IdentityServer4 通过 AccessToken 获取 UserClaims

实现效果：通过生成的access_token获取用户的一些信息，这样客户端请求的时候，不需要传递用户信息了。

示例配置：

public void ConfigureServices(IServiceCollection services)
{
    services.AddIdentityServer()
        .AddTemporarySigningCredential()
        .AddInMemoryIdentityResources(new List<IdentityResource>
        {
            new IdentityResources.OpenId(), //必须要添加，否则报无效的scope错误
            new IdentityResources.Profile(),
        })
        .AddInMemoryApiResources(new List<ApiResource>
        {
            new ApiResource("api1", "My API")
        })
        .AddInMemoryClients(new List<Client>
        {
            new Client
            {
                ClientId = "client",
                AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,

                ClientSecrets =
                {
                    new Secret("secret".Sha256())
                },
                AllowedScopes = 
                { 
                  "api1",
                  IdentityServerConstants.StandardScopes.OpenId, //必须要添加，否则报forbidden错误
                  IdentityServerConstants.StandardScopes.Profile
                }
            }
        });
}

Http 调用示例：

GET /connect/userinfo
Authorization: Bearer <access_token>


HTTP/1.1 200 OK
Content-Type: application/json

{
    "sub": "248289761001",
    "name": "Bob Smith",
    "given_name": "Bob",
    "family_name": "Smith",
    "role": [
        "user",
        "admin"
    ]
}

UserInfoClient调用示例：

var token = "";
var client = new DiscoveryClient(_appSettings.IssuerUri);
client.Policy.RequireHttps = false;
var disco = await client.GetAsync();
var userInfoClient = new UserInfoClient(doc.UserInfoEndpoint);

var response = await userInfoClient.GetAsync(token);
var claims = response.Claims;

参考资料：

• UserInfo Endpoint
• Resource owner flow - UserInfo Endpoint
• Accessing /connect/userinfo endpoint
• UserInfo Endpoint Forbidden - no openid scope?