lsm/openiddict-documentation
1
0
Fork 0
mirror of https://gitee.com/dcren/openiddict-documentation.git synced 2025-04-05 17:38:03 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update the claim destinations documentation to use the new SetDestinations() overload introduced in OpenIddict 4.0

Browse Source
This commit is contained in:
Kévin Chalet 2023-03-25 19:07:59 +01:00
parent e96a6d4737
commit 4a15fe07f5
1 changed files with 18 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
configuration/claim-destinations.md
View File

@ -17,7 +17,7 @@ For these reasons, **OpenIddict doesn't automatically copy the claims attached t
to an access or identity token, a flag known as "claim destination" must be added to each `Claim` instance you want to expose. to an access or identity token, a flag known as "claim destination" must be added to each `Claim` instance you want to expose.
> [!NOTE] > [!NOTE]
> To attach one or multiple destinations to a claim, use the `claim.SetDestinations()` extension defined in `OpenIddict.Abstractions`. > To attach one or multiple destinations to a claim, use the `principal.SetDestinations()` extension defined in `OpenIddict.Abstractions`.
> In the typical case, granted scopes can be used to determine what claims are allowed to be copied to access and identity tokens, as in this example: > In the typical case, granted scopes can be used to determine what claims are allowed to be copied to access and identity tokens, as in this example:
```csharp ```csharp
@ -28,31 +28,27 @@ var principal = await _signInManager.CreateUserPrincipalAsync(user);
// For that, simply restrict the list of scopes before calling SetScopes(). // For that, simply restrict the list of scopes before calling SetScopes().
principal.SetScopes(request.GetScopes()); principal.SetScopes(request.GetScopes());
principal.SetResources(await _scopeManager.ListResourcesAsync(principal.GetScopes()).ToListAsync()); principal.SetResources(await _scopeManager.ListResourcesAsync(principal.GetScopes()).ToListAsync());
principal.SetDestinations(static claim => claim.Type switch
foreach (var claim in principal.Claims)
{ {
claim.SetDestinations(claim.Type switch // If the "profile" scope was granted, allow the "name" claim to be
// added to the access and identity tokens derived from the principal.
Claims.Name when claim.Subject.HasScope(Scopes.Profile) => new[]
{ {
// If the "profile" scope was granted, allow the "name" claim to be OpenIddictConstants.Destinations.AccessToken,
// added to the access and identity tokens derived from the principal. OpenIddictConstants.Destinations.IdentityToken
Claims.Name when principal.HasScope(Scopes.Profile) => new[] },
{
OpenIddictConstants.Destinations.AccessToken,
OpenIddictConstants.Destinations.IdentityToken
},
// Never add the "secret_value" claim to access or identity tokens. // Never add the "secret_value" claim to access or identity tokens.
// In this case, it will only be added to authorization codes, // In this case, it will only be added to authorization codes,
// refresh tokens and user/device codes, that are always encrypted. // refresh tokens and user/device codes, that are always encrypted.
"secret_value" => Array.Empty<string>(), "secret_value" => Array.Empty<string>(),
// Otherwise, add the claim to the access tokens only. // Otherwise, add the claim to the access tokens only.
_ => new[] _ => new[]
{ {
OpenIddictConstants.Destinations.AccessToken OpenIddictConstants.Destinations.AccessToken
} }
}); });
}
return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme); return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
``` ```