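<!DOCTYPE html>
<!--[if IE]><![endif]-->
<!-- docfx-generated page for the "Claim destinations" topic. lang is set so assistive technology reads the content as English. -->
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
  <title>Claim destinations</title>
  <!-- initial-scale=1 added; no maximum-scale / user-scalable restriction so the page remains zoomable -->
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta name="title" content="Claim destinations">
  <meta name="generator" content="docfx 2.56.7.0">
  <link rel="shortcut icon" href="../images/favicon.ico">
  <!-- "&" inside an attribute value is written as &amp; so the query string validates and cannot be mis-read as an entity -->
  <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto:wght@300;400;500;700&amp;display=swap">
  <!-- Explicit https: instead of the protocol-relative "//" form so this third-party stylesheet is never requested over
       plain HTTP. Review note: unlike the CDN scripts at the end of the body it carries no integrity hash; add
       integrity="<hash placeholder>" crossorigin="anonymous" once the hash for this exact version is computed. -->
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.1.1/styles/night-owl.min.css">
  <link rel="stylesheet" href="../styles/colors.css">
  <link rel="stylesheet" href="../styles/discord.css">
  <link rel="stylesheet" href="../styles/main.css">
  <!-- docfx template hints pointing at the site-level and section-level tables of contents -->
  <meta property="docfx:navrel" content="../toc.html">
  <meta property="docfx:tocrel" content="toc.html">
</head>
<body>
  <div class="top-navbar">
    <!-- Review note: the hamburger is an icon-only control driven by an inline handler and a javascript: href. Both are
         kept because the template's scripts appear to wire toggleMenu() this way (confirm in main.js); aria-label gives
         the link an accessible name. A <button type="button"> bound with addEventListener would remove the last inline
         handlers and allow a strict Content-Security-Policy without 'unsafe-inline'. -->
    <a href="javascript:void(0);" class="burger-icon" onclick="toggleMenu()" aria-label="Toggle navigation">
      <svg name="Hamburger" style="vertical-align: middle;" width="24" height="24" viewBox="0 0 24 24" aria-hidden="true"><path fill="currentColor" fill-rule="evenodd" clip-rule="evenodd" d="M20 6H4V9H20V6ZM4 10.999H20V13.999H4V10.999ZM4 15.999H20V18.999H4V15.999Z"></path></svg>
    </a>
    <a class="brand" href="../index.html">
      <img src="../images/logo.png" alt="OpenIddict" class="logomark">
      <span class="brand-title">OpenIddict</span>
    </a>
  </div>
  <div class="body-content">
    <!-- click-to-dismiss overlay for the mobile menu; same inline-handler caveat as the hamburger above -->
    <div id="blackout" class="blackout" onclick="toggleMenu()"></div>
    <!-- role="navigation" dropped: it only repeated the native semantics of <nav> -->
    <nav id="sidebar">
      <div class="sidebar">
        <div>
          <a class="brand" href="../index.html">
            <img src="../images/logo.png" alt="OpenIddict" class="logomark">
            <span class="brand-title">OpenIddict</span>
          </a>
          <!-- empty in the generated markup; presumably populated at runtime by the template scripts -->
          <div id="navbar">
          </div>
        </div>
        <div class="sidebar-item-separator"></div>
        <div id="sidetoggle">
          <!-- empty in the generated markup; presumably populated at runtime by the template scripts -->
          <div id="sidetoc"></div>
        </div>
      </div>
      <div class="footer">
        <span>Generated by <strong>DocFX</strong></span>
      </div>
    </nav>
    <main class="main-panel">
      <!-- Review note: role="main" nests a second main landmark inside <main>. Left as generated because the template's
           scripts or styles may select on it - confirm before removing. -->
      <div role="main" class="hide-when-search">
        <div class="subnav navbar navbar-default">
          <div class="container hide-when-search" id="breadcrumb">
            <ul class="breadcrumb">
              <li></li>
            </ul>
          </div>
        </div>
        <article class="content wrap" id="_content" data-uid="">
          <h1 id="claim-destinations">Claim destinations</h1>
          <p><strong>When generating authorization codes, refresh tokens and device/user codes</strong> from the <code>ClaimsPrincipal</code> specified during a sign-in operation,
          <strong>OpenIddict automatically copies all the claims to the resulting codes/tokens</strong>. This is a safe operation because these tokens are always encrypted
          and can't be read by anyone but OpenIddict itself (the user or the client application that requested them cannot read their content).</p>
          <p><strong>For access and identity tokens, things work differently</strong>, as these tokens are meant to be read by different parties:</p>
          <ul>
            <li>Client applications have full access to the claims contained in the identity tokens they receive.</li>
            <li>Resource servers are expected to be able to read the claims contained in the access tokens used in API calls.</li>
            <li>With desktop, mobile or browser-based applications, it's generally not hard for users to access identity tokens
            (e.g. by intercepting the HTTP response using Fiddler, by using developer tools or by dumping the memory of the client process).</li>
            <li>If access token encryption was explicitly disabled, it's possible for the client applications or the users themselves
            to access the content of access tokens (e.g. by copying the token payload and using a tool like <a href="https://jwt.io/">https://jwt.io/</a>).</li>
          </ul>
          <p>For these reasons, <strong>OpenIddict doesn't automatically copy the claims attached to a <code>ClaimsPrincipal</code> to access or identity tokens</strong>
          (except the <code>sub</code> claim, which is the only mandatory claim in OpenIddict). To allow OpenIddict to persist specific claims
          to an access or identity token, a flag known as "claim destination" must be added to each <code>Claim</code> instance you want to expose.</p>
          <div class="NOTE"><h5>Note</h5><p>To attach one or multiple destinations to a claim, use the <code>principal.SetDestinations()</code> extension defined in <code>OpenIddict.Abstractions</code>.
          In the typical case, granted scopes can be used to determine what claims are allowed to be copied to access and identity tokens, as in this example:</p>
          </div>
<!-- "<string>" in the sample below is escaped as &lt;string&gt;; left unescaped it would be parsed as an element and vanish from the rendered code -->
<pre><code class="lang-csharp">var principal = await _signInManager.CreateUserPrincipalAsync(user);

// Note: in this sample, the granted scopes match the requested scope
// but you may want to allow the user to uncheck specific scopes.
// For that, simply restrict the list of scopes before calling SetScopes().
principal.SetScopes(request.GetScopes());
principal.SetResources(await _scopeManager.ListResourcesAsync(principal.GetScopes()).ToListAsync());

principal.SetDestinations(static claim => claim.Type switch
{
    // If the "profile" scope was granted, allow the "name" claim to be
    // added to the access and identity tokens derived from the principal.
    Claims.Name when claim.Subject.HasScope(Scopes.Profile) => new[]
    {
        OpenIddictConstants.Destinations.AccessToken,
        OpenIddictConstants.Destinations.IdentityToken
    },

    // Never add the "secret_value" claim to access or identity tokens.
    // In this case, it will only be added to authorization codes,
    // refresh tokens and user/device codes, that are always encrypted.
    "secret_value" => Array.Empty&lt;string&gt;(),

    // Otherwise, add the claim to the access tokens only.
    _ => new[]
    {
        OpenIddictConstants.Destinations.AccessToken
    }
});

return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
</code></pre></article>
      </div>
    </main>
  </div>
  <!-- Third-party scripts: jQuery, Popper and Bootstrap are version-pinned and carry integrity hashes, so a CDN copy that
       does not match the hash is refused by the browser. The remaining two are not protected: highlight.js has no integrity
       attribute, and anchor-js is requested at an unversioned URL, so a newly published version would be picked up
       unreviewed. Pin a version and add integrity="<hash placeholder>" crossorigin="anonymous" to both. -->
  <script src="https://code.jquery.com/jquery-3.5.1.min.js" integrity="sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=" crossorigin="anonymous"></script>
  <script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.0/dist/umd/popper.min.js" integrity="sha384-Q6E9RHvbIyZFJoft+2mJbHaEWldlvI9IOYy5n3zV9zzTtmI3UksdQRVvoxMfooAo" crossorigin="anonymous"></script>
  <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/js/bootstrap.min.js" integrity="sha384-OgVRvuATP1z7JjHLkuOU7Xw704+h835Lr+6QL9UvYjZE3Ipu6Tp75j7Bh/kR0JKI" crossorigin="anonymous"></script>
  <!-- explicit https: rather than protocol-relative "//" for the same reason as the stylesheet in <head> -->
  <script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.1.1/highlight.min.js"></script>
  <!-- type="text/javascript" omitted below: it is the default for classic scripts -->
  <script src="../styles/jquery.twbsPagination.js"></script>
  <script src="../styles/url.min.js"></script>
  <script src="https://cdn.jsdelivr.net/npm/anchor-js/anchor.min.js"></script>
  <script src="../styles/docfx.js"></script>
  <script src="../styles/main.js"></script>
</body>
</html>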