Comments (12)
leastprivilege
commented on May 31, 2024
They should - all roles that don't start with "IdentityServer" should go in the token.
from identityserver2.
benfoster
commented on May 31, 2024
Looks like a bug, it is actually including roles that do start with "identityServer" :)
public IEnumerable<string> GetRoles(string userName)
{
var returnedRoles = new List<string>();
if (Roles.Enabled)
{
var roles = Roles.GetRolesForUser(userName);
returnedRoles = roles.Where(role => role.StartsWith(Constants.Roles.InternalRolesPrefix)).ToList();
}
return returnedRoles;
}
from identityserver2.
leastprivilege
commented on May 31, 2024
This is the right code:
protected virtual IEnumerable GetRolesForToken(string userName)
{
var returnedRoles = new List();
if (Roles.Enabled)
{
var roles = Roles.GetRolesForUser(userName);
returnedRoles = roles.Where(role => !(role.StartsWith(Constants.Roles.InternalRolesPrefix))).ToList();
}
return returnedRoles;
}
in ProviderClaimsRepository.cs
from identityserver2.
benfoster
commented on May 31, 2024
Yes, was going to send a pull request but then you said to not bother until the beta :)
from identityserver2.
leastprivilege
commented on May 31, 2024
So I double checked the code - it is working fine here.
from identityserver2.
benfoster
commented on May 31, 2024
Perhaps it hasn't updated on GitHub? The code here is incorrect https://github.com/thinktecture/Thinktecture.IdentityServer.v2/blob/master/src/Libraries/Thinktecture.IdentityServer.Core.Repositories/ProviderUserRepository.cs
from identityserver2.
leastprivilege
commented on May 31, 2024
And you are looking at the wrong code.
This is the right file:
https://github.com/thinktecture/Thinktecture.IdentityServer.v2/blob/master/src/Libraries/Thinktecture.IdentityServer.Core.Repositories/ProviderClaimsRepository.cs
from identityserver2.
benfoster
commented on May 31, 2024
Yes that file is correct.
However, the instance of IUserRepository injected into ClaimsTransformer for me is of type ProviderUserRepository when requesting an OAuth2 token, not ProviderClaimsRepository.
from identityserver2.
leastprivilege
commented on May 31, 2024
The OAuth controller calls into sts.TryIssueToken. This ultimately invokes the logic in TokenService.cs - and this uses the claims repository. Put some breakpoints into TokenService.cs
from identityserver2.
benfoster
commented on May 31, 2024
You're right, it does call the ProviderClaimsRepository after calling ProviderUserRepository, I just hadn't stepped in that far. Why does it call Roles.GetRolesForUser twice?
from identityserver2.
leastprivilege
commented on May 31, 2024
There are two types of roles - the ones that start with IdentityServer are for internal use (authZ in the UI) - all the others are "for tokens".
from identityserver2.
benfoster
commented on May 31, 2024
Okay, thanks for clarifying, and your patience. I'll close the issue.
from identityserver2.
Related Issues (20)
- How to redirect to a custom page on WS Federation signout in MVC app
- ID4022: The key needed to decrypt the encrypted security token could not be resolved. Ensure that the SecurityTokenResolver is populated with the required key
- Link and GitHub Pages broken
- Federation with External Identity Providers HOT 1
- Disable SSL and Mixed Mode Security
- User Roles in a Azure AD SSO Scenario
- Missing "Role" as a claim in SharePoint server
- Pass whr to Identity Provider HOT 2
- Win10 AAD sign in - unsupported GET for WS-Trust MEX
- Redirects to /account/signin HOT 1
- Could not find a base address that matches scheme http for the endpoint with binding CertificateWSTrustBinding
- IdentityServer v2 HOT 1
- Thinktecture.IdentityModel.45 is not in git
- login loop
- 'ClaimsIdentity.BootstrapContext' could not be mapped
- WIF10201: No valid key mapping found for securityToken
- "Authorization for token issuance failed because the user is anonymous" when calling service from console client.
- IdentityServer2 integration with PingFederate using WS-Federation protocol HOT 1
- Clustering IdentityServer v2 for high availability
- Disappearing Client Secret HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from identityserver2.