一.介绍
用户请求受保护的api程序时,会带上access_token去访问,受保护的api程序会检查access_token, 如何获取到access_token中有用的额外信息呢,如用户ID,用户姓名。当拿到一个access_token去解析(jwt在线解密)成json格式,会发现sub是用户ID,preferred_username是用户的UserName,分别对应如下:
如果想在access_token额外加入其它信息,如FullName 等,如何做呢?
点击菜单Clients-->vendorotthapi-webapi-->Client scopes--> vendorotthapi-webapi-dedicated 描述是:Dedicated scope and mappers for this client 意思是专用的scope映射到这个client中。
点击vendorotthapi-webapi-dedicated -->Add mapper下拉选择Add predefined mappers意思是预先定义的-->选择fullname,(除了这些预先定义,还可以选择下拉By configuration,灵活自定义更多信息加入到token中)如下所示:
接着点击菜单Users-->Details-->LastName 填写保存如下所示:
获取access_token后再解析,如下所示:
{
"exp": 1670660768,
"iat": 1670660168,
"jti": "5388ad8d-b5cf-42cd-abf9-b4a56fea6fd5",
"iss": "https://xxx.com/realms/ebs",
"aud": "account",
"sub": "4a9f5e04-480c-4aa0-8696-fbb7b8c55585",
"typ": "Bearer",
"azp": "xxx-webapi",
"session_state": "ae513bd4-8755-409e-938b-cb2dd74d8c6b",
"acr": "1",
"realm_access": {
"roles": ["default-roles-ebs", "offline_access", "uma_authorization"]
},
"resource_access": {
"account": {
"roles": ["manage-account", "manage-account-links", "view-profile"]
}
},
"scope": "profile email",
"sid": "xx513bd4-8755-409e-938b-cb2dd74d8c6b",
"email_verified": false,
"name": "EBS",
"preferred_username": "ebs",
"locale": "en",
"given_name": "",
"family_name": "EBS"
}