lsm/openiddict-documentation
1
0
Fork 0
mirror of https://gitee.com/dcren/openiddict-documentation.git synced 2025-07-15 23:13:34 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
a9643a903c
openiddict-documentation/configuration/application-permissions.html
OpenIddict Bot a9643a903c Update the documentation pages
2022-01-07 17:58:08 +00:00

405 lines
16 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<!--[if IE]><![endif]-->
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Application permissions </title>
<meta name="viewport" content="width=device-width">
<meta name="title" content="Application permissions ">
<meta name="generator" content="docfx 2.56.7.0">
<link rel="shortcut icon" href="../images/favicon.ico">
<link href="https://fonts.googleapis.com/css2?family=Roboto:wght@300;400;500;700&display=swap" rel="stylesheet">
<link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/10.1.1/styles/night-owl.min.css">
<link rel="stylesheet" href="../styles/colors.css">
<link rel="stylesheet" href="../styles/discord.css">
<link rel="stylesheet" href="../styles/main.css">
<meta property="docfx:navrel" content="../toc.html">
<meta property="docfx:tocrel" content="toc.html">
</head>
<body>
<div class="top-navbar">
<a href="javascript:void(0);" class="burger-icon" onclick="toggleMenu()">
<svg name="Hamburger" style="vertical-align: middle;" width="24" height="24" viewbox="0 0 24 24"><path fill="currentColor" fill-rule="evenodd" clip-rule="evenodd" d="M20 6H4V9H20V6ZM4 10.999H20V13.999H4V10.999ZM4 15.999H20V18.999H4V15.999Z"></path></svg>
</a>
<a class="brand" href="../index.html">
<img src="../images/logo.png" alt="OpenIddict" class="logomark">
<span class="brand-title">OpenIddict</span>
</a>
</div>
<div class="body-content">
<div id="blackout" class="blackout" onclick="toggleMenu()"></div>
<nav id="sidebar" role="navigation">
<div class="sidebar">
<div>
<a class="brand" href="../index.html">
<img src="../images/logo.png" alt="OpenIddict" class="logomark">
<span class="brand-title">OpenIddict</span>
</a>
<div id="navbar">
</div>
</div>
<div class="sidebar-item-separator"></div>
<div id="sidetoggle">
<div id="sidetoc"></div>
</div>
</div>
<div class="footer">
<span>Generated by <strong>DocFX</strong></span>
</div>
</nav>
<main class="main-panel">
<div role="main" class="hide-when-search">
<div class="subnav navbar navbar-default">
<div class="container hide-when-search" id="breadcrumb">
<ul class="breadcrumb">
<li></li>
</ul>
</div>
</div>
<article class="content wrap" id="_content" data-uid="">
<h1 id="application-permissions">Application permissions</h1>
<p>OpenIddict includes a built-in feature codenamed &quot;application permissions&quot; that
<strong>allows controlling and limiting the OAuth 2.0/OpenID Connect features each registered client application is able to use</strong>.</p>
<p>4 categories of permissions are currently supported:</p>
<ul>
<li>Endpoint permissions.</li>
<li>Grant type permissions.</li>
<li>Scope permissions.</li>
<li>Response type permissions (<em>introduced in OpenIddict 3.0</em>).</li>
</ul>
<h2 id="endpoint-permissions">Endpoint permissions</h2>
<h3 id="definition">Definition</h3>
<p>Endpoint permissions limit the endpoints a client application can use.</p>
<h3 id="supported-permissions">Supported permissions</h3>
<table>
<thead>
<tr>
<th style="text-align:center">Endpoint</th>
<th style="text-align:center">Constant</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:center">Authorization</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.Endpoints.Authorization</code></td>
</tr>
<tr>
<td style="text-align:center">Introspection</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.Endpoints.Introspection</code></td>
</tr>
<tr>
<td style="text-align:center">Logout/end session</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.Endpoints.Logout</code></td>
</tr>
<tr>
<td style="text-align:center">Revocation</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.Endpoints.Revocation</code></td>
</tr>
<tr>
<td style="text-align:center">Token</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.Endpoints.Token</code></td>
</tr>
</tbody>
</table>
<h3 id="example">Example</h3>
<p>In the following example, the <code>mvc</code> application is allowed to use the authorization, logout and
token endpoints but will get an error when trying to send an introspection or revocation request:</p>
<pre><code class="lang-csharp">if (await manager.FindByClientIdAsync(&quot;mvc&quot;) is null)
{
await manager.CreateAsync(new OpenIddictApplicationDescriptor
{
ClientId = &quot;mvc&quot;,
ClientSecret = &quot;901564A5-E7FE-42CB-B10D-61EF6A8F3654&quot;,
DisplayName = &quot;MVC client application&quot;,
PostLogoutRedirectUris = { new Uri(&quot;http://localhost:53507/signout-callback-oidc&quot;) },
RedirectUris = { new Uri(&quot;http://localhost:53507/signin-oidc&quot;) },
Permissions =
{
OpenIddictConstants.Permissions.Endpoints.Authorization,
OpenIddictConstants.Permissions.Endpoints.Logout,
OpenIddictConstants.Permissions.Endpoints.Token
}
});
}
</code></pre><h3 id="disabling-endpoint-permissions">Disabling endpoint permissions</h3>
<p>If you don&#39;t want to use endpoint permissions, call <code>options.IgnoreEndpointPermissions()</code> to ignore them:</p>
<pre><code class="lang-csharp">services.AddOpenIddict()
.AddServer(options =&gt;
{
options.IgnoreEndpointPermissions();
});
</code></pre><h2 id="grant-type-permissions">Grant type permissions</h2>
<h3 id="definition-1">Definition</h3>
<p>Grant type permissions limit the grant types a client application is allowed to use.</p>
<h3 id="supported-permissions-1">Supported permissions</h3>
<table>
<thead>
<tr>
<th style="text-align:center">Grant type</th>
<th style="text-align:center">Constant</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:center">Authorization code</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode</code></td>
</tr>
<tr>
<td style="text-align:center">Client credentials</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.GrantTypes.ClientCredentials</code></td>
</tr>
<tr>
<td style="text-align:center">Implicit</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.GrantTypes.Implicit</code></td>
</tr>
<tr>
<td style="text-align:center">Password</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.GrantTypes.Password</code></td>
</tr>
<tr>
<td style="text-align:center">Refresh token</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.GrantTypes.RefreshToken</code></td>
</tr>
</tbody>
</table>
<p>To add a custom grant type permission, you can use the following pattern:</p>
<pre><code class="lang-csharp">OpenIddictConstants.Permissions.Prefixes.GrantType + &quot;custom_flow_name&quot;
</code></pre><h3 id="example-1">Example</h3>
<p>In the following example, the <code>postman</code> application can only use the authorization code grant
while <code>console</code> is restricted to the <code>password</code> and <code>refresh_token</code> grants:</p>
<pre><code class="lang-csharp">if (await manager.FindByClientIdAsync(&quot;postman&quot;) is null)
{
await manager.CreateAsync(new OpenIddictApplicationDescriptor
{
ClientId = &quot;postman&quot;,
DisplayName = &quot;Postman&quot;,
RedirectUris = { new Uri(&quot;https://www.getpostman.com/oauth2/callback&quot;) },
Permissions =
{
OpenIddictConstants.Permissions.Endpoints.Authorization,
OpenIddictConstants.Permissions.Endpoints.Token,
OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode
}
});
}
if (await manager.FindByClientIdAsync(&quot;console&quot;) is null)
{
await manager.CreateAsync(new OpenIddictApplicationDescriptor
{
ClientId = &quot;console&quot;,
DisplayName = &quot;Console&quot;,
Permissions =
{
OpenIddictConstants.Permissions.Endpoints.Token,
OpenIddictConstants.Permissions.GrantTypes.Password,
OpenIddictConstants.Permissions.GrantTypes.RefreshToken
}
});
}
</code></pre><h3 id="disabling-grant-type-permissions">Disabling grant type permissions</h3>
<p>If you don&#39;t want to use grant type permissions, call <code>options.IgnoreGrantTypePermissions()</code> to ignore them:</p>
<pre><code class="lang-csharp">services.AddOpenIddict()
.AddServer(options =&gt;
{
options.IgnoreGrantTypePermissions();
});
</code></pre><h2 id="scope-permissions">Scope permissions</h2>
<h3 id="definition-2">Definition</h3>
<p>Scope permissions limit the scopes (standard or custom) a client application is allowed to use.</p>
<div class="NOTE"><h5>Note</h5><p>The <code>openid</code> and <code>offline_access</code> scopes are special-cased by OpenIddict and don&#39;t require explicit permissions.</p>
</div>
<h3 id="supported-permissions-2">Supported permissions</h3>
<table>
<thead>
<tr>
<th style="text-align:center">Scope</th>
<th style="text-align:center">Constant</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:center">address</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.Scopes.Address</code></td>
</tr>
<tr>
<td style="text-align:center">email</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.Scopes.Email</code></td>
</tr>
<tr>
<td style="text-align:center">phone</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.Scopes.Phone</code></td>
</tr>
<tr>
<td style="text-align:center">profile</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.Scopes.Profile</code></td>
</tr>
<tr>
<td style="text-align:center">roles</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.Scopes.Roles</code></td>
</tr>
</tbody>
</table>
<p>To add a custom scope permission, you can use the following pattern:</p>
<pre><code class="lang-csharp">OpenIddictConstants.Permissions.Prefixes.Scope + &quot;custom_scope_name&quot;
</code></pre><h3 id="example-2">Example</h3>
<p>In the following sample, the <code>angular</code> client is allowed to request the <code>address</code>,
<code>profile</code> and <code>marketing_api</code> scopes: any other scope will result in an error being returned.</p>
<pre><code class="lang-csharp">if (await manager.FindByClientIdAsync(&quot;angular&quot;) is null)
{
await manager.CreateAsync(new OpenIddictApplicationDescriptor
{
ClientId = &quot;angular&quot;,
DisplayName = &quot;Angular&quot;,
RedirectUris = { new Uri(&quot;https://localhost:34422/callback&quot;) },
Permissions =
{
OpenIddictConstants.Permissions.Endpoints.Authorization,
OpenIddictConstants.Permissions.GrantTypes.Implicit,
OpenIddictConstants.Permissions.Scopes.Address,
OpenIddictConstants.Permissions.Scopes.Profile,
OpenIddictConstants.Permissions.Prefixes.Scope + &quot;marketing_api&quot;
}
});
}
</code></pre><h3 id="disabling-scope-permissions">Disabling scope permissions</h3>
<p>If you don&#39;t want to use scope permissions, call <code>options.IgnoreScopePermissions()</code> to ignore them:</p>
<pre><code class="lang-csharp">services.AddOpenIddict()
.AddServer(options =&gt;
{
options.IgnoreScopePermissions();
});
</code></pre><h2 id="response-type-permissions">Response type permissions</h2>
<div class="NOTE"><h5>Note</h5><p>Response type permissions were introduced in OpenIddict 3.0.</p>
</div>
<h3 id="definition-3">Definition</h3>
<p>Response type permissions limit the response types a client application is allowed to use when implementing an interactive flow like code, implicit or hybrid.</p>
<h3 id="supported-permissions-3">Supported permissions</h3>
<table>
<thead>
<tr>
<th style="text-align:center">Response type</th>
<th style="text-align:center">Constant</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:center">code</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.ResponseTypes.Code</code></td>
</tr>
<tr>
<td style="text-align:center">code id_token</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.ResponseTypes.CodeIdToken</code></td>
</tr>
<tr>
<td style="text-align:center">code id_token token</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.ResponseTypes.CodeIdTokenToken</code></td>
</tr>
<tr>
<td style="text-align:center">code token</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.ResponseTypes.CodeToken</code></td>
</tr>
<tr>
<td style="text-align:center">id_token</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.ResponseTypes.IdToken</code></td>
</tr>
<tr>
<td style="text-align:center">id_token token</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.ResponseTypes.IdTokenToken</code></td>
</tr>
<tr>
<td style="text-align:center">none</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.ResponseTypes.None</code></td>
</tr>
<tr>
<td style="text-align:center">token</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.ResponseTypes.Token</code></td>
</tr>
</tbody>
</table>
<h3 id="example-3">Example</h3>
<p>In the following example, the <code>postman</code> application can only use the <code>code id_token</code> response type:</p>
<pre><code class="lang-csharp">if (await manager.FindByClientIdAsync(&quot;postman&quot;) is null)
{
await manager.CreateAsync(new OpenIddictApplicationDescriptor
{
ClientId = &quot;postman&quot;,
DisplayName = &quot;Postman&quot;,
RedirectUris = { new Uri(&quot;https://www.getpostman.com/oauth2/callback&quot;) },
Permissions =
{
OpenIddictConstants.Permissions.Endpoints.Authorization,
OpenIddictConstants.Permissions.Endpoints.Token,
OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
OpenIddictConstants.Permissions.ResponseTypes.CodeIdToken
}
});
}
</code></pre><h3 id="disabling-response-type-permissions">Disabling response type permissions</h3>
<p>If you don&#39;t want to use response type permissions, call <code>options.IgnoreResponseTypePermissions()</code> to ignore them:</p>
<pre><code class="lang-csharp">services.AddOpenIddict()
.AddServer(options =&gt;
{
options.IgnoreResponseTypePermissions();
});
</code></pre></article>
</div>
</main>
</div>
<script src="https://code.jquery.com/jquery-3.5.1.min.js" integrity="sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=" crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.0/dist/umd/popper.min.js" integrity="sha384-Q6E9RHvbIyZFJoft+2mJbHaEWldlvI9IOYy5n3zV9zzTtmI3UksdQRVvoxMfooAo" crossorigin="anonymous"></script>
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/js/bootstrap.min.js" integrity="sha384-OgVRvuATP1z7JjHLkuOU7Xw704+h835Lr+6QL9UvYjZE3Ipu6Tp75j7Bh/kR0JKI" crossorigin="anonymous"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/highlight.js/10.1.1/highlight.min.js"></script>
<script type="text/javascript" src="../styles/jquery.twbsPagination.js"></script>
<script type="text/javascript" src="../styles/url.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/anchor-js/anchor.min.js"></script>
<script type="text/javascript" src="../styles/docfx.js"></script>
<script type="text/javascript" src="../styles/main.js"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink