Fab

Reputation: 954

Identity Server and Access Token Claims

I'm using Identity Server 3 with Windows authentication and adding claims to the user's token. I noticed GetProfileDataAsync is called twice: one caller is "ClaimsProviderAccessToken", which doesn't have any requested claims, and the other is "ClaimsProviderIdentityToken", which does. How do I get the RequestedClaimTypes such as Role, Email, whatever in "ClaimsProviderAccessToken"?

    public override Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // Look up the user behind the subject of the current request
        var user = Users.SingleOrDefault(x => x.Subject == context.Subject.GetSubjectId());

        // Issue only the claims the caller asked for (RequestedClaimTypes is null for
        // the "ClaimsProviderAccessToken" caller in my setup, so nothing is issued then)
        if (user != null && context.RequestedClaimTypes != null)
        {
            context.IssuedClaims = user.Claims.Where(x => context.RequestedClaimTypes.Contains(x.Type));
        }

        // NOTE: Uncomment this and all the claims I need are in the access token?
        // Comment it out and there are no claims in the access token?
        //context.IssuedClaims = user.Claims;

        return Task.FromResult(0);
    }

Here's my scope claim that is requesting the claims to be in access token:

    new Scope
    {
        Name = "api",
        Enabled = true,
        DisplayName = "Sample API",
        Description = "Access to a simple API",
        Type = ScopeType.Resource,
        IncludeAllClaimsForUser = true,

        Claims = new List<ScopeClaim>
        {
            new ScopeClaim(Constants.ClaimTypes.Name),
            new ScopeClaim(Constants.ClaimTypes.Role),
            new ScopeClaim(Constants.ClaimTypes.Email),
        },

        ScopeSecrets = new List<Secret>
        {
            new Secret("api-secret".Sha256())
        }
    }

Am I missing something? Is it correct to just set context.IssuedClaims to user.Claims, or should I filter by RequestedClaimTypes? I'm really a little lost trying to figure out how this works, and I'm not sure about setting context.IssuedClaims = user.Claims, although this seems like the behavior I need.

Upvotes: 0

Views: 992

Answers (1)

Fab

Reputation: 954

I actually found the answer: setting IncludeAllClaimsForUser = true clears out the claims. Once I removed that, context.RequestedClaimTypes is not null when requesting the access token.

Upvotes: 0
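The pattern the question and the answer arrive at, written out as an added example (it is not code from the question, the answer, or the IdentityServer project): a profile service that issues only the claim types the scopes in the request declare, and the `api` scope declared without `IncludeAllClaimsForUser`, so the same filtered list reaches both the identity token and the access token. Filtering by `RequestedClaimTypes` instead of copying `user.Claims` keeps the access token to the claims the API was configured to receive, rather than every claim the user has. The IdentityServer3 namespaces, the `UserServiceBase` base class and the `InMemoryUser` type are assumed from the IdentityServer3 NuGet package; the class and variable names are hypothetical.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.Core;
using IdentityServer3.Core.Extensions;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.Default;
using IdentityServer3.Core.Services.InMemory;

// Hypothetical user service (not the project's own): issues only the claims
// the current token asked for, whichever caller is running.
public class FilteredClaimsUserService : UserServiceBase
{
    private readonly List<InMemoryUser> _users;

    public FilteredClaimsUserService(List<InMemoryUser> users)
    {
        _users = users;
    }

    public override Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var user = _users.SingleOrDefault(x => x.Subject == context.Subject.GetSubjectId());
        if (user == null)
        {
            // Unknown subject: issue nothing rather than dereferencing a null user
            context.IssuedClaims = Enumerable.Empty<Claim>();
            return Task.FromResult(0);
        }

        // Without IncludeAllClaimsForUser on the scope, RequestedClaimTypes holds the
        // union of the ScopeClaims of the requested scopes for both callers named in
        // the question ("ClaimsProviderIdentityToken" and "ClaimsProviderAccessToken").
        // Guarding against null keeps the old "nothing requested -> nothing issued" behaviour.
        var requested = new HashSet<string>(context.RequestedClaimTypes ?? Enumerable.Empty<string>());

        context.IssuedClaims = user.Claims
            .Where(c => requested.Contains(c.Type))
            .ToList();

        return Task.FromResult(0);
    }
}

public static class SampleConfig
{
    // Constructed sample user; Subject/Username values are made up for the example
    public static List<InMemoryUser> Users()
    {
        return new List<InMemoryUser>
        {
            new InMemoryUser
            {
                Subject = "1001",
                Username = "alice",
                Claims = new List<Claim>
                {
                    new Claim(Constants.ClaimTypes.Name, "Alice Example"),
                    new Claim(Constants.ClaimTypes.Role, "Reader"),
                    new Claim(Constants.ClaimTypes.Email, "alice@example.test"),
                    // Present on the user but not declared on the scope, so never issued
                    new Claim("internal_note", "not for tokens")
                }
            }
        };
    }

    // The resource scope from the question with IncludeAllClaimsForUser removed:
    // the Claims list alone decides what the API can see in the access token.
    public static Scope ApiScope()
    {
        return new Scope
        {
            Name = "api",
            Enabled = true,
            DisplayName = "Sample API",
            Description = "Access to a simple API",
            Type = ScopeType.Resource,
            Claims = new List<ScopeClaim>
            {
                new ScopeClaim(Constants.ClaimTypes.Name),
                new ScopeClaim(Constants.ClaimTypes.Role),
                new ScopeClaim(Constants.ClaimTypes.Email),
            },
            ScopeSecrets = new List<Secret>
            {
                // Placeholder secret; replace in a real deployment
                new Secret("api-secret".Sha256())
            }
        };
    }
}
```

Register the service with `factory.UserService = new Registration<IUserService>(new FilteredClaimsUserService(SampleConfig.Users()))` and the scope through the usual in-memory scope store; with this configuration, `alice` gets `name`, `role` and `email` in an access token for `api`, and the `internal_note` claim stays on the server.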
