OpenID Connect: How to add custom claims data in the client credential flow

隐身守侯 提交于 2020-06-16 09:43:46

问题


I'm setting up a client credential flow with my identity server to get an access token from a client. I'm able to get the access token with the following code,

  • Identity server configuration:

     public void Configuration(IAppBuilder app)
    {
        app.Map("/identity", idsrvApp =>
        {
            var corsPolicyService = new DefaultCorsPolicyService()
            {
                AllowAll = true
            };
    
            var idServerServiceFactory = new IdentityServerServiceFactory()
            .UseInMemoryClients(Clients.Get())
            .UseInMemoryScopes(Scopes.Get())
            .UseInMemoryUsers(Users.Get());
    
            var options = new IdentityServerOptions
            {
                Factory = idServerServiceFactory,
                SiteName = "Demo",
                IssuerUri = IdentityConstants.IssuerUri,
                PublicOrigin = IdentityConstants.STSOrigin,
                SigningCertificate = LoadCertificate()
            };
    
            idsrvApp.UseIdentityServer(options);
        });
    }
    
  • Identity Server - Client configuration:

    public static class Clients
    {
        public static IEnumerable<Client> Get()
        {
        return new[]
         {
            new Client
            {
                 ClientId = "ClientSDK",
                 ClientName = "Client SDK (Client Credentials)",
                 Flow = Flows.ClientCredentials,
                 AllowAccessToAllScopes = true,
    
                ClientSecrets = new List<Secret>()
                {
                    new Secret(IdentityConstants.ClientSecret.Sha256())
                }
            }
         };
    }
    

    }

  • MVC Client:

      var oAuth2Client = new TokenClient(
                  IdentityConstants.STSTokenEndpoint,
                  "ClientSDK",
                    IdentityConstants.ClientSecret);
    
        var tokenResponse = oAuth2Client.RequestClientCredentialsAsync("MyScope").Result;
    
        return tokenResponse.AccessToken;
    

I'm able to get the access token(i.e. JWT). Can one please tell me how to add a unique key like (UserId) from my database, when the JWT is created with its claims data when the token is created.


回答1:


First, you need to create custom attribute "userId" on Azure Portal, and apply it for selected application. Then follow this example, Update user using Graph API

If you are using built in user flows, then you need to select "userId" for your application. If you are using custom policy, then following process. JWT token shows only output claims of Azure AD B2C custom policy. It is a multi steps process to create and update custom policy. Here is link to read more about How to create custom attribute




回答2:


You should implement custom user store for validating user and adding claims from database. Change startup code like below, Userrepository class represents database communication to authenticate user and get claims from database:

var idServerServiceFactory = new IdentityServerServiceFactory()
   .UseInMemoryClients(Clients.Get())
   .UseInMemoryScopes(Scopes.Get())
   .AddCustomUserStore();

Add below classes and change according to your requirement:

public static class CustomIdentityServerBuilderExtensions
{
    public static IIdentityServerBuilder AddCustomUserStore(this IIdentityServerBuilder builder)
    {                   
        builder.AddProfileService<UserProfileService>();           
        builder.AddResourceOwnerValidator<UserResourceOwnerPasswordValidator>();
        return builder;
    }
}

public class UserProfileService : IProfileService
{
    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
            UserRepository userRepository=new UserRepository();
            var user = userRepository.GetUserById(int.Parse(context.Subject.GetSubjectId()));
            if (user != null)
            {
                var userTokenModel = _mapper.Map<UserTokenModel>(user);
                var claims = new List<Claim>();
                claims.Add(new Claim("UserId", user.UserId));
                // Add another claims here 
                context.IssuedClaims.AddRange(claims);                    
    }
    public async Task IsActiveAsync(IsActiveContext context)
    {          
    }
}

public class UserResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
{        
    public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
    {           
            UserRepository userRepository=new UserRepository();
            var userLoginStatus = userRepository.GetUserById(context.UserName, context.Password);

            if (userLoginStatus != null)
            {

                    context.Result = new GrantValidationResult(userLoginStatus.UserId.ToString(),
                         OidcConstants.AuthenticationMethods.Password);                   
            }
            else
            {                    
                context.Result = new GrantValidationResult(TokenRequestErrors.InvalidClient, 
                        "Wrong Credentials");
            }            
    }
}


来源:https://stackoverflow.com/questions/61608289/openid-connect-how-to-add-custom-claims-data-in-the-client-credential-flow

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!