Reputation: 7285
Using IdentityServer4 I've created a client for a Windows application. To call into another authentication service (i.e., AWS STS) I need to set up federation to my ID server and use an identity token.
Is it possible to get an identity token for a client?
The following code gives me the access token but the identity token is null.
    // Discover the token endpoint from the IdentityServer metadata document
    var disco = await DiscoveryClient.GetAsync(Properties.Settings.Default.IdentityUrl);
    if (disco.IsError)
    {
        return false;
    }
    // Authenticate as the client itself (client credentials grant)
    var tokenClient = new TokenClient(disco.TokenEndpoint, _executionContext.ClientID, _executionContext.Secret);
    var tokenResponse = await tokenClient.RequestClientCredentialsAsync("api.v1");
    _executionContext.AgentToken = tokenResponse.AccessToken; // OK
    _executionContext.IdentityToken = tokenResponse.IdentityToken; // NULL
Upvotes: 0
Views: 484
No, by definition a client cannot request an identity token for itself. Only on behalf of a user. From the docs:
User
A user is a human that is using a registered client to access resources.
Client
A client is a piece of software that requests tokens from IdentityServer - either for authenticating a user (requesting an identity token) or for accessing a resource (requesting an access token).
The reason that a client can't request an identity token for itself is because it doesn't have (and can't have) a sub claim:
The presence (or absence) of the sub claim lets the API distinguish between calls on behalf of clients and calls on behalf of users.
Here's an example of how to request an identity token on behalf of a user using the password grant.
Upvotes: 1
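As an added example (not code from the question, the answer, or IdentityServer4 itself) of the distinction the answer quotes: an ASP.NET Core API that authorizes user calls and client-credentials calls differently depending on whether the incoming token carries a sub claim. The authority URL and audience are placeholders.

```csharp
// Added example, not code from the question or the answer: an ASP.NET Core API
// protected by IdentityServer4 that uses the presence of the "sub" claim to
// tell user calls from client-credentials calls, as the quoted docs describe.
// Authority and audience below are placeholders.
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Keep "sub" named "sub": the default inbound claim map would rename it
        // to ClaimTypes.NameIdentifier and silently break the policies below.
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
        services.AddAuthentication("Bearer").AddJwtBearer("Bearer", options =>
        {
            options.Authority = "https://localhost:5001"; // placeholder
            options.Audience = "api.v1";                  // placeholder
        });
        services.AddAuthorization(options =>
        {
            // Tokens issued on behalf of a user always carry "sub".
            options.AddPolicy("UserOnly", p =>
                p.RequireAuthenticatedUser().RequireClaim("sub"));
            // Client-credentials tokens carry "client_id" but never "sub".
            options.AddPolicy("ClientOnly", p =>
                p.RequireAuthenticatedUser()
                 .RequireAssertion(ctx => !ctx.User.HasClaim(c => c.Type == "sub")));
        });
        services.AddControllers();
    }
    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(e => e.MapControllers());
    }
}
[ApiController, Route("v1")]
public class ResourceController : ControllerBase
{
    [HttpGet("me"), Authorize(Policy = "UserOnly")]
    public IActionResult Me() => Ok(new { subject = User.FindFirst("sub").Value });
    [HttpGet("status"), Authorize(Policy = "ClientOnly")]
    public IActionResult Status() => Ok(new { client = User.FindFirst("client_id")?.Value });
}
```

A token obtained with the client credentials grant, like the one in the question, is accepted by the ClientOnly endpoint and rejected by UserOnly, which is the same distinction the quoted docs describe for the sub claim.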