How do you request an Identity Token (id_token) in IdentityServerr4

1
votes

I'm new to Identity Server and am confused on the topic of Identity & Access tokens. I understand access tokens are meant to secure resources (i.e. web api) and that identity tokens are used to authenticate. However, whenever I call /connect/token I always receive an "access_token". Within the request I've asked for a client which has various scopes and claims.

new Client
            {             
                ClientId = "Tetris",
                ClientName = "Tetris Web Api",
                AccessTokenLifetime = 60*60*24,
                AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
                RequireClientSecret = false,
                AllowedScopes = {"openid", "TetrisApi", "TetrisIdentity"}
            }



public static IEnumerable<ApiResource> GetApiResources()
        {
            return new[]
            {
                new ApiResource("TetrisApi", "Tetris Web API", new[] { JwtClaimTypes.Name, JwtClaimTypes.Role, "module" })
            };
        }

        public static IEnumerable<IdentityResource> GetIdentityResources()
        {
            return new List<IdentityResource>
            {
                new IdentityResources.OpenId(),
                new IdentityResources.Profile(),
                new IdentityResource
                {
                    Name = "TetrisIdentity",
                    UserClaims =
                        new[]
                        {
                            JwtClaimTypes.Name,
                            JwtClaimTypes.Role,
                            JwtClaimTypes.GivenName,
                            JwtClaimTypes.FamilyName,
                            JwtClaimTypes.Email,
                            "module",
                            "module.permissions"
                        }
                }
            };
        }

Below is a copy of postman: enter image description here

Any thoughts? I didn't see an example in the Quickstarts that employs Identity Tokens.

Thanks!

2
identityserver4

2 Answers

2
votes

The password grant type does not support identity tokens. See RFC6749.

The best you can do here is to use the access token to get claims for the user using the userinfo endpoint.

The recommendation is to use an interactive flow like implicit or hybrid for end-user authentication.

2
votes

@leastprivilege 's answer is correct but instead of calling the userinfo endpoint, you also have the option of including the UserClaims you desire in your ApiResource definition.

At the moment you request new[] { JwtClaimTypes.Name, JwtClaimTypes.Role, "module" }, but if you changed that to include all the claims you (currently) define as part of the IdentityResources then those claims will also be available in the access_token.