How do I get the claims from an openid access token in asp.net core?
My application authenticates using OpenId like this:

services.AddAuthentication(o =>
{
    o.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    o.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(o =>
{
    o.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    o.Scope.Add("openid");
    o.Scope.Add("permissions");
    o.Authority = "https://localhost:44305";
    o.ClientId = "MyTestClient";
    o.ClientSecret = "MyTestClientSecret";
    o.ResponseType = OpenIdConnectResponseType.IdTokenToken;
});

When I check the User object after authenticating, it only has claims from the ID token, not the access token. How do I get the claims from the access token?

Decillion answered 28/8, 2017 at 21:0 Comment(3)
I have exactly the same issue, did you ever find a solution? Thanks (Killebrew)
@MatthewChristianson nope :( (Decillion)
I've added an answer that worked for me. I could never get an access_token from OpenId (Killebrew)
You can use the OnTokenResponseReceived event from OpenIdConnectOptions.Events.

services.AddAuthentication(o =>
{
    o.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    o.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(o =>
{
    o.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    o.Scope.Add("openid");
    o.Scope.Add("permissions");
    o.Authority = "https://localhost:44305";
    o.ClientId = "MyTestClient";
    o.ClientSecret = "MyTestClientSecret";
    o.ResponseType = OpenIdConnectResponseType.IdTokenToken;
    o.Events = new OpenIdConnectEvents
    {
        // Raised after the handler has redeemed the authorization code at the
        // token endpoint; ctx.TokenEndpointResponse carries the raw token response.
        // Needs: using System.IdentityModel.Tokens.Jwt; using System.Threading.Tasks;
        OnTokenResponseReceived = ctx =>
        {
            var handler = new JwtSecurityTokenHandler();
            // ReadJwtToken only decodes the token; it does not verify the signature.
            var jsonToken = handler.ReadJwtToken(ctx.TokenEndpointResponse.AccessToken);

            // jsonToken.Claims <-- here you go, update ctx.Principal if necessary.

            return Task.CompletedTask;
        }
    };
});
Scarlet answered 2/8, 2018 at 13:16 Comment(1)
I note that this only works if the OIDC server is returning JWT access_tokens. OIDC does not require JWT to be used as they could also be "reference" (or "opaque") tokens which cannot be parsed to get Claims. So YMMV. (Mesial)
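An added example (not from the answer above or from the ASP.NET Core project) that covers the two gaps the answer and the comment leave open: with the question's `id_token token` response type the access token arrives on the front channel and the token endpoint is never called, so `OnTokenResponseReceived` does not fire; and `ReadJwtToken` decodes without checking the signature, so claims copied from it into the cookie principal would be trusted unverified. The handler below hooks `OnTokenValidated` instead, takes the access token from `ctx.TokenEndpointResponse` (code flow) or `ctx.ProtocolMessage` (implicit/hybrid), skips opaque tokens, validates a JWT access token against the provider's discovery-document signing keys, and only then copies claims. The claim type `permission` and the assumption that access tokens are signed with the same keys as ID tokens are this example's, not the page's.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class AccessTokenClaims
{
    // Hypothetical claim type this client wants on its principal (assumption).
    private const string PermissionClaim = "permission";

    public static OpenIdConnectEvents Events() => new OpenIdConnectEvents
    {
        OnTokenValidated = async ctx =>
        {
            // Code flow: the handler already redeemed the code, so the token
            // endpoint response is populated. Implicit/hybrid ("id_token token"):
            // the access token came with the authorization response instead.
            var accessToken = ctx.TokenEndpointResponse?.AccessToken
                              ?? ctx.ProtocolMessage?.AccessToken;
            if (string.IsNullOrEmpty(accessToken))
                return;

            var handler = new JwtSecurityTokenHandler();
            // Reference (opaque) access tokens are not JWTs; there is nothing
            // to parse, so fall back to the userinfo/introspection endpoint.
            if (!handler.CanReadToken(accessToken))
                return;

            // Verify the signature against the provider's published keys rather
            // than trusting an unsigned ReadJwtToken() parse. Assumes the access
            // token is signed with the keys advertised in the discovery document.
            var config = await ctx.Options.ConfigurationManager
                .GetConfigurationAsync(ctx.HttpContext.RequestAborted);
            var parameters = new TokenValidationParameters
            {
                ValidIssuer = config.Issuer,
                IssuerSigningKeys = config.SigningKeys,
                ValidateAudience = false, // audience is the API, not this client
                ValidateLifetime = true,
            };

            ClaimsPrincipal fromAccessToken;
            try
            {
                fromAccessToken = handler.ValidateToken(accessToken, parameters, out _);
            }
            catch (SecurityTokenException)
            {
                // A tampered or expired access token fails the whole sign-in.
                ctx.Fail("access token failed signature or lifetime validation");
                return;
            }

            // Copy only the claims we actually need onto the cookie principal;
            // skip duplicates the ID token already supplied.
            var identity = (ClaimsIdentity)ctx.Principal.Identity;
            foreach (var claim in fromAccessToken.FindAll(PermissionClaim))
            {
                if (!identity.HasClaim(claim.Type, claim.Value))
                    identity.AddClaim(new Claim(claim.Type, claim.Value,
                                                claim.ValueType, claim.Issuer));
            }
        }
    };
}
```

Wire it in with `o.Events = AccessTokenClaims.Events();` inside `AddOpenIdConnect`. Because the claims are added before the cookie is issued, they persist for the session; if the API's permissions can change mid-session, prefer `GetClaimsFromUserInfoEndpoint = true` or a short cookie lifetime over parsing the access token at all.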
I believe you need to intercept the OnAuthorizationCodeReceived event from AddOpenIdConnect(). From there you should have access to ctx.ProtocolMessage.Code which is the AuthorizationCode used with AcquireTokenByAuthorizationCodeAsync() to generate further tokens. You also need to set ResponseType to "code id_token" in order that a code is also generated for you. A good tutorial for this is https://joonasw.net/view/aspnet-core-2-azure-ad-authenticatio. Hope this helps

Killebrew answered 22/2, 2018 at 10:48 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.