CODEWITHSUNDEEP
asp.net-coreidentityserver4
Kasbolat Kumakhov
Kasbolat Kumakhov

Reputation: 721

How to properly use claims with IdentityServer4?

I'm trying to understand how this works, so please bear with me. Here is my config for identity server:

    public static IEnumerable<ApiResource> GetApiResources(IConfiguration configuration)
    {
        return new []
        {
            new ApiResource
            {
                Name = "invoices.api",

                ApiSecrets =
                {
                    new Secret("invoices.api.secret".Sha256()),
                },

                Scopes =
                {
                    new Scope("invoices.api.scope"),
                },

                UserClaims =
                {
                    "custom_role",
                }
            }
        };
    }

    public static IEnumerable<Client> GetClients(IConfiguration configuration)
    {
        return new []
        {
            new Client
            {
                ClientId = "invoices.ui",
                RequireConsent = false,
                AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
                AccessTokenType = AccessTokenType.Reference,

                AllowedCorsOrigins = configuration.GetSection("Redirect").Get<RedirectOptions>().AllowedCorsOrigins.ToList(),
                RedirectUris = configuration.GetSection("Redirect").Get<RedirectOptions>().RedirectUris.ToList(),
                PostLogoutRedirectUris = configuration.GetSection("Redirect").Get<RedirectOptions>().PostLogoutRedirectUris.ToList(),

                ClientSecrets =
                {
                    new Secret("invoices.ui.secret".Sha256())
                },

                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    "invoices.api.scope",
                },
            }
        };
    }

    public static IEnumerable<TestUser> GetUsers(IConfiguration configuration)
    {
        return new []
        {
            new TestUser
            {
                SubjectId = "1",
                Username = "alice",
                Password = "123",
                Claims =
                {
                    new Claim("custom_role", "user"),
                },
            },
            new TestUser
            {
                SubjectId = "2",
                Username = "bob",
                Password = "123",
                Claims =
                {
                    new Claim("custom_role", "admin"),
                },
            }
        };
    }

    public static IEnumerable<IdentityResource> GetIdentityResources(IConfiguration configuration)
    {
        return new []
        {
            new IdentityResources.OpenId(),
        };
    }

And this is how my MVC client is setup:

    services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie(opts =>
    {
        //opts.ExpireTimeSpan = TimeSpan.FromSeconds(60);
    })
    .AddOpenIdConnect("oidc", opts =>
    {
        opts.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;

        opts.DisableTelemetry = true;

        opts.Authority = Configuration.GetValue<string>("IdentityServer");
        opts.RequireHttpsMetadata = false;

        opts.ClientId = "invoices.ui";
        opts.ClientSecret = "invoices.ui.secret";
        opts.ResponseType = "code id_token";

        opts.SaveTokens = true;
        opts.GetClaimsFromUserInfoEndpoint = true;

        opts.Scope.Clear();
        opts.Scope.Add("openid");
        opts.Scope.Add("invoices.api.scope");
    });

After a user is authenticated, i'm trying to see it's claims in view like this:

    @foreach (var claim in User.Claims)
    {
        <dt>@claim.Type</dt>
        <dd>@claim.Value</dd>
    }

But the list doesn't contain any "custom_role" claim. The identity server logs shows that the user info has been requested by the client from user info endpoint, but my "custom_role" wasn't transfered there, however it shows in logs of identity server, that user has it.

How to access my custom claims in my MVC app? I need to get them from user endpoint and use for authorization.

Upvotes: 1

Views: 2187

Answers (2)

Kasbolat Kumakhov
Kasbolat Kumakhov

Reputation: 721

Seems that adding an identity resource with specified claims solves the problem even with built-in ProfileService implementation:

    public static IEnumerable<IdentityResource> GetIdentityResources(IConfiguration configuration)
    {
        return new []
        {
            new IdentityResources.OpenId(),
            new IdentityResource
            {
                Name = "roles.scope",
                UserClaims =
                {
                    "custom_role",
                }
            }
        };
    }

Also added it as a scope for a client:

    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        "invoices.api.scope",
        "roles.scope",
    },

Upvotes: 0

Richard
Richard

Reputation: 1584

If you ask for an Access Token and Identity Token ("code id_token") Identity Server will not include user claims by default.

The solution is to set AlwaysIncludeUserClaimsInIdToken to true. See http://docs.identityserver.io/en/release/reference/client.html

The explanation on why this settings exists is here: https://leastprivilege.com/2016/12/14/optimizing-identity-tokens-for-size/

Upvotes: 1

Related Questions