Reputation: 13367
Identity Server 4 add custom claims to User
I have set up Identity Server 4 (a while back, so I have forgotten a lot of things) and I am trying to set claims on the current logged in User. When I login and use a filter to see what claims they have I can see this:
You can see from this image that my scopes, claims and roles have been added to the user which is good. But the claims have a type of Role which I think is wrong. I want to change that to Claim instead:
I have searched my application for ClaimTypes.Role and role but cannot find where I have set this up.
Is this something that can be done easily?
Upvotes: 0
Views: 3594
Answers (1)
Reputation: 13367
I managed to sort this out; so basically I already had roles set up. I just didn't understand how I had done it in the past. The main thing to do was set up the ApiResource which I did like this:
new ApiResource(IdentityConstants.ApiResources.IdentityServer, "Identity Server", new[] {JwtClaimTypes.Role, IdentityConstants.ClaimTypes.Permission})
My constants class just has a few static strings set up like this:
public static class SituIdentityConstants
{
public static class ApiResources
{
public const string Sxp = "sxp";
public const string IdentityServer = "identity-server";
}
public static class ClaimTypes
{
public const string Permission = "permission";
}
}
Once that was done; I updated my seed and included this:
private static void CreateApiResources(ConfigurationDbContext context)
{
var scopes = ListApiScopes();
var resources = ListApiResources();
foreach (var scope in scopes)
if (!context.ApiScopes.Any(m => m.Name.Equals(scope.Name)))
context.ApiScopes.Add(scope.ToEntity());
foreach (var resource in resources)
{
if (context.ApiResources.Any(m => m.Name.Equals(resource.Name))) continue;
var entity = resource.ToEntity();
entity.Scopes = scopes.Select(m => new ApiResourceScope
{
Scope = m.Name
}).ToList();
context.Add(entity);
}
context.SaveChanges();
}
Which created all the API Resources, scopes and any ApiResourceClaims (which is what populates RequestedClaimTypes in the IProfileService.
Btw, for reference, here is my ProfileService:
public class ProfileService: IProfileService
{
private readonly IMediator _mediator;
private readonly UserManager<User> _userManager;
private readonly RoleManager<Role> _roleManager;
public ProfileService(IMediator mediator, UserManager<User> userManager, RoleManager<Role> roleManager)
{
_mediator = mediator;
_userManager = userManager;
_roleManager = roleManager;
}
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var user = await _userManager.FindByIdAsync(context.Subject.GetSubjectId());
var rolesAttempt = await _mediator.Send(new ListRoles());
if (rolesAttempt.Failure) return;
var roles = rolesAttempt.Result;
var issuedClaims = new List<System.Security.Claims.Claim>();
foreach (var role in roles)
{
if (!user.Roles.Any(m => m.RoleId.Equals(role.Id))) continue;
issuedClaims.Add(new System.Security.Claims.Claim(JwtClaimTypes.Role, role.Name));
var roleClaims = await _roleManager.GetClaimsAsync(new Role {Id = role.Id});
issuedClaims.AddRange(roleClaims.Where(m => context.RequestedClaimTypes.Any(x => x.Equals(m.Type))));
}
context.IssuedClaims = issuedClaims;
}
public async Task IsActiveAsync(IsActiveContext context)
{
var sub = context.Subject.GetSubjectId();
var user = await _userManager.FindByIdAsync(sub);
var active = (user != null && (!user.LockoutEnabled || user.LockoutEnd == null)) ||
(user != null && user.LockoutEnabled && user.LockoutEnd != null &&
DateTime.UtcNow > user.LockoutEnd);
context.IsActive = active;
}
}
I actually found this to be a pain to set up. I tried the way the documentation states:
services.AddIdentityServer()
.AddDeveloperSigningCredential()
// Stores clients and resources
.AddConfigurationStore(options => options.ConfigureDbContext = ConfigureDbContext)
// Stores tokens, consents, codes, etc
.AddOperationalStore(options => options.ConfigureDbContext = ConfigureDbContext)
.AddProfileService<ProfileService>()
.AddAspNetIdentity<User>();
But this would not work for me; so instead I did it like this:
services.AddIdentityServer()
.AddDeveloperSigningCredential()
// Stores clients and resources
.AddConfigurationStore(options => options.ConfigureDbContext = ConfigureDbContext)
// Stores tokens, consents, codes, etc
.AddOperationalStore(options => options.ConfigureDbContext = ConfigureDbContext)
.AddAspNetIdentity<User>();
services.AddScoped(typeof(IProfileService), typeof(ProfileService));
That's all I needed to do for Identity Server, the RequestedClaimTypes is now populated both with "role" and "permission". The only other thing I did, was when I created a RoleClaim, I set the claim type to "permission" and it works:
{
"nbf": 1611600995,
"exp": 1611604595,
"iss": "https://localhost:44362",
"aud": [
"sxp",
"identity-server"
],
"client_id": "client",
"sub": "949cc454-d7c9-45db-9eae-59e72d3025c1",
"auth_time": 1611600983,
"idp": "local",
"role": "User Manager",
"permission": [
"users:write",
"user:read"
],
"jti": "39C9F31958972704730DA65A8FCDAAEE",
"iat": 1611600995,
"scope": [
"identity:read",
"identity:write",
"sxp:read",
"sxp:write"
],
"amr": [
"pwd"
]
}
Noice.
Upvotes: 2
Related Questions
- AspNet Identity Core - Custom Claims on Login
- How to add roles to claims in IdentityServer4?
- How to get custom claims for IdentityServer4 Itself
- Set custom claims for ClaimsIdentity using IdentityServer4 authentication
- How to get additional claims on client side in identity server 4?
- IdentityServer4 and ASP.Net Identity: Adding additional claims
- Add user claims in identityserver4
- How to properly use claims with IdentityServer4?
- How to add/manage user claims at runtime in IdentityServer4
- IdentitySever4 user claims and ASP.NET User.Identity