(sub);
        var principal = await _claimsFactory.CreateAsync(user);
        var clientId = context.Client.ClientId;

        var claims = principal.Claims.ToList();

        --You will get role client information from RoleClientAuthorization table here
        var userAuthorizationLevelClaim = _clientService.GetUserAuthorizationLevel(clientId, sub);
        if(userAuthorizationLevelClaim != null)
        {
            claims.Add(new Claim("authorizationLevelCode", userAuthorizationLevelClaim.AuthorizationLevelId.ToString()));
            claims.Add(new Claim("authorizationPrivilegeType", userAuthorizationLevelClaim.PrivilegeType));
        }

        context.IssuedClaims = claims;
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        var sub = context.Subject.GetSubjectId();
        var user = await _userManager.FindByIdAsync(sub);
        context.IsActive = user != null;
    }

正在启动;

services.AddIdentity()
        .AddProfileService<ProfileService>();
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.