I'm using JWT tokens and OpenIdConnectServer. All works very well, but I can't add custom properties to the token response... Here is the result:

    {
      "resource": "resource_server_1",
      "token_type": "bearer",
      "access_token": "eyJhb....LSk5PQldEVVFaTllNU",
      "expires_in": "3600"
    }

I want to add some properties like username or role... I'm trying to add them through AuthenticationProperties, but it doesn't work. Here is my code:

    using System.Collections.Generic;
    using System.Security.Claims;
    using System.Threading.Tasks;
    using AspNet.Security.OpenIdConnect.Extensions;
    using AspNet.Security.OpenIdConnect.Server;

    public override Task GrantResourceOwnerCredentials(GrantResourceOwnerCredentialsContext context)
    {
        ClaimsIdentity identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
        // "token id_token" lists the destinations: the claim goes into both the access token and the identity token.
        identity.AddClaim(ClaimTypes.Name, "test", "token id_token");
        identity.AddClaim(ClaimTypes.Role, "test", "token id_token");

        // The custom "username" entry lives in AuthenticationProperties, not in the token response.
        var ticket = new AuthenticationTicket(
            new ClaimsPrincipal(identity),
            new AuthenticationProperties(new Dictionary<string, string>
            {
                { "username", "test" }
            }),
            context.Options.AuthenticationScheme);

        ticket.SetResources(new[] { "resource_server_1" });

        context.Validated(ticket);

        return Task.FromResult<object>(null);
    }
1 Answer

To add custom properties to token responses, you can take a look at this other SO question: Overriding TokenEndPoint in AspNet.Security.OpenIdConnect.Server

That said, this is not the approach I'd recommend. Instead, you should use the new id_token concept offered by OpenID Connect, which is also supported for the password flow in ASOS and which allows sharing user details between the authorization server and the client apps.

For that, add scope=openid to your token request and the OIDC server middleware will start returning a JSON Web Token you'll be able to read to extract user details like a username. Note that only claims specifying the id_token destination will be included in the identity token. Read this SO post for more info: https://stackoverflow.com/a/35041102/542757

(on a related note, you're not adding a ClaimTypes.NameIdentifier claim to your authentication ticket: this is not a legal operation as the OIDC server middleware needs a unique id to identify the user)

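Putting the answer's three points together (a ClaimTypes.NameIdentifier claim on the ticket, an explicit id_token destination on every claim the client should see, and scope=openid on the token request), here is an added example of a complete GrantResourceOwnerCredentials override. It is not code from the question, the answer, or the ASOS project. Assumptions: the ASOS beta API of the time (the context's UserName/Password properties, Rejected(error, description), the GetScopes()/SetScopes() extension methods), the page's own "token id_token" destination string convention, and constructed sample values for the user id and e-mail address.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Extensions;   // AddClaim / SetResources / SetScopes extensions
using AspNet.Security.OpenIdConnect.Server;
// plus the AuthenticationTicket / AuthenticationProperties namespace of your ASP.NET Core version

// Hypothetical provider class; only the password grant handler is shown.
public class TokenProvider : OpenIdConnectServerProvider
{
    public override Task GrantResourceOwnerCredentials(GrantResourceOwnerCredentialsContext context)
    {
        // Placeholder credential check for the sample: replace with a real user store lookup.
        // Assumption: the context exposes UserName/Password and Rejected(error, description).
        if (context.UserName != "test" || context.Password != "test")
        {
            context.Rejected(
                error: OpenIdConnectConstants.Errors.InvalidGrant,
                description: "Invalid username or password.");
            return Task.FromResult(0);
        }

        var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);

        // The middleware needs a stable unique id for the user: without ClaimTypes.NameIdentifier
        // the ticket is not valid (see the note in the answer). "user-123" is a constructed sample id.
        identity.AddClaim(ClaimTypes.NameIdentifier, "user-123", "token id_token");

        // Destination "token id_token": the claim is copied into both the access token
        // (for the resource server) and the identity token (for the client app).
        identity.AddClaim(ClaimTypes.Name, context.UserName, "token id_token");
        identity.AddClaim(ClaimTypes.Role, "test", "token id_token");

        // Destination "id_token" only: the client can read it, the resource server never receives it.
        // Claims with no destination are kept in the ticket but end up in neither token.
        identity.AddClaim(ClaimTypes.Email, "test@example.com", "id_token");   // constructed sample value

        var ticket = new AuthenticationTicket(
            new ClaimsPrincipal(identity),
            new AuthenticationProperties(),
            context.Options.AuthenticationScheme);

        // Audience of the access token, as in the question.
        ticket.SetResources(new[] { "resource_server_1" });

        // Carry the requested scopes (including "openid") into the ticket.
        // Assumption: GetScopes()/SetScopes() are the ASOS extension methods of the version in use.
        ticket.SetScopes(context.Request.GetScopes());

        context.Validated(ticket);
        return Task.FromResult(0);
    }
}

// Token request that makes the middleware add an "id_token" member to the response
// (the request from the comments, with the scope parameter the answer asks for):
//
//   POST /connect/token
//   Content-Type: application/x-www-form-urlencoded
//
//   grant_type=password&username=test&password=test&scope=openid
```

Two things worth checking after wiring this in: the response should now contain an id_token next to the access_token (as in the last response pasted in the comments), and decoding the two tokens should show the e-mail claim only in the id_token, which confirms the destination filtering is doing what the answer describes.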
  • Thanks for the answer. Can you please write some example? I'm trying to add claims following your link http://stackoverflow.com/a/35041102/542757, but the output remains the same... =( only `"resource": "resource_server_1", "token_type": "bearer", "access_token": "eydCInHAm...Q", "expires_in": "3600" }` – alexqq Apr 12 '16 at 19:39
  • Can you please share the token request you're sending? – Kévin Chalet Apr 12 '16 at 20:07
  • with test data :) `grant_type : password, username : test, password : test` on /connect/token – alexqq Apr 12 '16 at 20:10
  • And where's the scope=openid parameter? :P – Kévin Chalet Apr 12 '16 at 20:11
  • Added this. Response: `"resource": "resource_server_1", "token_type": "bearer", "access_token": "ewNDkyMjcyLCJ1bmlx...OiJqa2R6Ii", "expires_in": "3600", "id_token": "eyJhaWF0I..r" }` – alexqq Apr 12 '16 at 20:19
  • Then problem solved, since you now get an identity token. – Kévin Chalet Apr 12 '16 at 20:19
  • How to add other fields to the response? I want to send the userName or email to the client in the response... only http://stackoverflow.com/questions/34074787/overriding-tokenendpoint-in-aspnet-security-openidconnect-server ? – alexqq Apr 12 '16 at 20:24
  • If you're not afraid of implementing something non-standard, then yes, follow what's indicated on that other thread. But really, you SHOULD use the identity token instead. – Kévin Chalet Apr 12 '16 at 20:26