我有一个使用 .NET Core API、Keycloak 和 JWT 令牌制作的应用程序。
我到目前为止一直在使用的旧版本的 Keycloak,当它创建 JWT 令牌时,它在有效负载上写入了角色:
{
"user_roles": [
"offline_access",
"uma_authorization",
"admin",
"create-realm"
]
}
但是现在我更新后,它正在将角色写在有效负载上:
{
"realm_access": {
"roles": [
"create-realm",
"teacher",
"offline_access",
"admin",
"uma_authorization"
]
},
}
我需要知道如何将旧代码更改为新代码,告诉他们不要看
user_roles
,而要先看realm_access
,然后再看roles
。
public void AddAuthorization(IServiceCollection services)
{
services.AddAuthorization(options =>
{
options.AddPolicy("Administrator", policy => policy.RequireClaim("user_roles", "admin"));
options.AddPolicy("Teacher", policy => policy.RequireClaim("user_roles", "teacher"));
options.AddPolicy("Pupil", policy => policy.RequireClaim("user_roles", "pupil"));
options.AddPolicy(
"AdminOrTeacher",
policyBuilder => policyBuilder.RequireAssertion(
context => context.User.HasClaim(claim =>
claim.Type == "user_roles" && (claim.Value == "admin" || claim.Value == "teacher")
))
);
});
}
以下代码会将 Keycloak (v4.7.0) 中的“realm_access.roles”声明(JWT 令牌)转换为 Microsoft 身份模型角色声明:
public void ConfigureServices(IServiceCollection services)
{
...
services.AddTransient<IClaimsTransformation, ClaimsTransformer>();
...
}
public class ClaimsTransformer : IClaimsTransformation
{
public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
{
ClaimsIdentity claimsIdentity = (ClaimsIdentity)principal.Identity;
// flatten realm_access because Microsoft identity model doesn't support nested claims
// by map it to Microsoft identity model, because automatic JWT bearer token mapping already processed here
if (claimsIdentity.IsAuthenticated && claimsIdentity.HasClaim((claim) => claim.Type == "realm_access"))
{
var realmAccessClaim = claimsIdentity.FindFirst((claim) => claim.Type == "realm_access");
var realmAccessAsDict = JsonConvert.DeserializeObject<Dictionary<string, string[]>>(realmAccessClaim.Value);
if (realmAccessAsDict["roles"] != null)
{
foreach (var role in realmAccessAsDict["roles"])
{
claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, role));
}
}
}
return Task.FromResult(principal);
}
}
对于任何未来的读者 - 您可以使用 RequireAssertion 方法解析来自 JWT 的任何声明值。
services.AddAuthorization(options => options.AddPolicy("Administrator", policy =>
policy.RequireAssertion(c =>
JsonSerializer.Deserialize<Dictionary<string, string[]>>(c.User?.FindFirst((claim) => claim.Type == "realm_access")?.Value ?? "{}")
.FirstOrDefault().Value?.Any(v => v == "admin") ?? false)));
当我尝试使用具有不同角色的用户访问管理员的方法时,我收到服务器错误 500