OrchardCMS / OrchardCore

Orchard Core is an open-source modular and multi-tenant application framework built with ASP.NET Core, and a content management system (CMS) built on top of that framework.
https://orchardcore.net
BSD 3-Clause "New" or "Revised" License

OpenId User roles claims #8840

Open MikeKry opened 3 years ago

MikeKry commented 3 years ago

I am trying to set up OpenId with two OC apps:

1/ OC OpenID Server app
2/ OC OpenID Client app

I managed to get this setup working, but I can't figure out how to send role claims from the server app to the client. I have tried to add the scope "roles", but that does not help.

The only claims that I get are: oc:entyp, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier, oi_au_id, oi_tkn_id, name

Is it possible? If so, I think it would be nice to extend the documentation of OID, because, for example, it is not even mentioned that you have to create the profile and openid scopes to get it working.

Or is there a possibility that OC would handle that itself, when both are Orchard apps?

edit: name and email scopes are working, if I add them in admin

hishamco commented 3 years ago

/cc @kevinchalet

MikeKry commented 3 years ago

Any idea? I can create my own claim, if it's not possible by default from OC, but I would not like to create duplicate functionality.

agono commented 3 years ago

I think the issue is in this piece of code of the AccessController of the OpenId module. The Claims.Role constant equals "role", but OC sets claim.Type to "http://schemas.microsoft.com/ws/2008/06/identity/claims/role". If, for example, you add this line, you get OC roles as claims: `case @"http://schemas.microsoft.com/ws/2008/06/identity/claims/role" when principal.HasScope(Scopes.Roles):`

```csharp
private IEnumerable<string> GetDestinations(Claim claim, ClaimsPrincipal principal)
{
    // Note: by default, claims are NOT automatically included in the access and identity tokens.
    // To allow OpenIddict to serialize them, you must attach them a destination, that specifies
    // whether they should be included in access tokens, in identity tokens or in both.

    switch (claim.Type)
    {
        // Never include the security stamp in the access and identity tokens, as it's a secret value.
        case "AspNet.Identity.SecurityStamp":
            break;

        // Only add the claim to the id_token if the corresponding scope was granted.
        // The other claims will only be added to the access_token.
        case OpenIdConstants.Claims.EntityType:
        case Claims.Name when principal.HasScope(Scopes.Profile):
        case Claims.Email when principal.HasScope(Scopes.Email):
        case Claims.Role when principal.HasScope(Scopes.Roles):
            yield return Destinations.AccessToken;
            yield return Destinations.IdentityToken;
            break;

        default:
            yield return Destinations.AccessToken;
            break;
    }
}
```

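The claim-type mismatch described in the comment above, shown as a stand-alone console program. This is an added example, not OrchardCore's own code: the class name, the `NormalizeRoleClaims` helper and the sample identity are constructed for illustration, and the program assumes the OpenIddict.Abstractions NuGet package for the `Claims`/`Scopes`/`Destinations` constants and the `HasScope`/`SetScopes` extension methods. It shows that `ClaimTypes.Role` (the WS-Federation URI ASP.NET Core Identity emits) and `Claims.Role` (`"role"`) are different strings, and two ways of handling that: matching both types in the destination switch, or rewriting the URI claim to `"role"` before destinations are computed.

```csharp
// Added example (not OrchardCore's code). Needs the OpenIddict.Abstractions package,
// which supplies the Claims/Scopes/Destinations constants and the HasScope/SetScopes
// extension methods used below.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using OpenIddict.Abstractions;
using static OpenIddict.Abstractions.OpenIddictConstants;

public static class RoleClaimDestinations
{
    // ASP.NET Core Identity stores roles under the WS-Federation URI ClaimTypes.Role,
    // while OpenIddict's Claims.Role is the short JWT name "role". The two strings are
    // different, so a switch on Claims.Role alone never matches an Identity role claim.
    public static IEnumerable<string> GetDestinations(Claim claim, ClaimsPrincipal principal)
    {
        switch (claim.Type)
        {
            // The security stamp is a secret; never copy it into a token.
            case "AspNet.Identity.SecurityStamp":
                yield break;

            // Put these in the id_token only when the matching scope was granted.
            case Claims.Name when principal.HasScope(Scopes.Profile):
            case Claims.Email when principal.HasScope(Scopes.Email):
            case Claims.Role when principal.HasScope(Scopes.Roles):
            case ClaimTypes.Role when principal.HasScope(Scopes.Roles):
                yield return Destinations.AccessToken;
                yield return Destinations.IdentityToken;
                yield break;

            // Everything else goes to the access token only.
            default:
                yield return Destinations.AccessToken;
                yield break;
        }
    }

    // Alternative to the extra case: rewrite ClaimTypes.Role to "role" once, up front,
    // so clients receive the standard claim name and the switch needs no URI case.
    // Hypothetical helper, not part of OrchardCore.
    public static ClaimsIdentity NormalizeRoleClaims(ClaimsIdentity identity)
    {
        var normalized = new ClaimsIdentity(identity.AuthenticationType, Claims.Name, Claims.Role);
        foreach (var claim in identity.Claims)
        {
            normalized.AddClaim(claim.Type == ClaimTypes.Role
                ? new Claim(Claims.Role, claim.Value)
                : new Claim(claim.Type, claim.Value));
        }
        return normalized;
    }

    public static void Main()
    {
        // Constructed sample identity shaped like the one ASP.NET Core Identity produces.
        var identity = new ClaimsIdentity("Test", ClaimTypes.Name, ClaimTypes.Role);
        identity.AddClaim(new Claim(Claims.Subject, "user-123"));
        identity.AddClaim(new Claim(Claims.Name, "alice"));
        identity.AddClaim(new Claim(ClaimTypes.Role, "Administrator"));
        identity.AddClaim(new Claim("AspNet.Identity.SecurityStamp", "not-a-real-stamp"));

        var principal = new ClaimsPrincipal(NormalizeRoleClaims(identity));
        // The scopes the client was granted; HasScope reads them back from the principal.
        principal.SetScopes(Scopes.OpenId, Scopes.Profile, Scopes.Roles);

        foreach (var claim in principal.Claims)
        {
            var destinations = GetDestinations(claim, principal).ToArray();
            var where = destinations.Length == 0 ? "(dropped)" : string.Join(", ", destinations);
            Console.WriteLine(claim.Type + " -> " + where);
        }

        // In a real authorization endpoint the resolver is attached with
        // principal.SetDestinations(claim => GetDestinations(claim, principal));
    }
}
```

Running it lists one line per claim: the security stamp is dropped, `sub` and the private scope claim go to the access token only, and `name` and `role` reach both tokens because the `profile` and `roles` scopes were granted. Remove `Scopes.Roles` from the `SetScopes` call and the role claim falls back to the access token only, which is the behaviour a client sees when the scope is not requested or not granted.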

MikeKry commented 3 years ago

@agono I tried that to see if it would help, but when the switch actually gets to the role claim, it has empty scopes in the principal (I just used a simple throw, I did not debug it...):

[screenshot]

there are no scopes: [screenshot]

anyway, if I do this: [screenshot]

roles do work: [screenshot]

Also "principal.HasScope(Scopes.Roles)" returns true, when checking e.g. Claims.Name, but returns false when checking Claims.Role or "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

maybe cc @deanmarcussen ?

vitalybrandes commented 1 year ago

I have the same problem. @MikeKry, did you find any solution?