This article covers how to make IdentityServer3 require a role (as an additional credential) when a user logs in. It is a useful reference for anyone facing the same problem; read on to learn how it was solved.

Problem description


I have a system where if the user logs in as Joe with the role "Readonly" then he will be granted access only to read things (fairly obviously); however, if he logs in as Joe with the role "Administrator" then he will have access to do administrative functions. However, I want him to have to re-login if he wishes to change from the Readonly role to the Administrator role, so that he could potentially leave his account logged in as Readonly on a display screen or something without fear of someone hijacking his Administrator privileges.


Now I also need to be able to log in a Web client via an implicit grant or another server via a code grant and have that service be able to use the same roles as well (while still requiring Joe to log in as the particular role if he isn't already authenticated.)


Now I have been trying to do this with IdentityServer3, but I can't seem to get the role information to be part of the authentication for the user. I tried adding an acr_value of role:ReadOnly to the token request (which then turns into an authentication request if the user is not logged in), but if they log in with the acr_value of ReadOnly and then come back to log in with the acr_value of Administrator, it just lets them on in because they are already authenticated as the user.


Any tips on what I should be using instead of what I am doing or how I might be completely off base in this OAuth2/OpenID Connect world?

Recommended answer


I finally figured it out so for others who might want to do the same thing here is what I did.


First you have to build a custom UserService that looks in the acr_values for extra information, then create a claim for that extra information in the AuthenticateResult. Second, you have to override the ClaimsProvider to include the custom claim set in step one in the tokens generated. Next, you need a CustomRequestValidator in order to check if a new acr_value is being set compared to the one you have stored in the token currently being used. If it has changed and you want to force the user to reauthenticate, you can set 'request.PromptMode = "login";'. And that is it: using that set of steps I can now authenticate a user using 3 values (username, password, and role), and if the role requested changes I can require them to reauthenticate.

Happy coding.
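The three pieces described in the answer, sketched in C# against the IdentityServer3 extension points (added example, not code from the original answer or from IdentityServer3 itself). The class names, the claim type `logged_in_role`, the `role:` prefix convention for acr_values, and the placeholder password check are assumptions; the real credential check and the `Registration<>` wiring in `IdentityServerServiceFactory` are left to the host.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;
using IdentityServer3.Core.Services.Default;
using IdentityServer3.Core.Validation;
// Step 1: read the requested role from acr_values ("role:ReadOnly") and issue a claim for it.
public class RoleAwareUserService : UserServiceBase
{
    public const string RoleClaimType = "logged_in_role"; // assumed custom claim type
    public static string RoleFromAcr(IEnumerable<string> acrValues) =>
        acrValues?.Where(v => v.StartsWith("role:")).Select(v => v.Substring("role:".Length)).FirstOrDefault();
    public override Task AuthenticateLocalAsync(LocalAuthenticationContext context)
    {
        // Placeholder: verify context.UserName / context.Password against your store here.
        var role = RoleFromAcr(context.SignInMessage.AcrValues) ?? "ReadOnly"; // least privilege by default
        // Claims passed here end up in the authentication cookie, so later requests can see the role.
        context.AuthenticateResult = new AuthenticateResult(context.UserName, context.UserName,
            new[] { new Claim(RoleClaimType, role) });
        return Task.FromResult(0);
    }
}
// Step 2: copy the custom claim from the session principal into the identity token.
public class RoleClaimsProvider : DefaultClaimsProvider
{
    public RoleClaimsProvider(IUserService users) : base(users) { }
    public override async Task<IEnumerable<Claim>> GetIdentityTokenClaimsAsync(ClaimsPrincipal subject,
        Client client, IEnumerable<Scope> scopes, bool includeAllIdentityClaims, ValidatedRequest request)
    {
        var claims = (await base.GetIdentityTokenClaimsAsync(subject, client, scopes, includeAllIdentityClaims, request)).ToList();
        claims.AddRange(subject.FindAll(RoleAwareUserService.RoleClaimType));
        return claims;
    }
}
// Step 3: force prompt=login when the requested role differs from the role in the current session.
public class RoleChangeRequestValidator : ICustomRequestValidator
{
    public Task<AuthorizeRequestValidationResult> ValidateAuthorizeRequestAsync(ValidatedAuthorizeRequest request)
    {
        var requested = RoleAwareUserService.RoleFromAcr(request.AuthenticationContextReferenceClasses);
        var current = request.Subject?.FindFirst(RoleAwareUserService.RoleClaimType)?.Value;
        if (requested != null && current != null && requested != current)
            request.PromptMode = "login"; // existing cookie is not enough to switch roles; re-enter credentials
        return Task.FromResult(new AuthorizeRequestValidationResult { IsError = false });
    }
    public Task<TokenRequestValidationResult> ValidateTokenRequestAsync(ValidatedTokenRequest request) =>
        Task.FromResult(new TokenRequestValidationResult { IsError = false });
}
```

Note that the comparison only works because step 1 stores the role in the session cookie's claims; if the role is only added to the token in step 2, `request.Subject` will not carry it and the validator cannot detect a change.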

That concludes this article on requiring a role (as an additional credential) when a user logs in with IdentityServer3. We hope the recommended answer helps, and thank you for your support!

10-21 02:59