With IdentityServer 4 v4.0 and Asp.Net Core Identity 3.1 I get the claims after login:
sub: 1
http://schemas.microsoft.com/ws/2008/06/identity/claims/role: Admin
preferred_username: john@domain.com
name: john@domain.com
email: john@domain.com
email_verified: true
amr: pwd
idp: local
auth_time: 1592937212
But in OIDC Client JS which I used to login I get:
sub: "1"
preferred_username: "john@domain.com"
name: "john@domain.com"
email: "john@domain.com"
email_verified: true
amr: ["pwd"] (1)
idp: "local"
auth_time: 1592937212
Questions
name claim is the email and not the user name?On the OIDC Client the settings are:
const settings : UserManagerSettings = {
automaticSilentRenew: true,
authority: this.environment.authAuthorityUrl,
client_id: 'spa',
filterProtocolClaims: true,
loadUserInfo: true,
post_logout_redirect_uri: this.environment.authPostLogoutRedirectUrl,
redirect_uri: this.environment.authRedirectUrl,
response_mode: 'query',
response_type: 'code',
scope: 'openid profile email offline_access api',
silent_redirect_uri: this.environment.authSilentRedirectUrl
};
On the ASP.NET Core 3.1 Startup I have:
services
.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddInMemoryPersistedGrants()
.AddInMemoryIdentityResources(IdentityConfiguration.GetIdentityResources())
.AddInMemoryApiResources(IdentityConfiguration.GetApiResources())
.AddInMemoryApiScopes(IdentityConfiguration.GetApiScopes())
.AddInMemoryClients(IdentityConfiguration.GetClients())
.AddAspNetIdentity<User>();
And the IdentityConfiguration class is:
public class IdentityConfiguration {
public static List<ApiResource> GetApiResources() {
return new List<ApiResource> {
new ApiResource("api", "API Resource")
};
}
public static List<ApiScope> GetApiScopes() {
return new List<ApiScope> {
new ApiScope("api", "api")
};
}
public static List<IdentityResource> GetIdentityResources() {
return new List<IdentityResource> {
new IdentityResources.OpenId(),
new IdentityResources.Profile(),
new IdentityResources.Email()
};
}
public static List<Client> GetClients(IConfiguration configuration) {
Settings settings = configuration.Get<Settings>();
return new List<Client> {
new Client {
ClientId = "spa",
ClientName = "SPA Client",
AllowAccessTokensViaBrowser = true,
AllowedGrantTypes = GrantTypes.Code,
AllowOfflineAccess = true,
RequireClientSecret = false,
RequireConsent = false,
RequirePkce = true,
AccessTokenType = AccessTokenType.Jwt,
AccessTokenLifetime = 3600,
IdentityTokenLifetime = 360,
RefreshTokenUsage = TokenUsage.ReUse,
AlwaysSendClientClaims = true,
UpdateAccessTokenClaimsOnRefresh = true,
AlwaysIncludeUserClaimsInIdToken = true,
AllowedScopes = {
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
IdentityServerConstants.StandardScopes.OfflineAccess,
"api"
},
AllowedCorsOrigins = settings.Path.AllowedCorsOrigins,
PostLogoutRedirectUris = settings.Path.PostLogoutRedirectUris,
RedirectUris = settings.Path.RedirectUris
}
};
}
}
Update 1
I created the user using UserManager as follows:
var user = new User {
// User properties
}
var claims = new List<Claim> {
new Claim(ClaimTypes.Role, "Admin")
}
await userManager.CreateAsync(user, password);
foreach (var claim in claims)
await userManager.AddClaimAsync(user, claim);
I checked the database and the User is created and the Claim saved in UserClaims table.
Update 2
To include User's FullName I implemented IdentityService's IProfileService:
public class ProfileService : IProfileService {
protected UserManager<User> _userManager;
public ProfileService(UserManager<User> userManager) {
_userManager = userManager;
}
public async Task GetProfileDataAsync(ProfileDataRequestContext context) {
User user = await _userManager.GetUserAsync(context.Subject);
List<Claim> claims = new List<Claim> {
new Claim(JwtClaimTypes.Name, user.Name),
};
context.IssuedClaims.AddRange(claims);
}
public async Task IsActiveAsync(IsActiveContext context) {
User user = await _userManager.GetUserAsync(context.Subject);
context.IsActive = (user != null) && user.IsActive;
}
}
This also does something strange. The server Claims are the same:
sub: 1
http://schemas.microsoft.com/ws/2008/06/identity/claims/role: Admin
preferred_username: john@domain.com
name: john@domain.com
email: john@domain.com
email_verified: true
amr: pwd
idp: local
auth_time: 1592937212
And the Client claims become:
sub: 1
name: John Smith
amr: pwd
idp: local
auth_time: 1592937212
So the Server Claims don't get the Name changed and the Client Claims loose all the emails and preferred_username but get the correct Name.
The Role keeps showing on Server but not on Client.
ClaimTypes.Role by JwtClaimTypes.Role.Edit:
In your ProfileService constructor inject IUserClaimsPrincipalFactory and apply the following changes to your GetProfileDataAsync() function:
private readonly IUserClaimsPrincipalFactory<User> _claimsFactory;
private readonly UserManager<User> _userManager;
public ProfileService(UserManager<User> userManager, IUserClaimsPrincipalFactory<IdentityUser> claimsFactory)
{
_userManager = userManager;
_claimsFactory = claimsFactory;
}
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var sub = context.Subject.GetSubjectId();
var user = await _userManager.FindByIdAsync(sub);
var principal = await _claimsFactory.CreateAsync(user);
var claims = principal.Claims.ToList();
context.IssuedClaims = claims;
}