Ocelot supports claims-based authorization, which runs after authentication. This means that if you have a route you want to authorize, you can add the following to your Route configuration:
```json
"RouteClaimsRequirement": { "client_role": "admin" }
```
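As an added example (not from the original post), here is a complete ocelot.json route showing where RouteClaimsRequirement sits next to the AuthenticationOptions that make the "post authentication" part happen. The downstream host and port, the upstream path, the provider key IdentityServerKey and the gateway base URL are assumed values; the scope name comes from the token shown later in the post.

```json
{
  "Routes": [
    {
      "DownstreamPathTemplate": "/api/{everything}",
      "DownstreamScheme": "http",
      "DownstreamHostAndPorts": [ { "Host": "localhost", "Port": 5001 } ],
      "UpstreamPathTemplate": "/gateway/{everything}",
      "UpstreamHttpMethod": [ "Get", "Post" ],
      "AuthenticationOptions": {
        "AuthenticationProviderKey": "IdentityServerKey",
        "AllowedScopes": [ "apiscope1" ]
      },
      "RouteClaimsRequirement": {
        "client_role": "admin"
      }
    }
  ],
  "GlobalConfiguration": {
    "BaseUrl": "https://localhost:5000"
  }
}
```

AuthenticationProviderKey must equal the name of the JWT bearer scheme registered in the gateway. Without AuthenticationOptions on the route, Ocelot does not authenticate the request itself, so unless something else populated HttpContext.User the claim requirement can never be satisfied and every request to that route is rejected with 403.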
Add the authorization middleware to the request pipeline:
```csharp
// Ocelot's middleware is terminal (it never invokes the next middleware), so
// authentication and authorization must be registered before it, not after.
app.UseAuthentication();
app.UseAuthorization();
app.UseOcelot().Wait();
```
If the request's access token carries a claim of type 'client_role' with the value 'admin', the request is authorized.
The decoded access token payload is below:

```json
{
  "nbf": 1696813802,
  "exp": 1696817402,
  "iss": "https://localhost:9000",
  "aud": [ "APIResource1", "APIResource2" ],
  "client_id": "clientId",
  "client_role": "admin",
  "client_nickname": "tom",
  "client_Emai": "[email protected]",
  "jti": "EB792F9B19537B4ACC28B76FD5588804",
  "iat": 1696813802,
  "scope": [ "apiscope1", "apiscope2" ]
}
```
IdentityServer4 ClientClaim configuration:

```csharp
Claims = new List<ClientClaim>
{
    new ClientClaim(IdentityModel.JwtClaimTypes.Role, "admin"),
    new ClientClaim(IdentityModel.JwtClaimTypes.NickName, "tom"),
    new ClientClaim("Emai", "[email protected]")
}
```
Why do the generated claim types carry the client_ prefix? That prefix is the default configured on IdentityServer4.Models.Client; you can override it or set it to an empty string.
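As an added example (not code from the original post or from the Ocelot project), here is a complete gateway Program.cs that ties the middleware step and the prefix discussion together: it registers the JWT bearer scheme that the route's AuthenticationOptions refers to, loads the route file, and registers the middleware in an order that lets Ocelot enforce RouteClaimsRequirement. The scheme name IdentityServerKey and the file name ocelot.json are assumptions; the authority and audiences are taken from the token shown above.

```csharp
// Added example (not from the original post): minimal Ocelot gateway Program.cs.
// Assumptions: scheme name "IdentityServerKey" and route file "ocelot.json";
// authority and audiences match the token payload shown in the post.
using Microsoft.IdentityModel.Tokens;
using Ocelot.DependencyInjection;
using Ocelot.Middleware;

var builder = WebApplication.CreateBuilder(args);

// Ocelot reads its routes (including RouteClaimsRequirement) from this file.
builder.Configuration.AddJsonFile("ocelot.json", optional: false, reloadOnChange: true);

// The scheme name must equal "AuthenticationProviderKey" in the route.
builder.Services
    .AddAuthentication()
    .AddJwtBearer("IdentityServerKey", options =>
    {
        options.Authority = "https://localhost:9000";   // matches "iss" in the token
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateAudience = true,
            ValidAudiences = new[] { "APIResource1", "APIResource2" },
        };

        // Ocelot compares the requirement key against the claim type exactly as it
        // appears on HttpContext.User. The JWT handler rewrites some well-known short
        // types on the way in (for example "role" becomes the long ClaimTypes.Role URI).
        // "client_role" is not rewritten, so the post's configuration works as-is.
        // If you clear IdentityServer's client_ prefix so the token carries "role",
        // keep the claim types as issued so the requirement key still matches.
        options.MapInboundClaims = false;
    });

builder.Services.AddOcelot(builder.Configuration);

var app = builder.Build();

// Order matters: Ocelot's middleware handles the request end to end and never
// calls the next middleware, so these must come before it.
app.UseAuthentication();
app.UseAuthorization();
await app.UseOcelot();

app.Run();
```

With the post's client_ prefix the MapInboundClaims setting makes no difference, because client_role is not one of the short names the JWT handler rewrites; it only matters once you drop the prefix and expect the token's role claim to match a RouteClaimsRequirement key of role. A request with a missing or invalid token is rejected by Ocelot with 401 before the claim check runs; a request whose token is valid but lacks client_role=admin is rejected with 403.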
OK, that's the whole authorization process. Easy.
Tags: NetCore, admin, ClientClaim, client, Ocelot, tom, new, Authorization. From: https://www.cnblogs.com/qindy/p/17750971.html