我正在使用Identity Server 4来管理我组织中所有应用程序的登录名。因此,我已经部署了IdentityServer 4并将其连接到sql server数据库。现在,我有5个客户端应用程序,每个应用程序都有其自己的角色/声明(即,应用程序1具有经理,会计,而应用程序2具有开发人员,经理,电工,应用程序3具有设计师,管理员,审阅者...)。我的问题是:我应该将这些用户角色/声明放入Identityserver4数据库中,还是应该将每个应用程序的数据库都拥有自己的用户角色/声明?
谢谢
您可以通过向IdentityServer数据库添加一个额外的表来解决它,例如RoleClientAuthorizations。您需要在此表中保留RoleId,ClientId和AuthorizationLevel。
然后,您可以在运行时在ProfileService中返回有关该客户端的所有声明。
public class ProfileService : IProfileService
{
private readonly IUserClaimsPrincipalFactory<ApplicationUser> _claimsFactory;
private readonly UserManager<ApplicationUser> _userManager;
private readonly IClientService _clientService;
public ProfileService(UserManager<ApplicationUser> userManager, IUserClaimsPrincipalFactory<ApplicationUser> claimsFactory,IClientService clientService)
{
_userManager = userManager;
_claimsFactory = claimsFactory;
_clientService = clientService;
}
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var sub = context.Subject.GetSubjectId();
var user = await _userManager.FindByIdAsync(sub);
var principal = await _claimsFactory.CreateAsync(user);
var clientId = context.Client.ClientId;
var claims = principal.Claims.ToList();
--You will get role client information from RoleClientAuthorization table here
var userAuthorizationLevelClaim = _clientService.GetUserAuthorizationLevel(clientId, sub);
if(userAuthorizationLevelClaim != null)
{
claims.Add(new Claim("authorizationLevelCode", userAuthorizationLevelClaim.AuthorizationLevelId.ToString()));
claims.Add(new Claim("authorizationPrivilegeType", userAuthorizationLevelClaim.PrivilegeType));
}
context.IssuedClaims = claims;
}
public async Task IsActiveAsync(IsActiveContext context)
{
var sub = context.Subject.GetSubjectId();
var user = await _userManager.FindByIdAsync(sub);
context.IsActive = user != null;
}
正在启动;
services.AddIdentity()
.AddProfileService<ProfileService>();