Login/Register
oidc-client-js is not getting claims correctly from Identity Server 4
Asked Answered
Solved javascriptasp.netidentityserver4openid-connectoidc-client-js
B

1

6

I have a local instance of Identity Server 4 and I'm trying to follow this guide to create a Javascript client. This uses the oidc-client-js library and I'm using the signin popup approach so my sign in event handler looks like this:

signin(e) {
    e.preventDefault();
    this.oidcUserMgr.signinPopup({state:'some data'}).then(function(user) {
        console.log("signed in", user.profile);
    }).catch(function(err) {
        console.log(err);
    });
}

Authentication appears to work fine - I'm redirected to my Identity Server which accepts the client request, authenticates my sign in and returns me to the client app. However, the docs say that user.profile object in the above code should contain the user claims but it doesn't. This is the use.profile I get back:

enter image description here

The sub property is the correct ID of the user just authenticated. But my Identity Server also issued claims in response to the other scopes my client requested (profile and email) so I should be seeing claims such as name, preferred_username, email etc). I can observe these claims being issued when debugging my IProfileService implementation in IS4. Furthermore, if I use the access_token returned with the user object to make a request to another API running locally (an ASP.NET Web API) I do see these claims in this.User.Claims:

enter image description here

So how can I get hold of these claims in my Javascript code?

Bonniebonns answered 12/3, 2018 at 8:49 Comment(4)
Could you use userinfo endpoint which should be standard openId Connect implementation. That api should return you all the response required?Gambit
@Gambit My assumption is that the openid-connect-js library already does this since the IS4 docs suggest it should populate user.profile with requested claims.Bonniebonns
Did you set scopes inside your JSapp and in the database [ClientScopes] ? Your app need to request them so they will be on the response.Medial
@getsetcode Sorry to ask here, but, how are you getting those user claims (name, email, etc) in the external API project? When I access this.User.Claims in an ApiController I don't see those user claims, just the "basic" client ones.Hereto
M
8

Those user claims are likely coming inside the ID Token. To make this work, check if you've got AlwaysIncludeUserClaimsInIdToken = true in your IDP Provider's Client configuration, like

        public static IEnumerable<Client> GetClients()
    {
        return new List<Client>()
        {
            new Client()
            {
                ClientName = "IDP Client",
                ClientId = "client",
                ClientSecrets = { new Secret("secret".Sha256()) },
                AllowedGrantTypes =  GrantTypes.Hybrid,
                RedirectUris = new List<string>()
                {
                    "http://localhost:60811/signin-oidc"
                },
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "myapi"
                },
                AlwaysIncludeUserClaimsInIdToken = true,
                AllowOfflineAccess = true
            },
Milanmilanese answered 13/3, 2018 at 0:50 Comment(1)
You're absolutely right. I'd not been made aware of that property before. Thank you. From the docs: "AlwaysIncludeUserClaimsInIdToken - When requesting both an id token and access token, should the user claims always be added to the id token instead of requring the client to use the userinfo endpoint. Default is false." (ref. docs.identityserver.io/en/release/reference/…)Bonniebonns

© 2022 - 2024 — McMap. All rights reserved.