How to pass additional values to MVC client from Identity Server 4 after authenticating user


How can we pass additional data to Client application from Identity Server 4 in response after successful authentication?

We are using Identity Server 4 as an Auth server for our application to have user authentication and SSO feature. User information is stored and is getting authenticated by an external service. IDS calls the external service for user authentication. On successful authentication, the service returns the response back to IDS with 2 parameters:

  1. Authorization code
  2. Additional information (a collection of attributes) for the user.

IDS further generates an ID token and returns the response back to the MVC client with standard user claims. I want to pass the additional user information (attributes) to the client application to display it on a page. We tried adding the attributes as a claims collection through the context.IssuedClaims option, but still I am not getting those attributes added and accessible in the User.Claims collection in the MVC client app.

Can anyone suggest an alternative way by which we can pass those custom attributes to the client app, either through claims or any other mode (HttpContext.Items collection etc.)?


Solution

Only some user claims provided by the IDS will be passed into the User.Claims collection. You need to explicitly map those additional claims in the client application, using code like:

    options.ClaimActions.MapUniqueJsonKey("website", "website");
    options.ClaimActions.MapUniqueJsonKey("gender", "gender");
    options.ClaimActions.MapUniqueJsonKey("birthdate", "birthdate");

    Do look at what is actually passed in the ID token and what is available from the /UserInfo endpoint. Most of the time the claims will be there.

    You can google for Claims Transformation for more details. You can also take a look at this article.

    To stop it from including the claims in the ID token you can set the AlwaysIncludeUserClaimsInIdToken property to false in the client definition and set:

    options.GetClaimsFromUserInfoEndpoint = true;

    in the client (AddOpenIdConnect).

    To complement this answer, I wrote a blog post that goes into more detail about this topic: Debugging OpenID Connect claim problems in ASP.NET Core
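As an added example (not code from the question, the answer, or the IdentityServer project), here is the wiring on both sides that the answer describes: an IdentityResource on the IdentityServer4 host that names the custom claims, a client definition with AlwaysIncludeUserClaimsInIdToken = false, an IProfileService that issues the attributes returned by the external service, and the MVC client's AddOpenIdConnect configuration with GetClaimsFromUserInfoEndpoint and the ClaimActions mappings. The claim names "department" and "region", the scope name "attributes", the client id, the secret placeholder, the URLs and the IExternalUserDirectory helper are all assumptions constructed for this example.

```csharp
// Added example, not from the original page. Claim names, scope name,
// client id/secret, URLs and IExternalUserDirectory are constructed here.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;

// ---------- IdentityServer4 host ----------

public static class Config
{
    // An identity resource that names the custom claims. A client has to
    // request this scope, so the attributes are only released on purpose.
    public static IEnumerable<IdentityResource> IdentityResources => new IdentityResource[]
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
        new IdentityResource("attributes", "External user attributes",
                             new[] { "department", "region" })
    };

    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "mvc",
            ClientSecrets = { new Secret("example-secret-placeholder".Sha256()) },
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            RedirectUris = { "https://localhost:5002/signin-oidc" },
            AllowedScopes = { "openid", "profile", "attributes" },
            // Keep the ID token small; the client fetches claims from /userinfo.
            AlwaysIncludeUserClaimsInIdToken = false
        }
    };
}

// Stand-in (assumed) for the external service that authenticated the user
// and returned its collection of attributes.
public interface IExternalUserDirectory
{
    Task<IDictionary<string, string>> GetAttributesAsync(string subjectId);
}

// IdentityServer calls the profile service when it builds the ID token and
// when it serves /userinfo. Only claims that were actually requested are issued.
public class AttributeProfileService : IProfileService
{
    private readonly IExternalUserDirectory _directory;
    public AttributeProfileService(IExternalUserDirectory directory) => _directory = directory;

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var subjectId = context.Subject.FindFirst("sub")?.Value;
        if (subjectId == null) return;

        var attributes = await _directory.GetAttributesAsync(subjectId);
        var available = attributes.Select(kv => new Claim(kv.Key, kv.Value)).ToList();

        // Filters 'available' down to context.RequestedClaimTypes, so a client
        // that did not ask for the "attributes" scope never receives them.
        context.AddRequestedClaims(available);
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        context.IsActive = true; // real code: check the account status in the directory
        return Task.CompletedTask;
    }
}

// Registration in the IdentityServer host's ConfigureServices:
//   services.AddIdentityServer()
//           .AddInMemoryIdentityResources(Config.IdentityResources)
//           .AddInMemoryClients(Config.Clients)
//           .AddProfileService<AttributeProfileService>();

// ---------- MVC client ----------

public static class ClientAuthSetup
{
    public static void ConfigureAuth(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = "Cookies";
            options.DefaultChallengeScheme = "oidc";
        })
        .AddCookie("Cookies")
        .AddOpenIdConnect("oidc", options =>
        {
            options.Authority = "https://localhost:5001";
            options.ClientId = "mvc";
            options.ClientSecret = "example-secret-placeholder";
            options.ResponseType = "code";
            options.Scope.Add("profile");
            options.Scope.Add("attributes"); // ask for the custom claims
            options.GetClaimsFromUserInfoEndpoint = true;

            // The handler discards JSON keys it has no mapping for, so without
            // these lines "department" and "region" never reach User.Claims,
            // which is the symptom described in the question.
            options.ClaimActions.MapUniqueJsonKey("department", "department");
            options.ClaimActions.MapUniqueJsonKey("region", "region");
        });
    }
}
```

With this in place, User.Claims in the MVC app contains "department" and "region" after sign-in. Gating the attributes behind their own scope and letting AddRequestedClaims filter on context.RequestedClaimTypes is deliberate: a second client that only requests openid and profile gets no attributes, and the profile service itself never has to know which client is asking. If a claim is still missing, the answer's advice applies: inspect the ID token and the raw /userinfo response before touching the mappings, because a mapping cannot surface a claim the server never issued.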