Guide
1. How to add custom claims
Background
We currently have three web applications:
- localhost:40010, the authentication server
- localhost:40011, the MVC client, acting as the web app that requests access
- localhost:40012, the Web API, the resource protected by the authentication server
After logging in at Http://localhost:40011/Home/secure we see many claims, among them name (the UserName field from the AspNetUsers table).
So what if we want to add other fields to the access token, such as the user's avatar URL or gender?
So, let's get down to work.
Open the Model/ApplicationUser file of the authentication server (only the authentication server needs to change this time) and add two fields.
Then add the two corresponding columns to the users table.
Add a CustomProfileService that implements IdentityServer4.Services.IProfileService:
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Identity;

public class CustomProfileService : IProfileService
{
    private readonly IUserClaimsPrincipalFactory<ApplicationUser> _claimsFactory;
    private readonly UserManager<ApplicationUser> _userManager;

    public CustomProfileService(UserManager<ApplicationUser> userManager, IUserClaimsPrincipalFactory<ApplicationUser> claimsFactory)
    {
        _userManager = userManager;
        _claimsFactory = claimsFactory;
    }

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // Get the ID of the logged-in user
        var sub = context.Subject.GetSubjectId();
        var user = await _userManager.FindByIdAsync(sub);
        if (user == null) return; // unknown subject: nothing to issue

        // Create a principal with the current user as its subject
        var principal = await _claimsFactory.CreateAsync(user);
        var claims = principal.Claims.ToList();
        // Keep only the claims IdentityServer requested (the server's default behaviour)
        claims = claims.Where(claim => context.RequestedClaimTypes.Contains(claim.Type)).ToList();
        // Custom claims go here
        claims.Add(new Claim(JwtClaimTypes.GivenName, user.UserName));
        claims.Add(new Claim("headimgurl", user.HeadImgUrl));
        claims.Add(new Claim("gender", user.Gender));
        // Set the claims to be issued
        context.IssuedClaims = claims;
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        var sub = context.Subject.GetSubjectId();
        var user = await _userManager.FindByIdAsync(sub);
        context.IsActive = user != null;
    }
}
Then register the custom ProfileService where IdentityServer is configured in Startup:
services.AddIdentityServer()
    .AddDeveloperSigningCredential()
    .AddInMemoryPersistedGrants()
    .AddInMemoryIdentityResources(AuthorizationConfig.GetIdentityResources())
    .AddInMemoryApiResources(AuthorizationConfig.ApiResources())
    .AddInMemoryClients(AuthorizationConfig.Clients())
    .AddAspNetIdentity<ApplicationUser>()
    .AddProfileService<CustomProfileService>();
Run all three services.
The screenshot on the left shows the custom claims read by the MVC client; the one on the right shows the information the Web API receives after the MVC client calls the protected Web API.
Attention
With a ProfileService, claims can be sent to the client in an uncontrolled way.
What does that mean, and how should we understand it?
In our IdentityServer configuration class there are IdentityResources, Clients and ApiResources, which restrict the server resources a client is allowed to request.
In the client program's Startup we can see a line of code.
This is where the client declares the resources it may access. We will elaborate on this in a later post on the consent page.
Claims issued through the ProfileService, however, bypass those restrictions: any client can obtain them.
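To show how the restriction can be kept in place, here is an added example (not code from the original post) of a profile service that treats the custom claims as candidates and runs them through the same RequestedClaimTypes filter as the built-in ones, so that only clients whose granted resources list headimgurl and gender receive them. It assumes the same ApplicationUser with HeadImgUrl and Gender string properties; the class name ScopedProfileService is hypothetical.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Identity;

public class ScopedProfileService : IProfileService
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly IUserClaimsPrincipalFactory<ApplicationUser> _claimsFactory;

    public ScopedProfileService(UserManager<ApplicationUser> userManager,
        IUserClaimsPrincipalFactory<ApplicationUser> claimsFactory)
    {
        _userManager = userManager;
        _claimsFactory = claimsFactory;
    }

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var user = await _userManager.FindByIdAsync(context.Subject.GetSubjectId());
        if (user == null) return; // unknown subject: issue nothing

        var principal = await _claimsFactory.CreateAsync(user);
        var candidates = principal.Claims.ToList();

        // Custom claims are only candidates here. Claim rejects null values,
        // so empty strings stand in for unset profile fields.
        candidates.Add(new Claim(JwtClaimTypes.GivenName, user.UserName));
        candidates.Add(new Claim("headimgurl", user.HeadImgUrl ?? string.Empty));
        candidates.Add(new Claim("gender", user.Gender ?? string.Empty));

        // RequestedClaimTypes is derived from the resources the client was granted
        // and requested (for an access token, the UserClaims of the ApiResource).
        // Filtering everything through it means a client whose resources do not
        // list headimgurl/gender never receives them, unlike the unconditional Add.
        context.IssuedClaims = candidates
            .Where(c => context.RequestedClaimTypes.Contains(c.Type))
            .ToList();
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        var user = await _userManager.FindByIdAsync(context.Subject.GetSubjectId());
        context.IsActive = user != null;
    }
}
```

For this to work, "headimgurl" and "gender" must be listed as user claims on the ApiResource (for the access token) or on an IdentityResource (for the id_token and userinfo endpoint) in AuthorizationConfig, and only clients granted that resource will see them.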
.NET Core Identity integration with IdentityServer (2): implementing the IProfileService interface to add custom claims to the access token