Ori.Lin

Reputation: 541

How to set oidc ResponseType to get both claims and access_token?

Recently I have been working on an SSO with IdentityServer4. While debugging the code I found that the ResponseType setting causes a tricky problem. When I set up my client like this:

    // Keep the original JWT claim type names instead of the .NET legacy mapping
    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
    services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
    })
        .AddCookie("Cookies")
        .AddOpenIdConnect("oidc", options =>
        {
            options.SignInScheme = "Cookies";
            options.Authority = Configuration["Auth:IdentityServer"];
            options.RequireHttpsMetadata = false;

            options.ClientId = Configuration["Auth:ClientId"];
            options.ClientSecret = Configuration["Auth:ClientSecret"];
            // Implicit flow, id_token only: no access token is issued
            options.ResponseType = "id_token";
            options.SaveTokens = true;
            //options.Scope.Add("8e6144b5-87f6-4638-bf08-1a64599a8b39");
            options.Scope.Add("offline_access");
            options.GetClaimsFromUserInfoEndpoint = true;
        });

I can get claims like this (the full claim list):

[screenshot: full claim list]

But when I change the response type to options.ResponseType = "id_token token"; the claims look like this (only a few claims are issued):

[screenshot: reduced claim list]

If I want both the full claim list and the access token when the user logs in, what should I do to get both of them?

Upvotes: 1

Views: 2402

Answers (2)

Randy

Reputation: 1255

By default, IdentityServer will not provide user claims in the identity token if an access token is requested along with it. You can see this happening in the source code here. The way to make sure the identity token always contains the user claims (whether an access token is requested with it or not) is to set AlwaysIncludeUserClaimsInIdToken to true on your client.

Upvotes: 1

m3n7alsnak3

Reputation: 3156

I see that you are trying to use one of the examples from the documentation. Correct me if I'm wrong.

If not, then change your flow to Hybrid (which means ResponseType = "code id_token token"). Do that on the identity server side too. Also add openid and profile to the scopes. And then, where you list your claims, you can use (assuming that you are using the Razor page to list them):

    @foreach (var claim in ((System.Security.Claims.ClaimsPrincipal)User).Claims)
    {
        <li>@claim.Type : @claim.Value</li>
    }

This should list all the claims you have (including the access_token itself).

Upvotes: 0
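The two answers above both boil down to a matching pair of configurations: the IdentityServer4 Client must have AlwaysIncludeUserClaimsInIdToken set, and the ASP.NET Core client must ask for a flow that actually returns an access token. The example below is added here and is not code from the question, the answers or the IdentityServer4 project. It goes one step beyond the second answer: instead of the hybrid "code id_token token" response type, which delivers the access token in the browser's URL fragment, it uses the authorization code flow with PKCE, so the access token is only ever obtained from the token endpoint in the back channel. AlwaysIncludeUserClaimsInIdToken works the same way in either flow. The client id, secret, redirect URIs and the "api1" scope are placeholders, and the configuration keys follow the question's Auth:* naming.

```csharp
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

// Added example: IdentityServer4 side. Registered via
// AddIdentityServer().AddInMemoryClients(ExampleClients.Get()).
public static class ExampleClients
{
    public static IEnumerable<Client> Get() =>
        new List<Client>
        {
            new Client
            {
                ClientId = "mvc-client",                              // placeholder
                ClientSecrets = { new Secret("replace-me".Sha256()) }, // placeholder secret

                // Authorization code flow; PKCE is required so a stolen code is useless
                // without the verifier the client generated for that request.
                AllowedGrantTypes = GrantTypes.Code,
                RequirePkce = true,
                AllowPlainTextPkce = false,

                RedirectUris = { "https://localhost:5002/signin-oidc" },                    // placeholder
                PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" }, // placeholder

                // The setting from the first answer: without it IdentityServer strips user
                // claims from the id_token whenever an access token is issued alongside it.
                AlwaysIncludeUserClaimsInIdToken = true,

                // The question requests offline_access; that only succeeds if the
                // client is allowed to receive refresh tokens.
                AllowOfflineAccess = true,
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    IdentityServerConstants.StandardScopes.OfflineAccess,
                    "api1" // placeholder API scope
                }
            }
        };
}

// Added example: the ASP.NET Core client side, matching the client definition above.
public static class ExampleClientAuth
{
    public static void Configure(IServiceCollection services, IConfiguration configuration)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = "Cookies";
            options.DefaultChallengeScheme = "oidc";
        })
        .AddCookie("Cookies")
        .AddOpenIdConnect("oidc", options =>
        {
            options.SignInScheme = "Cookies";
            options.Authority = configuration["Auth:IdentityServer"];
            // Only relax this on a local dev box; over plain HTTP the discovery
            // document and signing keys can be tampered with in transit.
            options.RequireHttpsMetadata = true;

            options.ClientId = configuration["Auth:ClientId"];
            options.ClientSecret = configuration["Auth:ClientSecret"];

            // "code" instead of "id_token" / "id_token token": the access token is
            // exchanged for the code at the token endpoint, never exposed in the URL.
            options.ResponseType = OpenIdConnectResponseType.Code;
            options.UsePkce = true; // default is true in ASP.NET Core 3.0+, stated for clarity

            // SaveTokens stores access_token / refresh_token in the auth cookie so
            // HttpContext.GetTokenAsync("access_token") works later.
            options.SaveTokens = true;

            options.Scope.Clear();
            options.Scope.Add("openid");
            options.Scope.Add("profile");
            options.Scope.Add("offline_access");
            options.Scope.Add("api1"); // placeholder API scope

            // Still useful: claims from the userinfo endpoint are merged into the principal
            // even when the id_token already carries them.
            options.GetClaimsFromUserInfoEndpoint = true;
        });
    }
}
```

With this pair in place the signed-in ClaimsPrincipal carries the full profile claim set, and the access token is available through HttpContext.GetTokenAsync("access_token") rather than as a claim. If you do keep the hybrid flow from the second answer, the AlwaysIncludeUserClaimsInIdToken line is the one that matters; everything else above is about where the access token travels.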
