角色不被使用AddJWTBearer填充IdentityServer4和dotnetcore 2.0

Question

我使用这些组件与下面配置：

• IdentityServer4" 版本= “2.0.0-RC1
• IdentityServer4.AspNetIdentity” 版本=” 2.0.0-RC1

我在connect/token令牌请求给我一个正确的承载令牌，当我打电话使用[Authorize(JwtBearerDefaults.AuthenticationScheme)]与令牌的方法，授权似乎正常工作。

但是，角色是空的还是空的？
如何获取令牌请求以包含必要的ASPNET角色？

随着下列配置

services.AddAuthentication() 
     .AddOpenIdConnect(
     o => 
     { 
      o.Authority = "https://localhost:44319"; 
      o.ClientId = "api"; 
      o.ClientSecret = "secret"; 
      o.RequireHttpsMetadata = false; 
      o.GetClaimsFromUserInfoEndpoint = true; 
      o.TokenValidationParameters = new TokenValidationParameters 
      { 
       RoleClaimType = ClaimTypes.Role 
      }; 
     }) 
     .AddJwtBearer(o => 
      { 
       o.Authority = "https://localhost:44319"; 
       o.Audience = "api"; 
       o.RequireHttpsMetadata = false; 
       o.TokenValidationParameters = new TokenValidationParameters 
       { 
        RoleClaimType = ClaimTypes.Role 
       }; 
       o.SaveToken = true; 
      }); 

services.AddMemoryCache(); 
services.AddIdentity<ApplicationUser, ApplicationRole>(
     x => 
     { 
      x.Password.RequireNonAlphanumeric = false; 
      x.Password.RequireUppercase = false; 
     }) 
    .AddEntityFrameworkStores<FormWorkxContext>() 
    .AddDefaultTokenProviders() 
    .AddIdentityServer(); 

services.ConfigureApplicationCookie(options => 
{ 
    options.LoginPath = "/login"; 
    options.LogoutPath = "/logout"; 
    options.Events.OnRedirectToLogin = this.ProcessStatusCodeResponse; 
}); 

services.AddIdentityServer() 
    // .AddSigningCredential("CN=rizacert") 
    .AddDeveloperSigningCredential() 
    .AddInMemoryIdentityResources(Config.GetIdentityResources()) 
    .AddInMemoryApiResources(Config.GetApis()) 
    .AddInMemoryClients(Config.GetClients()) 
    .AddAspNetIdentity<ApplicationUser>(); 

和config.cs

private const string Api = "api"; 
private const string ClientSecret = "secret"; 

public static IEnumerable<ApiResource> GetApis() 
{ 
    return new List<ApiResource> 
    { 
     new ApiResource(Api, "formworkx api") 
    }; 
} 

public static IEnumerable<Client> GetClients() 
{ 
    return new List<Client> 
    { 
     new Client 
     { 
      ClientId = "api", 
      AllowedGrantTypes = GrantTypes.ResourceOwnerPassword, 
      RequireConsent = false, 
      ClientSecrets = { new Secret(ClientSecret.Sha256()) }, 
      AllowedScopes = 
      { 
       IdentityServerConstants.StandardScopes.OpenId, 
       IdentityServerConstants.StandardScopes.Profile, 
       IdentityServerConstants.StandardScopes.OfflineAccess, 
       "api" 
      } 
     } 
    }; 
} 

public static IEnumerable<IdentityResource> GetIdentityResources() 
{ 
    return new List<IdentityResource> 
    { 
     new IdentityResources.OpenId(), 
     new IdentityResources.Profile(), 
    }; 
} 

Answer 1

根据权利要求类型需要在ApiResource要被请求。

public static IEnumerable<ApiResource> GetApis() 
{ 
    return new List<ApiResource> 
    { 
     new ApiResource(
      Api, 
      "formworkx api", 
      new[] 
      { 
       // exhaustive list of claims in a new 
       // dotnetcore 2.0 MVC application. 
       "nbf", 
       "exp", 
       "iss", 
       "aud", 
       "aud", 
       "client_id", 
       "sub", 
       "auth_time", 
       "idp", 
       "AspNet.Identity.SecurityStamp", 
       ClaimTypes.Role, // REQUESTED HERE 
       "preferred_username", 
       "name", 
       "email", 
       "email_verified", 
       "scope", 
       "amr" 
      }) 
    }; 
} 

此外，角色类型需要是正确的。

services.AddIdentity<ApplicationUser, ApplicationRole>(
    x => 
    { 
     x.Password.RequireNonAlphanumeric = false; 
     x.Password.RequireUppercase = false; 
    }) 
    .AddEntityFrameworkStores<FormWorkxContext>() 
    .AddDefaultTokenProviders() 
    .AddIdentityServer(); 

    // NB (hours of debugging..., AddIdentityServer uses "role") 
    services.Configure<IdentityOptions>(options => 
     options.ClaimsIdentity.RoleClaimType = ClaimTypes.Role);