Closed qq1176914912 closed 7 months ago
How to Assign Roles to a User?

When a role is added to a client, a new scope named `<client_id>\<role_name>` is added and assigned to the client.

Once the role is defined, you can create a group and assign roles to it. Follow these instructions:

- On the Groups screen, click on the Add group button, fill in the form, and click on the Submit button.
- Click on the new group and navigate to the Roles tab.
- Click on the Add Role button, select your role, and click on the Save button.

Now, there is a group configured with one role; you can assign it to the User.

- On the Users screen, select the User and navigate to the Groups tab.
- Click on the Assign groups button and assign one or more groups.
- Navigate to the Claims tab, click on the Resolve roles checkbox, and check if the roles are displayed in the table.

How to Add Custom Claims to the id_token?

In SimpleIdServer, you can define an Identity Scope with one or more Mapping Rules. These rules are used to retrieve user information and convert it into a list of claims that will be included in the Identity Token.

To return your custom `testclaims` into the Identity Token, you must create a SCOPE with one mapping rule:

- On the Scopes screen, click on the Add scope button.
- Select Identity Value and click on next.
- Fill in the form like this and click on the Save button to confirm the creation.

  Parameter | Value
  ---|---
  name | test
  description | test
  protocol | openid
  Is Exposed | false

- Navigate to the new scope, click on the Mappers tab, and click on the Add mapper button.
- Select Attribute and click on next.
- Fill in the form like this and click on the Save button to confirm the creation.

  Parameter | Value
  ---|---
  name | test
  token claim name | test
  claim json type | string
  user attribute | testclaims

Now the scope is configured; you can pass it into the authorization request. The value of the `testclaims` claim will be passed into the identity token.
This is the expected behavior as per the OPENID RFC. When the authorization code grant type is used, the id_token does not contain the user's claims. Instead, the website utilizes the access token to retrieve the user's claims from the userinfo API.

Could you please verify on your website whether the claims are present in the User.Claims property?

I have created a bug ticket, #633, to address the issue of "unknown scopes address".
@qq1176914912: The issue #633 (unknown scopes address) is fixed in the master branch.
I have roughly understood that if I want to obtain a user role and perform access control as shown in the following figure, I need to manually call the userinfo API before authorization, obtain the user role, and then manually add the role to the claims.

I have successfully implemented the functionality I need, and I customized a method before authorizing the API project:

In this method, call userinfo to query the role, and then add the role to the claims.

Declaration of authorization for roles on the API interface, successful testing.

This is a way I came up with; I'm not sure if there are any other ways.

There is another question: what is the session in the user? I see that they can reject it. What is the specific rejection function? If the user is already logged in and I reject it from here, the user will not redirect to the login page, so I want to know what can be done here.
@qq1176914912

Custom Middleware

There is no need to implement custom middleware to retrieve claims from the userinfo endpoint, as this functionality is already implemented by Microsoft.AspNetCore.Authentication.OpenIdConnect. If the property GetClaimsFromUserInfoEndpoint is set to true, the OpenIdConnectHandler class retrieves the claims from the userinfo endpoint: https://github.com/dotnet/aspnetcore/blob/main/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectHandler.cs#L795

Session

The concept of a user's session has been introduced by the RFC OpenID Connect Session Management (1.0) (https://openid.net/specs/openid-connect-session-1_0.html). In short, when the web application is configured to use RP Initiated Logout, and the session is rejected, the end-user will automatically be disconnected from the Client/Web Application and the Identity Server.

You can follow this tutorial to implement a SPA application with session checks enabled; the source code can be found here: https://github.com/simpleidserver/SimpleIdServer/blob/master/samples/ProjectSPA/src/Website/
Custom Middleware

Yes, what you said is correct. I checked your source code in the 'SimpleIdServer.OpenIdConnect' project and found this judgment:

But I found that it is only referenced in your 'SimpleIdServer.IdServer.Startup' project.

Your method only checks this property when I log in to your 'SimpleIdServer.IdServer.Website.Startup' project, but when I log in to my custom client (using only the IdServer project), it does not check this property, which results in my being unable to obtain this role even if I configure 'Options.GetClaimsFromUserInfoEndpoint = true' on my client.

I referred to this project: https://github.com/IdentityServer/IdentityServer4/tree/4dc10e665f5ede63274427036c25cdc216130eb9/samples/Quickstarts/5_EntityFramework

I found that it references a class library with a name similar to yours in the 'IdentityServer' project:

So I would like to know if your 'SimpleIdServer.OpenIdConnect' class library can be placed in the 'SimpleIdServer.IdServer.Startup' project. If you don't plan to do this, I can follow your example and add a custom method on IDS. Before generating the token, I need to query the userinfo and add the role to the claims. This ensures that the generated token contains the role.

Session

I found in your 'Website' project that 'Backchannel Logout URL' can be configured for clients. Based on my understanding, this is what you call RP Logout.

If that's the case, I added an interface for exiting in the client.

When I successfully logged in to my client and logged in to your 5001 (also known as the ids project) again, I logged out this user on the ids project. However, my client's interface did not receive any content, meaning that the Backchannel Logout URL configured for your project did not take effect. Just in case, I also configured the Backchannel Logout URL in the ids4 example project. When I logged out this user on its ids, my client interface successfully received the content, so I'm not sure if there is a problem with your project here.
Thanks for your hard work. I have discovered a problem. When I set BackChannelLogoutUri in the client:

When I use my client to exit, clicking on 'Revoke session' will result in an error:

I also configured BackChannelLogoutUri on my IDS4 sample project, but I did not encounter this issue when I exited, so I think this issue lies in the logic of the 'Revoke session'.
Role:

By default, when using the Microsoft.AspNetCore.Authentication.OpenIdConnect NuGet Package, the role claim is not returned. To retrieve this claim from the userinfo endpoint, add the following code:

```csharp
.AddOpenIdConnect("sid", options =>
{
    ...
    // Ask the handler to call the userinfo endpoint after the code exchange.
    options.GetClaimsFromUserInfoEndpoint = true;
    // Request the scope that exposes the role claim.
    options.Scope.Add("role");
    // Map the "role" JSON key of the userinfo response to a claim of type "role".
    options.ClaimActions.MapJsonKey("role", "role");
    ...
});
```

Session:

You received this exception because the TokenSignedResponseAlg parameter is not configured in your client. I made some changes in the master branch to provide the ability to update this parameter in the UI. To do so:

- Navigate to the Clients screen.
- Select your client and go to the Advanced tab.
- Set the token signature algorithm to RS256 and click on Update.

This parameter is necessary to build and sign the Logout Token.

The sample project https://github.com/simpleidserver/SimpleIdServer/tree/master/samples/ProtectWebsiteServerside has been updated to support Logout functionality and also to retrieve the role claim from the userinfo endpoint.

Feel free to explore this project! :)
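Putting the snippet from the reply above into a complete client, as an added example that is not the thread's or the project's own code: an ASP.NET Core site using Microsoft.AspNetCore.Authentication.OpenIdConnect that pulls the role claim from userinfo and makes it usable for role-based authorization. The authority URL, client id and secret, and the "admin" role name are assumptions.

```csharp
// Added example (not from this thread or the SimpleIdServer samples): a minimal ASP.NET Core
// website that signs in against SimpleIdServer and makes the "role" claim from the userinfo
// endpoint usable by [Authorize(Roles = ...)]. Authority URL, client id/secret and the
// "admin" role name are assumptions.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = "sid";
    })
    .AddCookie()
    .AddOpenIdConnect("sid", options =>
    {
        options.Authority = "https://localhost:5001/master";  // assumed realm URL of the IdServer
        options.ClientId = "protectedServersideApp";           // assumed client registered in the admin UI
        options.ClientSecret = "password";                     // assumed; read from a secret store in practice
        options.ResponseType = OpenIdConnectResponseType.Code; // code flow: claims are not in the id_token
        options.SaveTokens = true;

        // With response_type=code the user's claims come from the userinfo endpoint (OIDC Core 5.4),
        // so ask the handler to call it and request the scope that exposes the role claim.
        options.GetClaimsFromUserInfoEndpoint = true;
        options.Scope.Add("role");

        // Userinfo JSON keys without a ClaimAction are discarded; map "role" to a claim of type "role".
        // JsonKeyClaimAction emits one claim per element when the value is a JSON array.
        options.ClaimActions.MapJsonKey("role", "role");

        // [Authorize(Roles = ...)] and IsInRole() consult the identity's RoleClaimType, which defaults
        // to the long ClaimTypes.Role URI; point it at the short "role" type so the check can match.
        options.TokenValidationParameters.RoleClaimType = "role";
        options.TokenValidationParameters.NameClaimType = "name";
    });

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Lists every claim on the signed-in principal, so you can confirm that "role" arrived.
app.MapGet("/claims", (HttpContext ctx) =>
        ctx.User.Claims.Select(c => new { c.Type, c.Value }))
    .RequireAuthorization();

// Reachable only when userinfo returned the (assumed) role "admin"; others get 403, not 401.
app.MapGet("/admin", () => "role check passed")
    .RequireAuthorization(policy => policy.RequireRole("admin"));

app.Run();
```

Note that the role only reaches the cookie principal this way; the access token itself is unchanged, which is the separate point tracked below.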
Firstly, thank you for your feedback; it is very valuable for us to enhance our product :)

The implementation is currently missing, and I am actively working on it in the Ticket624 branch.
So, regarding the issue of 'Backchannel Logout URL' not working, is it also not implemented on your end?
> By default, when using the Microsoft.AspNetCore.Authentication.OpenIdConnect NuGet Package, the role claim is not returned. To retrieve this claim from the userinfo endpoint, add the following code:
Role:

Following your method, I successfully displayed the role on the client front-end:

But the problem is that whether it is the access token or the id token, the role is still not included. What I need is to make the access token include the role.
The BackChannel Logout URL has already been implemented in SimpleIdServer. However, I noticed two issues:

- When the session is rejected from the Administration Website, the logic used to end the session is not executed. Nonetheless, this logic has already been implemented and can be found here: https://github.com/simpleidserver/SimpleIdServer/blob/0b66bb4cd54190608eadb5c7673f0c0f5ee928d7/src/IdServer/SimpleIdServer.IdServer/UI/CheckSessionController.cs#L92
- When the session is rejected, only the first client using the session is notified, and not all clients.

Once the changes are merged into the master branch, I will send you a sample project.

Currently, SimpleIdServer only supports access tokens in JWT format. Other formats, such as Reference, are not yet supported because they are not standard attributes in OAuth 2.0. I have created a new ticket, #640, to address the support for the Reference format.
The problem is not just with session rejection here; you can try it out. Normally, if the 'Backchannel Logout URL' is configured, and you log in to the client in the same browser, access ids (5001) in the same browser, and exit the account on ids, it should also trigger a request to this address (I referred to Identity Server 4, configured the Backchannel Logout URL using its ids, and tested it), but in actual use, your project did not trigger it.
@Role:

According to the OPENID specification, it is normal for the id_token not to contain the requested claims. Claims are returned in the id_token when the response_type is equal to id_token.

Test Plan: https://www.certification.openid.net/log-detail.html?log=4wDrNyZLDgxFUKg&public=true
URL: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims

> When a response_type value is used that results in an Access Token being issued. However, when no Access Token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token.

At the moment, roles are only returned in the id_token because there is no requirement from the OPENID standard to return them into the access token. However, I can understand this requirement, and I have created a new ticket #641 to add the mapping into the API Resource.

@Session:

It is working on my local machine; can you please follow these steps:

- Get the latest changes in the master branch.
- Run the administration website and add a new client.
- On the Clients screen, click on the Add client button.
- Select web application and click on next.
- Fill in the form like this and click on the Save button to confirm the creation.

  Parameter | Value
  ---|---
  Identifier | protectedServersideApp
  Secret | password
  Name | protectedServersideApp
  Redirection URLs | http://localhost:7000/signin-oidc

- Navigate to the new client and update the following properties:

  Parameter | Value
  ---|---
  Back Channel Logout session required | Checked
  Backchannel logout url | http://localhost:7000/BackChannelLogout/Logout
  Validation post logout redirect URIs | http://localhost:7000/signout-callback-oidc

- Assign the role scope.
- Navigate to the sample project samples\ProtectWebsiteServerside\src\Website\ and run it.
- Browse the URL http://localhost:7000/claims and authenticate with your credentials.
- Click on the Logout button and click on the Revoke button. The endpoint http://localhost:7000/BackChannelLogout/Logout will be called by SimpleIdServer.

I also tested with the sample project from Duende (successor of IdServer), and it is working: https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/SessionManagement/BackChannelClient
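The receiving side of the back-channel logout exercised in the steps above, as an added example that is not part of the thread or of the ProtectWebsiteServerside sample: an endpoint at the Backchannel logout url from the table that validates the RS256-signed logout token (the reason TokenSignedResponseAlg must be set) before ending any local session. The authority URL, the client id and the revoke callback are assumptions.

```csharp
// Added example (not the thread's code nor the ProtectWebsiteServerside sample): the RP side of
// OIDC Back-Channel Logout 1.0 at /BackChannelLogout/Logout. The OP POSTs a logout token signed
// with the client's TokenSignedResponseAlg (RS256 here); it is validated before any session ends.
// Authority URL, client id and the revoke callback are assumptions.
using System.IdentityModel.Tokens.Jwt;
using System.Text.Json;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class BackChannelLogoutEndpoint
{
    const string LogoutEvent = "http://schemas.openid.net/event/backchannel-logout";
    // revoke(sub, sid) is the assumed hook that ends the matching local session(s).
    public static void Map(WebApplication app, string authority, string clientId,
                           Func<string?, string?, Task> revoke)
    {
        // Downloads and caches the OP's discovery document and JWKS used to verify the signature.
        var metadata = new ConfigurationManager<OpenIdConnectConfiguration>(
            $"{authority}/.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());
        // The OP sends application/x-www-form-urlencoded with one field, logout_token.
        app.MapPost("/BackChannelLogout/Logout", async (HttpRequest req) =>
        {
            var logoutToken = (await req.ReadFormAsync())["logout_token"].ToString();
            if (logoutToken.Length == 0) return Results.BadRequest("missing logout_token");

            var oidc = await metadata.GetConfigurationAsync(CancellationToken.None);
            var parameters = new TokenValidationParameters
            {
                ValidIssuer = oidc.Issuer,
                ValidAudience = clientId,
                IssuerSigningKeys = oidc.SigningKeys,
                ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 }, // pin the expected alg
                ValidateLifetime = false,       // logout tokens carry iat, not exp; iat is checked below
                RequireExpirationTime = false,
            };
            JwtSecurityToken jwt;
            try
            {
                new JwtSecurityTokenHandler().ValidateToken(logoutToken, parameters, out var validated);
                jwt = (JwtSecurityToken)validated;
            }
            catch (SecurityTokenException)
            {
                return Results.BadRequest("invalid logout_token"); // bad signature, issuer, audience or alg
            }

            // Back-Channel Logout 1.0 section 2.6: events must contain the logout event, sub or sid
            // must be present, nonce must be absent, and iat must be recent (limits replay).
            var sid = jwt.Claims.FirstOrDefault(c => c.Type == "sid")?.Value;
            var events = jwt.Claims.FirstOrDefault(c => c.Type == "events")?.Value;
            bool hasEvent = events is not null
                && JsonDocument.Parse(events).RootElement is { ValueKind: JsonValueKind.Object } ev
                && ev.TryGetProperty(LogoutEvent, out _);
            bool fresh = DateTime.UtcNow - jwt.IssuedAt < TimeSpan.FromMinutes(5);
            bool hasNonce = jwt.Claims.Any(c => c.Type == "nonce");
            if (!hasEvent || (jwt.Subject is null && sid is null) || hasNonce || !fresh)
                return Results.BadRequest("logout_token failed claim checks");

            await revoke(jwt.Subject, sid);
            return Results.Ok(); // 200 tells the OP the RP has ended the user's session
        });
    }
}
```

Wire it up with `BackChannelLogoutEndpoint.Map(app, "https://localhost:5001/master", "protectedServersideApp", yourRevokeFunc)` before `app.Run()`; a production endpoint would also remember seen `jti` values inside the freshness window.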
ROLE: Yes, I need the access token to be able to carry a role, because the client accesses the API with the access token (JWT). It seems that I can only use the custom middleware mentioned earlier to add a role to the claims through userinfo. You can try the project you mentioned (https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/SessionManagement/BackChannelClient); it only needs to do the following to add a role in the access token:

Session: You are right. Currently, when your program exits from the client, clicking 'Revoke' can trigger the configured Backchannel Logout URL normally, but you have not attempted this operation:

- Log in to the client in the browser.
- After the client login is completed, open a new page in the current browser to access the 5001/master page.
- Exit the current user on 5001/master.

In this situation, you will not trigger the 'Backchannel Logout URL'. With the project you mentioned (https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/SessionManagement/BackChannelClient), the 'Backchannel Logout URL' is still triggered when exiting the user on 5001, rather than having to click on 'Logout' on the client to trigger it.
My apologies, the session was not ending when the end-user clicked on the 'Logout' button on the IdServer website (https://localhost:5001/master). This issue has now been resolved in the 'master' branch.

Additionally, I have created tickets for the following issues:

- Ticket "IdServer - Add custom claim in Api Resource (Role / SessionId)" #641: Add role to access token.
- Ticket "IdServer - Supports AccessTokenType (JWT or Reference)" #640: Support access token with reference format.

You can track their progress on the project board: https://github.com/users/simpleidserver/projects/6/views/1
Thank you very much for your patient answer during this period.
Sorry to bother you, but I need to consult you on some questions.
So what do I need to do to get the roles or groups?