0
votes

I have a doubt about Identity Resource user claims.

I have configured as below (Scenario-1):

identity resource ("family") --> user claims as [ "kid1", "kid2", "wife"]

Q1: As per the documentation, "List of associated user claim types that should be included in the identity token." But I can't see this in the identity token?

Scenario-2

IS configuration:

identity resource ("family" ) --> user claims [ "kid1", "kid2", "wife"]

API Scope (api1) --> user claims ["role"]
API Scope (api2) --> user claims ["country", "address"]

API Resource (TestAPI2Test) --> API Scopes ["api1", "api2"] AND user claims ["role", "wife"]
API Resource (TestAPI1) --> API Scopes ["api1", "api2"] AND user claims ["role", "siblings", "wife"]
API Resource (testResource) --> API Scopes ["api2"] AND user claims ["role", "siblings", "kid1", "name"]

Angular Client Configuration, requested scopes: [openid profile api1 offline_access family]

access_token (relevant part of the payload):

"aud": [
"TestAPI1",
"TestAPI2Test",
"https://localhost:5001/resources"
],
"idp": "local",
"role": "admin",
"wife": "Sandra",
"sid": "BD5F4222976FFE2752168EFDE9391B2B",
"iat": 1621413193,
"scope": [
"openid",
"profile",
"api1",
"family",
"offline_access"
],

Q2: Why can I not see the identity resource user claims "kid1", "kid2" in the access_token?

Q3: I can see that only the API Resource user claims are included in the access_token; are the Identity token user claims returned when requesting the user endpoint?

Can you advise/clarify on Q1, Q2 and Q3?

1 Answers

0
votes

You can configure in the client configuration in IdentityServer whether the claims should be included in the ID token or whether they should be retrieved separately from the /UserInfo endpoint.

You set this using this flag: AlwaysIncludeUserClaimsInIdToken = true/false;

Only the UserClaims added to the ApiScope and ApiResources will be included in the access token.

Claims/scopes added under the IdentityResource control what ends up in the ID token / UserInfo endpoint.
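The Scenario-2 setup from the question, written out as IdentityServer4 in-memory configuration so the three claim collections the answer distinguishes (IdentityResource, ApiScope, ApiResource) sit side by side. This is an added example, not code from the question, the answer or the IdentityServer project; the resource, scope and claim names come from the question, while the client id, redirect URI and the comments explaining where each collection's claims end up are assumptions added here.

```csharp
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

// Added example: in-memory IdentityServer4 configuration mirroring the question's Scenario-2.
public static class Config
{
    // IdentityResource.UserClaims feed the ID token (only when the client sets
    // AlwaysIncludeUserClaimsInIdToken = true) and the /connect/userinfo endpoint.
    // They are never copied into the access token.
    public static IEnumerable<IdentityResource> IdentityResources =>
        new IdentityResource[]
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
            new IdentityResource("family", new[] { "kid1", "kid2", "wife" }),
        };

    // ApiScope.UserClaims are added to the access token when that scope is granted.
    public static IEnumerable<ApiScope> ApiScopes =>
        new ApiScope[]
        {
            new ApiScope("api1", new[] { "role" }),
            new ApiScope("api2", new[] { "country", "address" }),
        };

    // An ApiResource becomes an "aud" entry when at least one of its Scopes is granted,
    // and its UserClaims are then added to the access token as well.
    public static IEnumerable<ApiResource> ApiResources =>
        new ApiResource[]
        {
            new ApiResource("TestAPI2Test", new[] { "role", "wife" })
            {
                Scopes = { "api1", "api2" }
            },
            new ApiResource("TestAPI1", new[] { "role", "siblings", "wife" })
            {
                Scopes = { "api1", "api2" }
            },
            // Reachable only through "api2", which the client below never requests,
            // so this resource is absent from "aud" and its "kid1" claim never
            // reaches the access token.
            new ApiResource("testResource", new[] { "role", "siblings", "kid1", "name" })
            {
                Scopes = { "api2" }
            },
        };

    public static IEnumerable<Client> Clients =>
        new Client[]
        {
            new Client
            {
                ClientId = "angular-client",                          // assumed name
                AllowedGrantTypes = GrantTypes.Code,
                RequirePkce = true,
                RequireClientSecret = false,                          // public SPA client
                RedirectUris = { "https://localhost:4200/callback" }, // assumed URI
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "api1",
                    "family",
                },
                AllowOfflineAccess = true,   // lets the client request offline_access
                // true:  "family" claims (kid1, kid2, wife) are emitted in the ID token itself.
                // false: the ID token stays minimal and the same claims are served
                //        from /connect/userinfo instead (the default behaviour).
                AlwaysIncludeUserClaimsInIdToken = true,
            },
        };
}
```

Wire it up in Startup with the existing registration helpers: `services.AddIdentityServer().AddInMemoryIdentityResources(Config.IdentityResources).AddInMemoryApiScopes(Config.ApiScopes).AddInMemoryApiResources(Config.ApiResources).AddInMemoryClients(Config.Clients)`. With this configuration, requesting `openid profile api1 offline_access family` yields an access token whose "aud" holds TestAPI1 and TestAPI2Test and whose user claims are "role" and "wife", matching the token shown in the question; flipping AlwaysIncludeUserClaimsInIdToken to false moves the "family" claims out of the ID token and onto the UserInfo response.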