
How do you request additional claims for the access token JWT in Identity Server 4 / auth code flow? My custom profile service always shows RequestedClaimTypes of 0 during my auth code flow sign-in, so the resulting access token JWT has my subject claim but no firstname, lastname, or email claim.

Here are my requested scopes from the client: "TestApi openid profile email"

Here is my client definition on identity server:

new Client {
    ClientId = "authorizationCodeClient2",
    ClientName = "Authorization Code Test",
    ClientSecrets = {
        new Secret("secret".Sha256())
    },
    Enabled = true,
    AllowedGrantTypes = GrantTypes.Code,
    RequireConsent = true,
    AllowRememberConsent = false,
    RedirectUris = new List<string> {
        "http://localhost:5436/account/oAuth2"
    },
    AllowedScopes = { "TestApi", "openid", "profile", "email" },
    AccessTokenType = AccessTokenType.Jwt
}

Using https://github.com/bayardw/IdentityServer4.Authorization.Code for the test client.


1 Answer


I discovered that identity server will let you optionally stamp the id token with the user profile claims (instead of having to call the userinfo endpoint). You basically set a Boolean property for that particular client:

AlwaysIncludeUserClaimsInIdToken = true;

Note, you will want to request the following scopes on your auth request: (openid profile email)
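As an added example (not from the question or the answer, and not IdentityServer's own code): the client above with AlwaysIncludeUserClaimsInIdToken set, the identity resources that back the openid/profile/email scopes, and a profile service that issues only the claim types IdentityServer actually requested. The claim values, class names and the user lookup are made up.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Services;

public static class Config
{
    // "openid", "profile" and "email" must exist as identity resources, or the
    // scope request is rejected and no profile claim types are ever requested.
    public static IEnumerable<IdentityResource> IdentityResources() =>
        new IdentityResource[] { new IdentityResources.OpenId(), new IdentityResources.Profile(), new IdentityResources.Email() };

    public static IEnumerable<Client> Clients() => new[]
    {
        new Client
        {
            ClientId = "authorizationCodeClient2",
            ClientSecrets = { new Secret("secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.Code,
            RedirectUris = { "http://localhost:5436/account/oAuth2" },
            AllowedScopes = { "TestApi", "openid", "profile", "email" },
            // Stamp profile claims into the id_token instead of requiring a userinfo call.
            AlwaysIncludeUserClaimsInIdToken = true
        }
    };
}

public class ProfileService : IProfileService
{
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // Constructed sample claims; a real service reads them from the user store.
        var userClaims = new List<Claim>
        {
            new Claim("given_name", "Ada"),
            new Claim("family_name", "Lovelace"),
            new Claim("email", "ada@example.test")
        };
        // Issue only the claim types IdentityServer requested (driven by the granted
        // scopes), so a client never receives profile data it did not ask for.
        context.IssuedClaims = userClaims.Where(c => context.RequestedClaimTypes.Contains(c.Type)).ToList();
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        context.IsActive = true; // hypothetical: every subject is treated as active
        return Task.CompletedTask;
    }
}
```

Register the profile service with `services.AddIdentityServer().AddProfileService<ProfileService>()`; if RequestedClaimTypes is still empty, check that the requested scopes are present in both the client's AllowedScopes and the registered identity resources.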