How to add claims to access token get from IdentityServer3 using resource owner flow with javascript client

Asked 26/11, 2015 at 22:35 Answered 18/8, 2016 at 14:26

asp.net-web-api oauth-2.0 openid identityserver3 identityserver2

I use the resource owner flow with IdentityServer3 and send get token request to identity server token endpoint with username and password in javascript as below:

        function getToken() {
        var uid = document.getElementById("username").value;
        var pwd = document.getElementById("password").value;
        var xhr = new XMLHttpRequest();
        xhr.onload = function (e) {
            console.log(xhr.status);
            console.log(xhr.response);
            var response_data = JSON.parse(xhr.response);
            if (xhr.status === 200 && response_data.access_token) {
                getUserInfo(response_data.access_token);
                getValue(response_data.access_token);
            }
        }
        xhr.open("POST", tokenUrl);
        var data = {
            username: uid,
            password: pwd,
            grant_type: "password",
            scope: "openid profile roles",
            client_id: 'client_id'
        };
        var body = "";
        for (var key in data) {
            if (body.length) {
                body += "&";
            }
            body += key + "=";
            body += encodeURIComponent(data[key]);
        }
        xhr.setRequestHeader("Authorization", "Basic " + btoa(client_id + ":" + client_secret));
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        xhr.send(body);
    }

The access token is returned from identity server and user is authenticated. Then I use this token to send request to my Web Api.

The problem is that when I check if the user is assigned a role, I find the claim doesn't exist.

    [Authorize]
    // GET api/values
    public IEnumerable<string> Get()
    {
        var id = RequestContext.Principal as ClaimsPrincipal;
        bool geek = id.HasClaim("role", "Geek");  // false here
        bool asset_mgr = id.HasClaim("role", "asset_manager"); // false here
        return new string[] { "value1", "value2" };
    }

Here is how the client is defined in identity server.

new Client 
            {
                ClientName = "Client",
                ClientId = "client_id",
                Flow = Flows.ResourceOwner,
                RequireConsent = false,
                AllowRememberConsent = false,

                AllowedScopes = new List<string>
                {
                    "openid",
                    "profile",
                    "roles",
                    "sampleApi"
                },
                AbsoluteRefreshTokenLifetime = 86400,
                SlidingRefreshTokenLifetime = 43200,
                RefreshTokenUsage = TokenUsage.OneTimeOnly,
                RefreshTokenExpiration = TokenExpiration.Sliding,
                ClientSecrets = new List<Secret>
                {
                    new Secret("4C701024-0770-4794-B93D-52B5EB6487A0".Sha256())
                },
            },

and this is how the user is defined:

new InMemoryUser
            {
                Username = "bob",
                Password = "secret",
                Subject = "1",

                Claims = new[]
                {
                    new Claim(Constants.ClaimTypes.GivenName, "Bob"),
                    new Claim(Constants.ClaimTypes.FamilyName, "Smith"),
                    new Claim(Constants.ClaimTypes.Role, "Geek"),
                    new Claim(Constants.ClaimTypes.Role, "Foo")
                }
            }

How can I add claims to the access_token in this case? Thanks a lot!

Chine answered 26/11, 2015 at 22:35 Comment(1)

The right answer is here: #34107646 – Comeaux 6/12, 2015 at 10:13

I have just spent a while figuring this out myself. @leastprivilege's comment on Yang's answer had the clue, this answer is just expanding on it.
It's all down to how the oAuth and OIDC specs evolved, it's not an artefact of IdentityServer (which is awesome). Firstly, here is a fairly decent discussion of the differences between identity tokens and access tokens: https://github.com/IdentityServer/IdentityServer3/issues/2015 which is worth a read.

With Resource Owner flow, like you are doing, you will always get an Access Token. By default and per the spec, you shouldn't include claims in that token (see the above link for why). But, in practice, it is very nice when you can; it saves you extra effort on both client and server.

What Leastprivilege is referring to is that you need to create a scope, something like this:

new Scope
{
    Name = "member",
    DisplayName = "member",
    Type = ScopeType.Resource,

    Claims = new List<ScopeClaim>
        {
              new ScopeClaim("role"),
              new ScopeClaim(Constants.ClaimTypes.Name),
              new ScopeClaim(Constants.ClaimTypes.Email)
        },

    IncludeAllClaimsForUser = true
}

And then you need to request that scope when you ask for the token. I.e. your line scope: "openid profile roles", should change to scope: "member", (well, I say that - scopes play a dual role here, as far as I can see - they are also a form of control, i.e. the client is asking for certain scopes and can be rejected if it is not allowed those but that is another topic).

Note the important line that eluded me for a while, which is Type = ScopeType.Resource (because Access Tokens are about controlling access to resources). This means it will apply to Access Tokens and the specified claims will be included in the token (I think, possibly, against spec but wonderfully).

Finally, in my example I have included both some specific claims as well as IncludeAllClaimsForUser which is obviously silly, but just wanted to show you some options.

Dehiscent answered 21/2, 2016 at 17:6 Comment(6)

Great answer! Very clear and helpful. If my understanding is correct, does that mean access token has no intention to include claims in it and if one wants to check the user's claims a separate request would be more preferable option? That way the claims can be different to each user with the same scope. Am I right? The problem I wanted to solve was to provide different claims to different users. – Chine 22/2, 2016 at 2:28

In my application, I end up with a solution to only put generic claims in the scope and let the client application make a separate request to an api service to find out capabilities (claims) of a user. – Chine 22/2, 2016 at 2:31

@Yang, yes, technically access tokens aren't meant to include claims like names, so technically you are supposed to get that separately. It's just inconvenient. And yes, this solution will give each user their personal claims. – Dehiscent 22/2, 2016 at 7:9

Anyone know why this doesn't work in IdentityServer4? – Wini 30/10, 2016 at 5:59

This works perfectly for InMemoryUser, but when I change to use my UserService which inherits UserServiceBase, it doesn't add the roles to the access token. In AuthenticateLocalAsync, I set as the following: context.AuthenticateResult = new AuthenticateResult(context.UserName, context.UserName, claims); Anyone knows why? – Conium 3/8, 2020 at 21:3

I found the answer for Quan's question, we have to override GetProfileDataAsync and add the roles to context.IssuedClaims. More info: identityserver.github.io/Documentation/docsv2/advanced/… – Conium 3/8, 2020 at 21:38

I find I can achieve this by replacing the default IClaimsProvider of IdentityServerServiceFactory.

The cusomized IClaimsProvider is as below:

public class MyClaimsProvider : DefaultClaimsProvider
{
    public MaccapClaimsProvider(IUserService users) : base(users)
    {
    }

    public override Task<IEnumerable<Claim>> GetAccessTokenClaimsAsync(ClaimsPrincipal subject, Client client, IEnumerable<Scope> scopes, ValidatedRequest request)
    {
        var baseclaims = base.GetAccessTokenClaimsAsync(subject, client, scopes, request);

        var claims = new List<Claim>();
        if (subject.Identity.Name == "bob")
        {
            claims.Add(new Claim("role", "super_user"));
            claims.Add(new Claim("role", "asset_manager"));
        }

        claims.AddRange(baseclaims.Result);

        return Task.FromResult(claims.AsEnumerable());
    }

    public override Task<IEnumerable<Claim>> GetIdentityTokenClaimsAsync(ClaimsPrincipal subject, Client client, IEnumerable<Scope> scopes, bool includeAllIdentityClaims, ValidatedRequest request)
    {
        var rst = base.GetIdentityTokenClaimsAsync(subject, client, scopes, includeAllIdentityClaims, request);
        return rst;
    }
}

Then, replace the IClaimsProvider like this:

// custom claims provider
factory.ClaimsProvider = new Registration<IClaimsProvider>(typeof(MyClaimsProvider));

The result is that, when the request for access token is sent to token endpoint the claims are added to the access_token.

Chine answered 27/11, 2015 at 4:49 Comment(2)

Besides that this is not the way to do it. Create a scope and assign the claims to it that you need. Then request the scope. Our default claims provider will then call the user service to retrieve the claims. – Comeaux 6/12, 2015 at 10:12

@Comeaux What if the claims are different to different users? If I associate the claims to a scope, does that mean the claims will be the same for all users? – Chine 7/12, 2015 at 3:28

Not only that I tried other methods, I tried all possible combinations of scopes etc. All I could read in the access token was "scope", "scope name", for Resource Flow there were no claims I have added period.

I had to do all this

Add custom UserServiceBase and override AuthenticateLocalAsync since I have username/password there and I need both to fetch things from the database
Add claims that I need in the same function (this on itself will not add claim to Access Token, however you will able to read them in various ClaimsPrincipal parameters around)
Add custom DefaultClaimsProvider and override GetAccessTokenClaimsAsync where ClaimsPrincipal subject contains the claims I previously set, I just take them out and put again into ølist of claims for the result.

I guess this last step might be done overriding GetProfileDataAsync in the custom UserServiceBase, but the above just worked so I did not want to bother.

The general problem is not how to set claims, it is where you populate them. You have to override something somewhere.

This here worked for me since I needed data from a database, someone else should populate claims elsewhere. But they are not going to magically appear just because you nicely set Scopes and Claims Identity Server configurations.

Most of the answers say not a word about where to set the claim values properly. In each particular override you have done, the passed parameters, when they have claims, in the function are attached to identity or access token.

Just take care of that and all will be fine.

Nick answered 18/8, 2016 at 14:26 Comment(0)

Recommended topics

Hot tags