English:
Add custom claims to external OAuth provider
Question
Currently, we are using an external OAuth provider for authentication, and it's an SSO, so the user can log in to our portal and other portals within the organization with the same token. The problem is our portal has some specific claims like userId, etc. (specific to our application), and we want this info to be in the token as well. Our OAuth provider is not allowing this. Are there any other clean ways to solve this issue?
Some solutions are:
- On the API side, we can check the "sub" (subject) and map it to our own IDs by reading the database every time a request comes into our endpoints.
- Cache the token and retrieve the values.
Caching is not a good idea, and reading from the database every time is also not a good idea. Any suggestions on how to solve this issue?
Answer 1
Score: 1
An authorization server should be able to look up custom claims at the time of token issuance, e.g. by calling an API endpoint that you provide. If you can't do this I would question your choice of authorization server.
An alternative is to validate the JWT, read its claims, then look up extra claims before producing the ClaimsPrincipal, then cache the extra claims. This is a less secure design though, so only use it when you have to. For an example, see this code of mine.
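The answer's second approach (validate the provider's JWT, read its claims, look up the application's own claims keyed by `sub`, then cache only those looked-up claims) as an added, runnable illustration. This is not the answerer's linked code and not the question's portal code. Assumptions: a constructed HS256 shared secret stands in for the provider's signing key (a real SSO provider would normally use RS256 and you would validate against its JWKS), the issuer and audience values are made up, the in-memory `USER_DIRECTORY` replaces the database read, and the claim names `userId` and `roles` are placeholders for whatever the application needs. The cache is keyed by `sub`, has a short TTL and an explicit `invalidate` hook, and never stores the bearer token itself, which is the point the answer makes about why caching needs care.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed demo values (assumptions, not from the question): a shared HS256 secret
# standing in for the provider's signing key, and the issuer/audience the API expects.
SECRET = b"demo-shared-secret-not-for-production"
ISSUER = "https://sso.example.test/"
AUDIENCE = "portal-api"

# Constructed in-memory stand-in for the application's user table, keyed by the SSO "sub".
USER_DIRECTORY = {"sso|alice": {"userId": 1042, "roles": ["editor"]}}

def lookup_app_claims(sub: str) -> Optional[dict]:
    """Hypothetical DB read: the application-specific claims for a provider subject."""
    return USER_DIRECTORY.get(sub)

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hs256_token(payload: dict, secret: bytes) -> str:
    """Test fixture only: in reality the external SSO provider mints the token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def validate_jwt(token: str, secret: bytes, issuer: str, audience: str, now: float) -> dict:
    """Check alg, signature, iss, aud and exp BEFORE any claim is trusted; raise on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if now >= float(claims.get("exp", 0)):
        raise ValueError("token expired")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims

class ClaimsCache:
    """Short-TTL cache of application claims keyed by sub; the bearer token itself is never stored."""

    def __init__(self, ttl_seconds: float):
        self.ttl = ttl_seconds
        self._entries: Dict[str, Tuple[float, dict]] = {}

    def get(self, sub: str, now: float) -> Optional[dict]:
        entry = self._entries.get(sub)
        if entry is None or now >= entry[0]:
            self._entries.pop(sub, None)
            return None
        return entry[1]

    def put(self, sub: str, claims: dict, now: float) -> None:
        self._entries[sub] = (now + self.ttl, claims)

    def invalidate(self, sub: str) -> None:
        """Call from the code path that changes a user's id/roles so stale claims do not outlive the TTL."""
        self._entries.pop(sub, None)

class ClaimsEnricher:
    """Validate the provider's JWT, then attach application claims (from cache or DB) to the principal."""

    def __init__(self, secret: bytes, issuer: str, audience: str,
                 lookup: Callable[[str], Optional[dict]], cache: ClaimsCache):
        self.secret, self.issuer, self.audience = secret, issuer, audience
        self.lookup, self.cache = lookup, cache
        self.db_lookups = 0  # instrumentation so the cache's effect is observable

    def principal_for(self, token: str, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        claims = validate_jwt(token, self.secret, self.issuer, self.audience, now)
        sub = claims["sub"]
        extra = self.cache.get(sub, now)
        if extra is None:
            self.db_lookups += 1
            extra = self.lookup(sub)
            if extra is None:
                raise ValueError("subject is not provisioned in this application")
            self.cache.put(sub, dict(extra), now)
        principal = {"sub": sub, "scope": claims.get("scope", "")}
        principal.update(extra)  # userId, roles, ... now travel with the request, not in the token
        return principal
```

The order matters: the signature, issuer, audience and expiry are checked before `sub` is used as a cache or database key, so an attacker-controlled `sub` never reaches the lookup. The TTL bounds how long a removed role or changed `userId` can linger, and `invalidate` lets the user-admin path cut that window to zero; a request whose `sub` is valid at the provider but unknown to the application is rejected rather than given an empty set of claims.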
Comments