我有一个 ASP.NET Core 应用程序,它使用以下配置使用 OpenIdConnect 身份验证:
builder.Services.AddAuthentication()
.AddOpenIdConnect(
"oidc",
o =>
{
builder.Configuration.GetSection("Identity").Bind(o);
o.ClientId = "webui";
o.ClientSecret = "****";
o.CallbackPath = "/cb_openIdConnect";
o.SaveTokens = true;
o.ResponseType = OpenIdConnectResponseType.Code;
o.GetClaimsFromUserInfoEndpoint = true;
o.Scope.Add("email");
o.Scope.Add("profile");
o.UsePkce = true;
o.ClaimActions.MapUniqueJsonKey("given_name", "given_name");
});
IDP服务器是我控制的运行OpenIddict的服务器。即使我启用了
GetClaimsFromUserInfoEndpoint当我添加
OnUserInformationReceivedgiven_name o.Events.OnUserInformationReceived = e =>
{
Console.WriteLine(e.User.ToString());
return Task.CompletedTask;
};
"{ "sub": "****", "given_name": "***", "family_name": "****" }"
但是,当我访问
返回的
given_name的声明时,
UserPrincipal 不存在
AuthenticationStateProvider.
我还尝试添加虚假值,但即使该值在页面内的声明列表中也不可见:
o.Events.OnUserInformationReceived = e =>
{
e.Principal?.AddClaim("given_name", "wef");
return Task.CompletedTask;
};
如何将我的声明从 OIDC 用户信息端点获取到
HttpContextUserPrincipal无论我如何尝试,我的声明只包含以下类型:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
AspNet.Identity.SecurityStamp
技术堆栈默认使用旧的 WS-Federation 声明名称。您需要像这样更新代码才能使用 OpenID Connect 声明名称:
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
builder.Services.AddAuthentication()
然后您应该得到诸如
subgiven_nameemailscope