IdentityServer4 - (2) Defining Resources

Defining Resources

    The first thing you will typically define in your system are the resources that you want to protect. That could be identity information of your users, like profile data or email addresses, or access to APIs.

Note

You can define resources using a C# object model (hard-coded) - or load them from a data store (configuration). An implementation of IResourceStore deals with these low-level details. For this document we are using the in-memory implementation.

Defining identity resources

    Identity resources are data like user ID, name, or email address of a user. An identity resource has a unique name, and you can assign arbitrary claim types to it (much as name, sex, ID number and expiry date are the individual data items on an identity card). These claims will then be included in the identity token (id_token) for the user. The client will use the scope parameter to request access to an identity resource.

    The OpenID Connect specification specifies a couple of standard identity resources. The minimum requirement is that you provide support for emitting a unique ID for your users - also called the subject id. This is done by exposing the standard identity resource called openid:

public static IEnumerable<IdentityResource> GetIdentityResources()
{
    return new List<IdentityResource>
    {
        new IdentityResources.OpenId()
    };
}

    The IdentityResources class supports all scopes defined in the specification (openid, email, profile, telephone, and address). If you want to support them all, you can add them to your list of supported identity resources:

public static IEnumerable<IdentityResource> GetIdentityResources()
{
    return new List<IdentityResource>
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Email(),
        new IdentityResources.Profile(),
        new IdentityResources.Phone(),
        new IdentityResources.Address()
    };
}

Defining custom identity resources

    You can also define custom identity resources. Create a new IdentityResource class, give it a name (name), optionally a display name (displayName) and description, and define which user claims (claimTypes) should be included in the identity token when this resource gets requested:

public static IEnumerable<IdentityResource> GetIdentityResources()
{
    var customProfile = new IdentityResource(
        name: "custom.profile",
        displayName: "Custom profile",
        claimTypes: new[] { "name", "email", "status" });

    return new List<IdentityResource>
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
        customProfile
    };
}

See the reference section for more information on identity resource settings.

Defining API resources

To allow clients to request access tokens for APIs, you need to define API resources, e.g.:

To get access tokens for APIs, you also need to register them as a scope. This time the scope type is of type Resource:

public static IEnumerable<ApiResource> GetApis()
{
    return new[]
    {
        // simple API with a single scope (in this case the scope name is the same as the api name)
        new ApiResource("api1", "Some API 1"),

        // expanded version if more control is needed
        new ApiResource
        {
            Name = "api2",

            // secret for using introspection endpoint
            ApiSecrets =
            {
                new Secret("secret".Sha256())
            },

            // include the following user claims in access token (in addition to subject id)
            UserClaims = { JwtClaimTypes.Name, JwtClaimTypes.Email },

            // this API defines two scopes
            Scopes =
            {
                new Scope
                {
                    Name = "api2.full_access",
                    DisplayName = "Full access to API 2",
                },
                new Scope
                {
                    Name = "api2.read_only",
                    DisplayName = "Read only access to API 2"
                }
            }
        }
    };
}

See the reference section for more information on API resource settings.
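The following added example (not code from the IdentityServer4 docs) pulls the identity resources, custom identity resource and API resource from this page together with one client, to show how AllowedScopes pins a client to a single API scope and how the introspection and client secrets can be kept out of source. The client id "reporting-job", the configuration keys and the IConfiguration parameter are assumptions made for the example.

```csharp
// Added example, not from the IdentityServer4 docs: the resources from this page
// plus one client whose AllowedScopes pins it to the read-only API scope.
// Client id, secrets and configuration keys are hypothetical.
using System.Collections.Generic;
using IdentityModel;
using IdentityServer4.Models;
using Microsoft.Extensions.Configuration;

public static class Config
{
    public static IEnumerable<IdentityResource> GetIdentityResources() => new List<IdentityResource>
    {
        new IdentityResources.OpenId(),   // required: emits the subject id ("sub") claim
        new IdentityResources.Profile(),
        // custom resource; "status" is an application-specific user claim
        new IdentityResource("custom.profile", "Custom profile", new[] { "name", "email", "status" })
    };

    public static IEnumerable<ApiResource> GetApis(IConfiguration config) => new[]
    {
        new ApiResource
        {
            Name = "api2",
            // introspection secret is read from configuration, not hard-coded
            ApiSecrets = { new Secret(config["Api2:IntrospectionSecret"].Sha256()) },
            UserClaims = { JwtClaimTypes.Name, JwtClaimTypes.Email },
            Scopes =
            {
                new Scope("api2.full_access", "Full access to API 2"),
                new Scope("api2.read_only", "Read only access to API 2")
            }
        }
    };

    // Machine-to-machine client limited to the read-only scope: a token request
    // that asks for api2.full_access fails with invalid_scope.
    public static IEnumerable<Client> GetClients(IConfiguration config) => new[]
    {
        new Client
        {
            ClientId = "reporting-job",
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            ClientSecrets = { new Secret(config["Clients:ReportingJob:Secret"].Sha256()) },
            AllowedScopes = { "api2.read_only" }
        }
    };
}
```

Register these in Startup.ConfigureServices with services.AddIdentityServer().AddInMemoryIdentityResources(Config.GetIdentityResources()).AddInMemoryApiResources(Config.GetApis(Configuration)).AddInMemoryClients(Config.GetClients(Configuration)); with the secrets supplied through appsettings or environment variables.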

Note

The user claims defined by resources are loaded by the IProfileService extensibility point.
