When is ProfileDataRequestContext.RequestedClaimTypes not empty?

Question

I'm trying out IdentityServer4 demo project and I'm adding user claims to ProfileDataRequestContext.IssuedClaims in IProfileService implementation. One thing I've noticed is that there is a context.RequestedClaimTypes collection, which is always empty in any resource/identity/scope configuration variations I've tried. Under what condition does this collection has data?

Answer 1

Answer: https://github.com/IdentityServer/IdentityServer4/issues/1067

Whenever you request a scope that has associated claims.

Answer 2

If in the definition of your ApiResources you define UserClaims, these will then be populated in the context.RequestClaimTypes. For example:

new ApiResource
{
  Name = "TestAPI",
  ApiSecrets = { new Secret("secret".Sha256()) },
  UserClaims = {
    JwtClaimTypes.Email,
    JwtClaimTypes.EmailVerified,
    JwtClaimTypes.PhoneNumber,
    JwtClaimTypes.PhoneNumberVerified,
    JwtClaimTypes.GivenName,
    JwtClaimTypes.FamilyName,
    JwtClaimTypes.PreferredUserName
                    },
  Description = "Test API",
  DisplayName = "Test API",
  Enabled = true,
  Scopes = { new Scope("testApiScore) }
}

Then your ProfileDataRequestContext.RequestClaimTypes will contain these request claims, for your Identity Server to fulfil how you see fit.

Answer 3

I've found out that it if you set client.GetClaimsFromUserInfoEndpoint = true and additional roundtrip is made to /connect/userinfo endpoint and the request has requested value "sub".