
I would like to be able to issue a phone_number claim xor email claim depending on what is required by the client. I use Identity Server 5(Duende) but the answer will be the same for Identity Server 4.

I understand that I can add a claim to identity token in ProfileService, however how to configure the client in the db so I will be able to check what is required by a client in the profile service?

Yoda

1 Answer

The additional claims should be configured in either ApiScopeClaims/ApiResourceClaims or IdentityResourceClaims, depending on whether the claim should be included in the access token or the id token (it could be both).

For example, if you have:

IdentityResource { Id = 1, Name = "profile" }

Then in IdentityResourceClaims table you should add:

IdentityResourceClaim { Id = 1, IdentityResourceId = 1, Type = "phone_number" }
IdentityResourceClaim { Id = 2, IdentityResourceId = 1, Type = "email" }

Then, when the client requests the profile scope, the phone_number and email claim types will be included in ProfileDataRequestContext.RequestedClaimTypes in the ProfileService.

Then inside ProfileService you can use ProfileDataRequestContext.RequestedClaimTypes and context.AddRequestedClaims to only add the claims that were requested by the client:

```csharp
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
    if (context.RequestedClaimTypes.Any())
    {
        ...

        // create the user claims list
        var claims = CreateClaims(user);

        // this will filter claims list and only add those requested by the client
        context.AddRequestedClaims(claims);
    }
}
```
Dimitris Maragkos
  • Is `ClientClaims` not the correct table? I think not, but I want to be sure, as this is a UserClaim that I want to issue, but conditionally; then what you propose, `ClientProperties`, would be the correct way. – Yoda Sep 22 '22 at 11:04
  • Updated with better answer. – Dimitris Maragkos Sep 22 '22 at 11:40
  • Thank you very much, but there is something I don't understand: how do I indicate in the db that one client wants email but another wants phone_number? It's one xor the other. What you are showing seems to be a global config for all the clients, so that they will always get email and phone, but I want to specify that they can get one xor the other. – Yoda Sep 22 '22 at 12:40
  • In the database you define the client's `AllowedScopes`. Then, when the authentication flow happens, that client requests some or all of those scopes. Each scope is linked to claims. So if you create a scope that is linked to the `phone_number` claim and only allow this scope to a specific client, then only this client will get the `phone_number` claim. – Dimitris Maragkos Sep 22 '22 at 12:40
  • Last question, because I can't find it in the docs: I can't see an `AllowedScopes` table, but I see a `ClientScopes` one; is this the one where I define those `AllowedScopes`? – Yoda Sep 22 '22 at 13:52
  • Yes, you should define the scopes in the `ClientScopes` table. – Dimitris Maragkos Sep 22 '22 at 13:57
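As an added example (not code from the answer or from Duende), here is the in-memory equivalent of the rows the answer and comments describe: two identity resources, one releasing `email` and one releasing `phone_number`, and two clients that are each allowed only one of those scopes, so the ProfileService's `AddRequestedClaims` call can only ever release that one claim to each client. The client ids, secret, redirect URIs and the user's claim values are constructed placeholders; with the EF stores the same data lives in the IdentityResources/IdentityResourceClaims and Clients/ClientScopes tables.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Duende.IdentityServer.Models;
using Duende.IdentityServer.Services;
using IdentityModel;

public static class Config
{
    // Equivalent of IdentityResources + IdentityResourceClaims rows:
    // scope "email" releases the email claim, scope "phone" releases phone_number.
    public static IEnumerable<IdentityResource> IdentityResources => new IdentityResource[]
    {
        new IdentityResources.OpenId(),
        new IdentityResource("email", new[] { JwtClaimTypes.Email }),
        new IdentityResource("phone", new[] { JwtClaimTypes.PhoneNumber }),
    };

    // Equivalent of Clients + ClientScopes rows: each client is allowed exactly one
    // of the two scopes, so it cannot even request the other claim.
    // Client ids, secret and redirect URIs are placeholders for this example.
    public static IEnumerable<Client> Clients => new[]
    {
        ClientFor("email-client", "email"),
        ClientFor("phone-client", "phone"),
    };

    private static Client ClientFor(string clientId, string claimScope) => new Client
    {
        ClientId = clientId,
        AllowedGrantTypes = GrantTypes.Code,
        ClientSecrets = { new Secret("placeholder-secret".Sha256()) },
        RedirectUris = { $"https://{clientId}.example/signin-oidc" },
        AllowedScopes = { "openid", claimScope },
    };
}

public class SelectiveClaimsProfileService : IProfileService
{
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // Constructed user claims; a real service loads them from its user store.
        var userClaims = new[]
        {
            new Claim(JwtClaimTypes.Email, "user@example.com"),
            new Claim(JwtClaimTypes.PhoneNumber, "+10000000000"),
        };
        // RequestedClaimTypes holds only the claim types behind the scopes this client
        // was allowed and requested, so AddRequestedClaims drops the other claim.
        context.AddRequestedClaims(userClaims);
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context) { context.IsActive = true; return Task.CompletedTask; }
}
```

Register the service with `builder.Services.AddIdentityServer().AddProfileService<SelectiveClaimsProfileService>()` (or the EF stores in place of the in-memory config) and the `email-client` token will carry only `email` while `phone-client` gets only `phone_number`.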