我们有一个非常标准的IdSrv4配置,其客户端支持HybridAndClientCredentials授权流程(MVC网站):
seqdss(rec.seq)
# Sequence
# 2103 A
# 3972 C
# 5238 C
# 4977 C
# 528 A
有关 MVC客户端配置的多个问题:
public void ConfigureServices( IServiceCollection services ) {
services.AddMvc();
services.AddIdentityServer()
.AddInMemoryClients(Clients.Get())
.AddInMemoryIdentityResources(Resources.GetIdentityResources())
.AddInMemoryApiResources(Resources.GetApiResources())
.AddTestUsers(Users.Get())
.AddDeveloperSigningCredential();
services.AddAuthentication()
.AddGoogle( "Google", options => {
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
options.ClientId = "xxxxx.apps.googleusercontent.com";
options.ClientSecret = "xxxxx";
} );
.AddFacebook(...)
}
仅使用社交认证的充分配置是什么?
答案 0 :(得分:0)
看起来添加OpenIdConnect中间件对于社交供应商身份验证方案来说已足够。
考虑到Cookie的限制,我仍然在试图找出管理附加声明的最佳做法。
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
services.AddAuthentication( options => {
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
} )
.AddCookie()
.AddOpenIdConnect( OpenIdConnectDefaults.AuthenticationScheme, options => {
options.RequireHttpsMetadata = false; //-- change it for production
options.GetClaimsFromUserInfoEndpoint = true;
options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.Authority = "http://localhost:5010";
options.ClientId = "xxx";
options.ClientSecret = "xxx.secret";
options.ResponseType = "code id_token";
options.SaveTokens = true;
//options.Scope.Clear(); //-- requires more research
options.Scope.Add( "xxx-api" );
options.Scope.Add( "email" );
options.Scope.Add( "offline_access" );
options.TokenValidationParameters =
new TokenValidationParameters { NameClaimType = "name", RoleClaimType = "role" };
//options.ClaimActions.MapUniqueJsonKey(); //-- requires more research
} );