1
votes

I'm trying to get my head around oAuth2/IdentityServer4.

Using the sample application at
https://github.com/IdentityServer/IdentityServer4.Samples/tree/dev/Quickstarts/3_ImplicitFlowAuthentication

The following code in the MVC application:

    @foreach (var claim in User.Claims)
    {
        <dt>@claim.Type</dt>
        <dd>@claim.Value</dd>
    }

Returns what appears to be identity token claims:

    nbf          1467173142
    exp          1467173442
    iss          http://localhost:5000
    aud          mvc
    nonce        636027699106782287.MDI0YzI5MTQtYmQxNy00MDllLWJmYzQtZjBhYzI2MGNjYmE3MDFmNzg1YmUtM2Y5ZC00YjBiLWEzOGItN2Q3ODRiODJlYjFl
    iat          1467173142
    c_hash       H2i5QeJKlHM5-s8vUTYlOw
    sid          42b58d38e2b7c6cc653492742a08840b
    sub          818727
    auth_time    1467170555
    idp          idsvr
    name         Alice Smith
    given_name   Alice
    family_name  Smith
    website      http://alice.com
    amr          pwd

The following code in the API project:

    var claims = User.Claims.Select(c => new { c.Type, c.Value });
    return new JsonResult(claims);

Returns what appears to be access token claims:

    {
      "Type": "nbf",
      "Value": "1467173142"
    },
    {
      "Type": "exp",
      "Value": "1467176742"
    },
    {
      "Type": "iss",
      "Value": "http://localhost:5000"
    },
    {
      "Type": "aud",
      "Value": "http://localhost:5000/resources"
    },
    {
      "Type": "client_id",
      "Value": "mvc"
    },
    {
      "Type": "scope",
      "Value": "openid"
    },
    {
      "Type": "scope",
      "Value": "profile"
    },
    {
      "Type": "scope",
      "Value": "api1"
    },
    {
      "Type": "sub",
      "Value": "818727"
    },
    {
      "Type": "auth_time",
      "Value": "1467170555"
    },
    {
      "Type": "idp",
      "Value": "idsvr"
    }

Notice the code is essentially the same (return the claims in the user identity principal) and the lack of name/email but the inclusion of scope claims in the API example.

The token flow is essentially IdentityServer4 => MVC Project => API Project. Obviously the MVC project has both the identity token and the access token, but it's not loading the access token into User.Claims.

My goal is to have the scope claims available in User in the MVC project so that I can set up policies to use with the Authorize attribute on my MVC methods.

Startup for the API project is here: https://github.com/IdentityServer/IdentityServer4.Samples/blob/dev/Quickstarts/3_ImplicitFlowAuthentication/src/Api/Startup.cs

Startup for the MVC project is here: https://github.com/IdentityServer/IdentityServer4.Samples/blob/dev/Quickstarts/3_ImplicitFlowAuthentication/src/Api/Startup.cs

Thanks, dave


1 Answers

5
votes

The question is kind of invalid, but I'll leave it here with reasons why and a solution to save others time.

Firstly, there are two tokens for two different purposes.

  1. The Access Token: Describes the client, which is the software that uses the API. Any claims in here are granting the client access to API endpoints.

  2. The Identity Token: This describes the User, or the human that uses the software that uses the API.

The original question was asking how to view Client related scopes in an Identity token, which obviously isn't valid.

However, you can include Identity scopes in an Identity token.

To do this, set Type to ScopeType.Resource and set IncludeAllClaimsForUser to true, as follows:

    new Scope()
    {
        Name = "ManageUsers",
        IncludeAllClaimsForUser = true,
        Type = ScopeType.Resource
    },
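The answer's point that the two tokens are issued for different parties can be checked mechanically. The following is an added Python example (not from the question, the answer or the IdentityServer4 samples): it validates constructed payloads mirroring the claims printed above against the audience each party expects, so the identity token is rejected by the API and the access token is rejected by the MVC client. The nonce value and the helper names are assumptions.

```python
"""Constructed payloads mirroring the claims printed in the question
(the nonce is a shortened placeholder, not the real value)."""
ISSUER = "http://localhost:5000"
CLIENT_ID = "mvc"                               # aud of the identity token
API_AUDIENCE = "http://localhost:5000/resources"  # aud of the access token
NONCE = "636027699106782287.constructed-nonce"

ID_TOKEN = {
    "iss": ISSUER, "aud": CLIENT_ID, "sub": "818727",
    "nbf": 1467173142, "exp": 1467173442, "nonce": NONCE,
    "name": "Alice Smith", "amr": ["pwd"],
}
ACCESS_TOKEN = {
    "iss": ISSUER, "aud": API_AUDIENCE, "client_id": CLIENT_ID,
    "scope": ["openid", "profile", "api1"],   # one claim per scope, as the API printed
    "sub": "818727", "nbf": 1467173142, "exp": 1467176742,
}


def validate(claims, *, issuer, audience, now, required_scope=None, expected_nonce=None):
    """Return the list of problems found; an empty list means this party may accept the token."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")  # token was minted for someone else
    if now < claims.get("nbf", 0):
        problems.append("token not yet valid")
    if now >= claims.get("exp", 0):
        problems.append("token expired")
    if required_scope is not None:
        scopes = claims.get("scope", [])
        scopes = scopes.split() if isinstance(scopes, str) else scopes
        if required_scope not in scopes:
            problems.append(f"missing scope {required_scope}")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")   # replay protection for the identity token
    return problems


def api_check(claims, now):
    """What the API (the resource) must verify: its own audience plus the api1 scope."""
    return validate(claims, issuer=ISSUER, audience=API_AUDIENCE, now=now, required_scope="api1")


def mvc_check(claims, now, nonce):
    """What the MVC client must verify on the identity token: its client id as audience and the nonce."""
    return validate(claims, issuer=ISSUER, audience=CLIENT_ID, now=now, expected_nonce=nonce)
```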