1

I have a working authorization setup and obtain a token that contains the below. Seemingly, everything behaves as supposed to, the verification in profiles kicks in as expected etc.

{ ...
  "awo": "bazinga",
  "...schemas.microsoft.com../role": [ "role1", "role2", ... ],
  "scope": [ "openid", ..., "roles" ],
}

Now, I'd like to have an additional, custom claim added to the access token. According to everywhere I read, I'm supposed to implement a custom IProfileService, as shown here. So I added a dummy service not causing any changes, at first.

services.AddIdentityServer(options => ...)
    .AddInMemoryClients(Clients.Obtain())
    ...
    .AddTestUsers(TestUsers.Obtain().ToList())
    .AddProfileService<ProfileService>()
    .AddDeveloperSigningCredential();

public class ProfileService : IProfileService
{
    // Dummy implementation: issues no claims at all.
    public Task GetProfileDataAsync(ProfileDataRequestContext context) => Task.CompletedTask;

    // IsActiveContext.IsActive defaults to true, so this leaves every user active.
    public Task IsActiveAsync(IsActiveContext context) => Task.CompletedTask;
}

That had the effect that the requested claims disappeared! I still see the standard claims like sub and exp as well as the scope. But the role claim is gone (and with it all the other claims I'm making in the definition of my TestUser instance). I have no idea why and googling this gave me absolutely nothing. Nada. Zero. Zilch.

Further, I discovered two things. The first one is that the disappeared claims are mentioned by type in the context under context.RequestedClaimTypes (no values, just the types). The second thing I noticed was that if I amend a claim like below, it does get through to the access token. So, I'm kind of satisfied with what happens, except for the caveat that the previous stuff goes bye-bye. I tried to lurk it out from the context and re-add it but I didn't see them there.

public Task GetProfileDataAsync(ProfileDataRequestContext context)
{
    // Only the claim types the client requested show up here, without values.
    IEnumerable<string> requestedTypes = context.RequestedClaimTypes;

    // A claim added to IssuedClaims directly does reach the access token.
    Claim[] claims = { new Claim("hazaa", "shazoo") };
    context.IssuedClaims.AddRange(claims);

    return Task.CompletedTask;
}

I have no sense for whether I'm super close and just missing a tiny detail, like a back-feed to the profiling pipeline or base class, somehow. Or if I'm far off and drifting away. Any input on how to investigate it further will be appreciated. (A working solution would be best but I'm not picky and there's a lot of fighting spirit left.)

I've tried to add services.AddScoped<IProfileService, ProfileService>() based on this - no change in behavior. I've tried verifying details from here, here and here - nothing of useful relevance. In this question, I believe they had the same problem but the solution isn't applicable in my case. I've tried setting AlwaysIncludeUserClaimsInIdToken as suggested here - only change is being that the method GetProfileDataAsync gets called one/twice, as expected. I've set AlwaysSendClientClaims and UpdateAccessTokenClaimsOnRefresh as discussed here and here - no change.

Konrad Viltersten
  • 36,151
  • 76
  • 250
  • 438
  • _"the requested claims disappeared!"_: [see the `DefaultProfileService`](https://github.com/DuendeSoftware/IdentityServer/blob/d6a3193d4bed0cf1340de31dc378c10a31974e86/src/IdentityServer/Services/Default/DefaultProfileService.cs#L37-L44), `context.AddRequestedClaims()` in particular. In fact, use that as the starting point. It adds the requested claims to the token so that you don't end up with an empty token. – abdusco Jul 30 '21 at 17:34
  • It's funny that not one of the links you posted points to `context.AddRequestedClaims` method used in the default implementation. – abdusco Jul 30 '21 at 17:36
  • @abdusco Scratch the last part. I think I'm simply too tired by now. I actually posted an image of the `AddRequestedClaims()` in the intellisense, while still claiming that it didn't show it to me. Simply retarded... Done coding for today! You should post your comment as an answer anyway. I can't be the only confused soul fighting this. It's definitely not sloppiness, as I put a lot of effort. Perhaps I'm just too old and dumb. :D – Konrad Viltersten Jul 30 '21 at 17:49
  • Before you post an answer, though, there **is** one more issue I notice. The role I'm adding right before I sign in, that one appears in the `context.Subject.Claims`. However, when I check `context.RequestedClaimTypes` (it's the types, without the actual values, that I declared in my test user instance), I see the roles I'd like to add too but I can't see how. Is it because I (yet) work with test users and not instances from a DB? – Konrad Viltersten Jul 30 '21 at 18:05
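The following is an added example (not the asker's code and not copied from the IdentityServer repository) of a profile service that keeps the test user's requested claims the way the built-in TestUserProfileService does, then appends the custom claim from the question. It assumes the Duende namespaces (IdentityServer4 uses the corresponding IdentityServer4.* namespaces) and that the TestUserStore registered by AddTestUsers is available for injection.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Duende.IdentityServer.Extensions;
using Duende.IdentityServer.Models;
using Duende.IdentityServer.Services;
using Duende.IdentityServer.Test;

// Added example: replacing IProfileService also replaces the service that
// AddTestUsers registered, so the TestUser claims must be looked up again here.
public class ProfileService : IProfileService
{
    private readonly TestUserStore _users;

    // AddTestUsers registers TestUserStore as a singleton, so it can be injected.
    public ProfileService(TestUserStore users) => _users = users;

    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // context.Subject only carries the claims placed in the sign-in cookie;
        // the role and other claims declared on the TestUser live in the store.
        var user = _users.FindBySubjectId(context.Subject.GetSubjectId());
        if (user != null)
        {
            // Issues only the claim types in context.RequestedClaimTypes, i.e.
            // those the client's scopes ask for. Skipping this call is what
            // made the role claim vanish with the empty dummy service.
            context.AddRequestedClaims(user.Claims);
        }

        // A claim added directly is not filtered by RequestedClaimTypes and so
        // reaches every token this service is consulted for; keep such
        // unconditional claims deliberate and minimal.
        context.IssuedClaims.Add(new Claim("hazaa", "shazoo"));

        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        // Mirror the test-user behaviour: unknown or deactivated users get no token.
        var user = _users.FindBySubjectId(context.Subject.GetSubjectId());
        context.IsActive = user?.IsActive == true;
        return Task.CompletedTask;
    }
}
```

With a database-backed user store the same shape applies: load the user by subject id, pass its claims to AddRequestedClaims, and add any unconditional claims afterwards.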

0 Answers