How to add custom claims to access token in IdentityServer4? [closed]

Asked 26/6, 2017 at 13:36 Answered 5/7, 2017 at 17:45

Solved c#asp.net-core oauth-2.0 openid identityserver4

I want to add other custom claims to access token but I'm unable to do this. I have modified Quickstart5 and added ASP.NET Identity Core and the custom claims via ProfileService as suggested by Coemgen below.

You can download my code here: [zip package][3]. (It is based on: Quickstart5 with ASP.NET Identity Core and added claims via ProfileService).

Issue: GetProfileDataAsync does not execute.

Cigarillo answered 26/6, 2017 at 13:36 Comment(1)

I'm rather perplexed by this question, 001. You're clearly a very experienced user of Stack Overflow, but you've put your code in a file locker rather than in the question, and thus it is - as you must know - off topic. Are you able to repair the question, so it is not put on hold? – Elin 20/9, 2017 at 20:11

128

You should implement your own ProfileService. Have a look in this post which I followed when I implemented the same thing:

https://damienbod.com/2016/11/18/extending-identity-in-identityserver4-to-manage-users-in-asp-net-core/

Here is an example of my own implementation:

public class ProfileService : IProfileService
{
    protected UserManager<ApplicationUser> _userManager;

    public ProfileService(UserManager<ApplicationUser> userManager)
    {
        _userManager = userManager;
    }

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        //>Processing
        var user = await _userManager.GetUserAsync(context.Subject);

        var claims = new List<Claim>
        {
            new Claim("FullName", user.FullName),
        };

        context.IssuedClaims.AddRange(claims);
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        //>Processing
        var user = await _userManager.GetUserAsync(context.Subject);
        
        context.IsActive = (user != null) && user.IsActive;
    }
}

Don't forget to configure the service in your Startup.cs (via this answer)

services.AddIdentityServer()
    .AddProfileService<ProfileService>();

Intercessor answered 28/6, 2017 at 6:58 Comment(17)

thanks for that, however, it still does not work! no claims are added! – Cigarillo 28/6, 2017 at 9:4

Are you target the GetProfileDataAsync function in debug mode ? – Intercessor 28/6, 2017 at 9:10

I am viewing the claims on the "secure" page here github.com/IdentityServer/IdentityServer4.Samples/blob/release/… – Cigarillo 28/6, 2017 at 10:13

What happens when you target your API ? What are the claims ? – Intercessor 28/6, 2017 at 10:14

All claims passed on the secure page is the same claims passed by the api. And they do not include the claims i added above via "ProfileService" – Cigarillo 28/6, 2017 at 10:19

Okay, but if you add a break point, did you target GetProfileDataAsync ? – Intercessor 28/6, 2017 at 10:20

Let us continue this discussion in chat. – Intercessor 28/6, 2017 at 10:24

On startup, it executes this " services.AddTransient<IProfileService, ProfileService>(); //AddClaims" but it break point, does not execute GetProfileDataAsync method – Cigarillo 28/6, 2017 at 10:28

Let us continue this discussion in chat. – Cigarillo 29/6, 2017 at 9:53

If that does not work you may try to delete cookies for that site or at least to log out from your application and IdentityServer – Hydrolyse 28/1, 2020 at 14:32

See the answer of 001 below to have something that works ;-) – Tirpitz 11/8, 2020 at 20:4

I had a problem where it wasn't being added to the ServicesCollection. I had to move the services.AddTransient above the AddIdentityServer. – Alvardo 3/5, 2021 at 1:11

if you are calling _userManager.GetUserAsync in Login method to raise UserLoginSuccessEvent then _userManager.GetUserAsync will called twice? hitting DB twice? – Rudolph 10/9, 2021 at 3:56

This doesn't work for client_credentials – Glance 12/4, 2022 at 8:21

it is beyond me how information like this dont exist in the acutal documentation. thanks! – Emylee 27/10, 2023 at 10:40

adding claims directly to IssuedClaims is not recommended. the recommended way is to use method context.AddRequestedClaims link to add only requested claims. and define UserClaims in ApiScope link to make those claims represent in requested claims. – Acknowledge 31/10, 2023 at 20:27

I had to add AddProfileService<ProfileService>() after .AddAspNetIdentity<ApplicationUser>() to make it work – Mamoun 6/12, 2023 at 17:27

Ok the issue here is this:

although you have configured your available Identity resources correctly (both standard & custom), you also need to explicitly define which ones are a necessity when calling your api resource. In order to define this you must go to your Config.cs class on ExampleIdentityServer project and provide a third argument like on the new ApiResouirce constructor. Only those will be included into the access_token

// scopes define the API resources in your system
public static IEnumerable<ApiResource> GetApiResources()
{
    return new List<ApiResource>
    {
        new ApiResource("api1", "My API", new[] { JwtClaimTypes.Subject, JwtClaimTypes.Email, JwtClaimTypes.Phone, etc... })
    };
}

In essence this means that I got my identity claims configured for my organization but there may be more than one APIs involved and not all of the APIs make use of all available profile claims. This also means that these will be present inside your ClaimsPrincipal all the rest can still be accessed through the "userinfo" endpoint as a normal http call.

NOTE: regarding refresh tokens:

If you chose to enable refresh tokens via AllowOfflineAccess = true, you may experience the same behavior upon refreshing the access_token "GetProfileDataAsync does not execute!". So the claims inside the access_token stay the same although you get a new access_token with updated lifetime. If that is the case you can force them to always refresh from the Profile service by setting UpdateAccessTokenClaimsOnRefresh=true on the client configuration.

Commissar answered 5/7, 2017 at 17:45 Comment(0)

Issue found.

In startup.cs, instead of adding services.AddTransient<IProfileService, ProfileService>();, add .AddProfileService<ProfileService>() to services.AddIdentityServer().

You will end up with

services.AddIdentityServer()
    .AddTemporarySigningCredential()
    .AddInMemoryIdentityResources(Config.GetIdentityResources())
    .AddInMemoryApiResources(Config.GetApiResources())
    .AddInMemoryClients(Config.GetClients())
    .AddAspNetIdentity<ApplicationUser>()
    .AddProfileService<ProfileService>();

Thanks for Coemgen for helping out! Nothing wrong with the code, just the startup was wrong.

Cigarillo answered 29/6, 2017 at 10:11 Comment(7)

That's interresting. You also should be able to use services.AddTransient<IProfileService, ProfileService>(); . – Intercessor 29/6, 2017 at 10:14

There is a great example on the Microsoft Architecture GitHub repository : github.com/dotnet-architecture/eShopOnContainers/blob/master/… – Ocean 29/6, 2017 at 10:14

@Coemgen you can do that too! but you must add " services.AddTransient<IProfileService, ProfileService>();" after "services.AddIdentityServer()" :) – Cigarillo 29/6, 2017 at 10:20

You can simply do this services.AddTransient<IdentityServer4.Services.IProfileService, CustomUserProfileService>(); and that will work – Ironbark 22/9, 2017 at 10:13

I believe that if you want to stick with services.AddTransient<IProfileService, ProfileService>(); you should do that after adding identityserver to services so your registration will override that one made by IS – Uranie 10/2, 2018 at 11:3

This works perfectly! Thank you. – Leeann 4/5, 2020 at 18:42

for anyone reading, order matters and the profileService should be registered last. – Arleta 24/4, 2022 at 4:4

You can include any claim by using UserClaims option in your GetIdentityResources() in the config class :

UserClaims: List of associated user claim types that should be included in the identity token. (As per the official documentation) http://docs.identityserver.io/en/release/reference/identity_resource.html#refidentityresource

Hodess answered 27/6, 2017 at 18:54 Comment(2)

I tried that, it doesnt work! – Cigarillo 28/6, 2017 at 2:50

I followed this, it does not work! docs.identityserver.io/en/release/topics/… – Cigarillo 28/6, 2017 at 2:51

Ok the issue here is this:

NOTE: regarding refresh tokens:

Recommended topics

Hot tags