IdentityServer4 - (2) Defining Resources

Defining Resources

The first thing you will typically define in your system are the resources that you want to protect. That could be identity information of your users, like profile data or email addresses, or access to APIs.

Note

You can define resources using a C# object model (hard-coded) or load them from a data store (configuration). An implementation of IResourceStore deals with these low-level details. For this document we are using the in-memory implementation.

Defining identity resources

Identity resources are data like the user ID, name, or email address of a user. An identity resource has a unique name, and you can assign arbitrary claim types to it (much as name, sex, ID number and expiry date are the individual pieces of identity information carried by an identity card). These claims will then be included in the identity token for the user. The client will use the scope parameter to request access to an identity resource.

The OpenID Connect specification defines a number of standard identity resources. The minimum requirement is that you provide support for emitting a unique ID for your users, also called the subject id (the sub claim). This is done by exposing the standard identity resource called openid:

public static IEnumerable<IdentityResource> GetIdentityResources()
{
    return new List<IdentityResource>
    {
        new IdentityResources.OpenId()
    };
}

The IdentityResources class supports all scopes defined in the specification (openid, email, profile, phone, and address). If you want to support them all, you can add them to your list of supported identity resources:

public static IEnumerable<IdentityResource> GetIdentityResources()
{
    return new List<IdentityResource>
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Email(),
        new IdentityResources.Profile(),
        new IdentityResources.Phone(),
        new IdentityResources.Address()
    };
}

Defining custom identity resources

You can also define custom identity resources. Create a new IdentityResource, give it a name and optionally a display name and description, and define which user claims should be included in the identity token when this resource gets requested:

public static IEnumerable<IdentityResource> GetIdentityResources()
{
    // "name" and "email" are standard claims; "status" is a custom claim that
    // your IProfileService implementation has to supply for the user.
    var customProfile = new IdentityResource(
        name: "custom.profile",
        displayName: "Custom profile",
        claimTypes: new[] { "name", "email", "status" });

    return new List<IdentityResource>
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
        customProfile
    };
}

See the reference section for more information on identity resource settings.

Defining API resources

To allow clients to request access tokens for APIs, you need to define API resources. Every API resource is exposed to clients as one or more scopes; in the simplest case the scope name is the same as the API name, while the expanded form lets you define several scopes for one API, e.g.:

using IdentityModel;           // JwtClaimTypes
using IdentityServer4.Models;  // ApiResource, Scope, Secret, Sha256()

public static IEnumerable<ApiResource> GetApis()
{
    return new[]
    {
        // simple API with a single scope (in this case the scope name is the same as the api name)
        new ApiResource("api1", "Some API 1"),

        // expanded version if more control is needed
        new ApiResource
        {
            Name = "api2",

            // secret for using the introspection endpoint (reference tokens);
            // "secret" is a demo value, use a strong, stored-hashed secret in production
            ApiSecrets =
            {
                new Secret("secret".Sha256())
            },

            // include the following user claims in the access token (in addition to the subject id);
            // note these are then visible to anyone who can read the access token
            UserClaims = { JwtClaimTypes.Name, JwtClaimTypes.Email },

            // this API defines two scopes
            Scopes =
            {
                new Scope()
                {
                    Name = "api2.full_access",
                    DisplayName = "Full access to API 2",
                },
                new Scope
                {
                    Name = "api2.read_only",
                    DisplayName = "Read only access to API 2"
                }
            }
        }
    };
}
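To show how these definitions are consumed, here is an added example (not from the original page or the IdentityServer4 project) of the IdentityServer host's Startup class registering the in-memory resources together with one client. It assumes that GetIdentityResources() and GetApis() live in a static class named Config; the client id, client secret and redirect URI are also assumed values.

```csharp
using System.Collections.Generic;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer()
            // Development-only signing key; use a real certificate or key store in production.
            .AddDeveloperSigningCredential()
            // The in-memory IResourceStore over the resource lists defined on this page.
            // Config is an assumed static class holding GetIdentityResources() and GetApis().
            .AddInMemoryIdentityResources(Config.GetIdentityResources())
            .AddInMemoryApiResources(Config.GetApis())
            .AddInMemoryClients(GetClients());
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseIdentityServer();
    }

    // Assumed client definition. A client can only obtain scopes listed in
    // AllowedScopes, and every name here must match an identity resource or an
    // API scope above, otherwise the authorize request fails with invalid_scope.
    // This is where least privilege is applied: this client may request
    // "api2.read_only" but never "api2.full_access" or "api1".
    public static IEnumerable<Client> GetClients()
    {
        return new[]
        {
            new Client
            {
                ClientId = "mvc",                                           // assumed
                ClientSecrets = { new Secret("client-secret".Sha256()) },   // assumed
                AllowedGrantTypes = GrantTypes.Code,
                RedirectUris = { "https://localhost:5002/signin-oidc" },    // assumed
                AllowedScopes =
                {
                    "openid",          // IdentityResources.OpenId  -> "sub" in the identity token
                    "custom.profile",  // custom identity resource   -> name, email, status
                    "api2.read_only"   // scope of api2              -> aud = "api2" in the access token
                }
            }
        };
    }
}
```

With this configuration, a request for scope=openid custom.profile api2.read_only yields an identity token carrying sub plus the three custom.profile claims, and an access token with aud=api2, the api2.read_only scope and, because api2 lists UserClaims, the user's name and email as well.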

See the reference section for more information on API resource settings.
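The ApiResource name and ApiSecrets above are consumed on the API side. The following is an added example (not from the original page or the IdentityServer4 project) of the api2 resource server's Startup, written against the IdentityServer4.AccessTokenValidation package on ASP.NET Core 3.x; the authority URL, the controller and the policy names are assumptions.

```csharp
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Startup of the "api2" resource server (assumed project).
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "https://localhost:5000"; // assumed IdentityServer URL
                // Must equal ApiResource.Name: a token whose "aud" does not contain
                // "api2" (for example one issued for api1) is rejected here.
                options.ApiName = "api2";
                // Must match one of api2's ApiSecrets; it is only used when a
                // reference token has to be validated via the introspection endpoint.
                options.ApiSecret = "secret";
            });

        services.AddAuthorization(options =>
        {
            // Audience alone is not enough: tokens for "api2.full_access" and
            // "api2.read_only" both carry aud=api2, so endpoints also check the scope.
            options.AddPolicy("ReadAccess", p => p.RequireAssertion(ctx =>
                HasScope(ctx.User, "api2.read_only") || HasScope(ctx.User, "api2.full_access")));
            options.AddPolicy("FullAccess", p => p.RequireAssertion(ctx =>
                HasScope(ctx.User, "api2.full_access")));
        });

        services.AddControllers();
    }

    // The "scope" claim arrives either as several claims or as one space-separated
    // value depending on the IdentityServer version; this handles both forms.
    public static bool HasScope(ClaimsPrincipal user, string scope)
    {
        return user.FindAll("scope")
            .SelectMany(c => c.Value.Split(' '))
            .Contains(scope);
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// Assumed controller: reads need either api2 scope, writes need full access.
[ApiController]
[Route("api2/[controller]")]
public class OrdersController : ControllerBase
{
    [HttpGet]
    [Authorize(Policy = "ReadAccess")]
    public IActionResult List() => Ok(new[] { "order-1" });

    [HttpPost]
    [Authorize(Policy = "FullAccess")]
    public IActionResult Create() => Ok("created");
}
```

A client that was only allowed api2.read_only therefore gets 403 on the POST even though its token is valid for api2; the scope granted at the token endpoint, not just the audience, decides what the API lets the caller do.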

Note

The user claims defined by resources are loaded by the IProfileService extensibility point.
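To show what that extensibility point has to do, here is an added example (not from the original page or the IdentityServer4 project) of an IProfileService that supplies the name, email and status claims used by the custom.profile resource defined above. The user records are a constructed in-memory dictionary standing in for a real user store.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Extensions;  // GetSubjectId(), AddRequestedClaims()
using IdentityServer4.Models;
using IdentityServer4.Services;

public class ProfileService : IProfileService
{
    // Constructed sample users keyed by subject id (stand-in for a user store).
    private static readonly Dictionary<string, List<Claim>> Users =
        new Dictionary<string, List<Claim>>
        {
            ["1"] = new List<Claim>
            {
                new Claim("name", "Alice Example"),
                new Claim("email", "alice@example.com"),
                new Claim("status", "active"),
                // Present on the record but not listed by any resource on this page,
                // so it must never end up in a token.
                new Claim("ssn", "000-00-0000"),
            }
        };

    // Called whenever IdentityServer builds an identity token, an access token
    // (for ApiResource.UserClaims) or a userinfo response.
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var sub = context.Subject.GetSubjectId();
        if (Users.TryGetValue(sub, out var claims))
        {
            // AddRequestedClaims keeps only the claim types in context.RequestedClaimTypes,
            // which IdentityServer derives from the resources the client was granted.
            // Adding everything to context.IssuedClaims instead would leak "ssn".
            context.AddRequestedClaims(claims);
        }
        return Task.CompletedTask;
    }

    // Called to check whether tokens may still be issued for this user.
    public Task IsActiveAsync(IsActiveContext context)
    {
        var sub = context.Subject.GetSubjectId();
        context.IsActive = Users.TryGetValue(sub, out var claims)
            && claims.Exists(c => c.Type == "status" && c.Value == "active");
        return Task.CompletedTask;
    }
}
```

Register it on the IdentityServer builder with AddProfileService<ProfileService>(); since the same service also feeds the UserClaims of api2, the name and email it returns will appear in api2's access tokens, not only in the identity token.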

Reposted from: https://my.oschina.net/u/2401395/blog/2960509
