IdentityServer4 - (2) Defining Resources

Defining Resources

    The first thing you will typically define in your system are the resources that you want to protect. That could be identity information of your users, like profile data or email addresses, or access to APIs.

Note

You can define resources using a C# object model (hard-coded in your configuration code) or load them from a data store (configuration). An implementation of IResourceStore deals with these low-level details. For this document we are using the in-memory implementation.

Defining identity resources

    Identity resources are data like user ID, name, or email address of a user. An identity resource has a unique name, and you can assign arbitrary claim types to it. These claims will then be included in the identity token for the user, but only when the resource was actually requested and the client is allowed to request it. The client will use the scope parameter to request access to an identity resource.

    The OpenID Connect specification specifies a couple of standard identity resources. The minimum requirement is that you provide support for emitting a unique ID for your users, also called the subject id (the sub claim). This is done by exposing the standard identity resource called openid:

public static IEnumerable<IdentityResource> GetIdentityResources()
{
    return new List<IdentityResource>
    {
        new IdentityResources.OpenId()
    };
}

    The IdentityResources class supports all scopes defined in the specification (openid, email, profile, phone, and address). If you want to support them all, you can add them to your list of supported identity resources:

public static IEnumerable<IdentityResource> GetIdentityResources()
{
    return new List<IdentityResource>
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Email(),
        new IdentityResources.Profile(),
        new IdentityResources.Phone(),
        new IdentityResources.Address()
    };
}

Defining custom identity resources

    You can also define custom identity resources. Create a new IdentityResource instance, give it a name and optionally a display name and description, and define which user claims should be included in the identity token when this resource gets requested:

public static IEnumerable<IdentityResource> GetIdentityResources()
{
    var customProfile = new IdentityResource(
        name: "custom.profile",
        displayName: "Custom profile",
        claimTypes: new[] { "name", "email", "status" });

    return new List<IdentityResource>
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
        customProfile
    };
}

See the reference section for more information on identity resource settings.

Defining API resources

To allow clients to request access tokens for APIs, you need to define API resources. Each API resource is also registered as one or more scopes that a client can request; for a simple API with a single scope, the scope name is the same as the API name. For example:

public static IEnumerable<ApiResource> GetApis()
{
    return new[]
    {
        // simple API with a single scope (in this case the scope name is the same as the api name)
        new ApiResource("api1", "Some API 1"),

        // expanded version if more control is needed
        new ApiResource
        {
            Name = "api2",

            // secret for using introspection endpoint
            ApiSecrets =
            {
                new Secret("secret".Sha256())
            },

            // include the following user claims in the access token (in addition to the subject id)
            UserClaims = { JwtClaimTypes.Name, JwtClaimTypes.Email },

            // this API defines two scopes
            Scopes =
            {
                new Scope()
                {
                    Name = "api2.full_access",
                    DisplayName = "Full access to API 2",
                },
                new Scope
                {
                    Name = "api2.read_only",
                    DisplayName = "Read only access to API 2"
                }
            }
        }
    };
}

See the reference section for more information on API resource settings.
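The resource definition above is only half of the contract; the API itself has to check that an incoming token was issued for it and carries the right scope. The following is an added example, not code from the IdentityServer4 documentation, showing the ASP.NET Core 2.x side for the "api2" resource. It assumes the IdentityServer4.AccessTokenValidation package (AddIdentityServerAuthentication) and an IdentityServer running at https://localhost:5001; the policy names, route and controller are illustrative.

```csharp
// Added example (not from the IdentityServer4 docs): protecting the "api2"
// resource defined above. Package, issuer address, policy names and the
// controller are assumptions for illustration.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "https://localhost:5001"; // assumed issuer
                options.RequireHttpsMetadata = true;

                // Must equal ApiResource.Name. A token issued for "api1" is
                // signed by the same issuer but has a different audience and is
                // rejected here, which is the point of having separate resources.
                options.ApiName = "api2";

                // Must match one of ApiResource.ApiSecrets. It is only used when
                // the token is a reference token that has to be introspected.
                options.ApiSecret = "secret";
            });

        // Map the two scopes of the resource onto authorization policies.
        // The token carries one "scope" claim per granted scope, so
        // RequireClaim succeeds if any of the listed values is present.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("Api2Read", policy => policy
                .RequireAuthenticatedUser()
                .RequireClaim("scope", "api2.read_only", "api2.full_access"));

            options.AddPolicy("Api2Write", policy => policy
                .RequireAuthenticatedUser()
                .RequireClaim("scope", "api2.full_access"));
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Authentication must run before MVC so [Authorize] sees the principal.
        app.UseAuthentication();
        app.UseMvc();
    }
}

[Route("orders")]
public class OrdersController : ControllerBase
{
    // Either scope is enough to read.
    [HttpGet]
    [Authorize(Policy = "Api2Read")]
    public IActionResult List() => Ok(new[] { "order-1", "order-2" });

    // Writing needs api2.full_access. A valid read_only token gets 403, not 401:
    // authentication succeeded, the scope check did not.
    [HttpPost]
    [Authorize(Policy = "Api2Write")]
    public IActionResult Create() => Ok();
}
```

If the server is configured to emit the scopes as a single space-delimited string instead of one claim per scope (an option in later IdentityServer4 versions), the RequireClaim check above does not match and the policy has to split the string itself.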

Note

The user claims defined by resources are loaded by the IProfileService extensibility point.
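The resource definitions decide which claim types may be released, but the profile service is what actually produces them, so a profile service that ignores the requested claim types leaks data the resources never exposed. The following is an added example, not code from the IdentityServer4 documentation, of an IProfileService that serves the "custom.profile" identity resource (name, email, status) and the user claims of "api2" from this page. The user store is a constructed in-memory dictionary, the Config class holding GetIdentityResources/GetApis and the registration helper are assumptions, and AddDeveloperSigningCredential assumes IdentityServer4 2.x or later.

```csharp
// Added example (not from the IdentityServer4 docs): an IProfileService that
// only releases the claims the requested resources declare. The user store,
// the Config class and the registration helper are assumptions.
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.Extensions.DependencyInjection;

public class UserRecord
{
    public string SubjectId { get; set; }
    public bool IsActive { get; set; }
    public List<Claim> Claims { get; set; }
}

public class ResourceBoundProfileService : IProfileService
{
    // Constructed sample data standing in for a real user store.
    private static readonly Dictionary<string, UserRecord> Users = new Dictionary<string, UserRecord>
    {
        ["818727"] = new UserRecord
        {
            SubjectId = "818727",
            IsActive = true,
            Claims = new List<Claim>
            {
                new Claim("name", "Alice Smith"),        // custom.profile / profile / api2
                new Claim("email", "alice@example.com"), // custom.profile / email / api2
                new Claim("status", "gold"),             // custom.profile only
                // No resource on this page declares "ssn"; it must never leave the store.
                new Claim("ssn", "123-45-6789"),
            }
        },
        ["88421113"] = new UserRecord { SubjectId = "88421113", IsActive = false, Claims = new List<Claim>() }
    };

    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var sub = context.Subject.GetSubjectId();
        if (!Users.TryGetValue(sub, out var user))
        {
            return Task.CompletedTask;
        }

        // context.RequestedClaimTypes is the union of the UserClaims of the
        // identity/API resources the client requested and is allowed to use.
        // AddRequestedClaims keeps only claims whose type is in that set, so
        // "ssn" is dropped, and "status" is released only when custom.profile
        // was requested. Assigning user.Claims to context.IssuedClaims directly
        // would bypass this filter and emit everything for every client.
        context.AddRequestedClaims(user.Claims);
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        // Called on every token issuance and refresh: a deactivated user stops
        // receiving tokens even while their login session is still valid.
        var sub = context.Subject.GetSubjectId();
        context.IsActive = Users.TryGetValue(sub, out var user) && user.IsActive;
        return Task.CompletedTask;
    }
}

public static class IdentityServerRegistration
{
    // Assumed helper: Config.GetIdentityResources/GetApis are the methods from this page.
    public static IServiceCollection AddConfiguredIdentityServer(this IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddDeveloperSigningCredential() // development only; use a real key in production
            .AddInMemoryIdentityResources(Config.GetIdentityResources())
            .AddInMemoryApiResources(Config.GetApis())
            .AddProfileService<ResourceBoundProfileService>();
        return services;
    }
}
```

The same service is invoked for identity tokens, access tokens and the userinfo endpoint; the caller is available as context.Caller, and RequestedClaimTypes already reflects which resources apply in each case, so the filtering above needs no per-caller branching.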
