即使添加到客户端，Identity Server 4 中也缺少电子邮件范围

Question

我正在将 Identity Server 4 与 Angular 客户端一起使用。

在两侧我添加相同的范围：

'openid profile offline_access email api'

但是我收到错误：

Sorry, there was an error : invalid_scope
Invalid scope

我检查了 Well-Known OpenID 配置，我看到：

"scopes_supported": [
  "openid",
  "profile",
  "api",
  "offline_access"

]

那么电子邮件范围不显示？

这可能是问题所在吗？为什么会出现这种情况？

我的 Identity Server 4 客户端定义是：

new Client {

  ClientId = "spa",
  ClientSecrets = { new Secret("secret".Sha256()) },
  AllowedGrantTypes = GrantTypes.Code,
  RequirePkce = true,
  RequireClientSecret = false,
  AllowAccessTokensViaBrowser = true,
  AllowOfflineAccess = true,

  AllowedScopes = { 
    IdentityServerConstants.StandardScopes.OpenId,
    IdentityServerConstants.StandardScopes.Profile, 
    IdentityServerConstants.StandardScopes.Email, 
    IdentityServerConstants.StandardScopes.OfflineAccess,
    "api" 
  },  

  RedirectUris = new List<String> { 
    "https://localhost:5001",
    "https://localhost:5001/index.html",
    "https://localhost:5001/silent-refresh.html" 
  },

  PostLogoutRedirectUris = new List<String> { 
    "https://localhost:5001/" 
  },

  AllowedCorsOrigins = new List<String> { 
    "https://localhost:5001" 
  }

}

Answer 1

您需要添加一个 IdentityResource：

    public static IEnumerable<IdentityResource> GetIdentityResources()
    {
        return new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
            new IdentityResources.Email()
        };
    }

然后在startup.cs中添加以下内容：

var identityServerBuilder = services.AddIdentityServer(...)
.AddInMemoryIdentityResources(GetIdentityResources())