问题描述
如何将用户角色添加到通过here所述的OAuth2密码授予生成的JWT中:
我尝试了this方法,但是它仅向传递给后端的JWT添加自定义声明,但JWT中没有用于验证客户端的内容。
我要做的是在成功进行身份验证时将登录页面添加到Angular应用程序中,并调用https://[APIM]/token以获取令牌。角色对于根据用户角色呈现正确的菜单很重要。
预先感谢
解决方法
您需要请求具有 openid 范围的令牌以检索附加用户信息作为 JWT 令牌的声明。您可以参考https://apim.docs.wso2.com/en/latest/learn/api-security/openid-connect/obtaining-user-profile-information-with-openid-connect/了解更多详情。
例如,如果您想在生成的 JWT 中获取用户角色,您可以将 http://wso2.org/claims/role 声明作为请求声明添加到 Claim Configuration 下的您正在从 carbon 控制台使用的服务提供者.有关详细信息,请参阅 https://is.docs.wso2.com/en/5.10.0/learn/configuring-claims-for-a-service-provider/#claim-mapping。
然后在调用令牌端点时,需要添加 openid 作用域。
curl -k -d "grant_type=password&username=<USERNAME>&password=<PASSWORD>&scope=openid" -H "Authorization: Basic <BASE64 ENCODED CONSUMER_KEY:CONSUMER_SECRET>,Content-Type: application/x-www-form-urlencoded" https://<GATEWAY_HOSTNAME>:<PORT>/token
生成的 JWT 令牌负载将是这样的,
{
"sub": "admin","aut": "APPLICATION_USER","aud": "5af6EfSzqxS_dfmUnQ28sHdpZzYa","nbf": 1610395871,"azp": "5af6EfSzqxS_dfmUnQ28sHdpZzYa","scope": "openid","iss": "https://localhost:9443/oauth2/token","groups": [
"Internal/subscriber","Internal/creator","Application/admin_DefaultApplication_PRODUCTION","Application/apim_devportal","Internal/publisher","Internal/everyone","Internal/devops","Application/apim_admin_portal","admin","Internal/analytics","Application/apim_publisher"
],"exp": 1610399471,"iat": 1610395871,"jti": "75ddfca2-5088-435d-825a-3320efc10036"
}
希望这有帮助!