Tags: jwt, identityserver4, roles, claims, duende-identity-server

Claims for a role assigned to user not present in the produced JWT


I have a role admin assigned to a user. On that role, there's a claim elevated. When I sign in using authorization code flow and get the token, the sub field is correctly set. However, there's no sight of the role nor the claim for it.

I checked the AspNetUserRoles against the IDs for the user and the role. Those were set up correctly. What more can be the cause of this?

The claims for the client are present in the JWT too but nothing related to the user that just logged in.

Do I have to implement a profile service and amend those manually? I expected the roles that the user is in to be added automatically, along with whatever claims are related to them.


Solution

  • First, you must investigate whether the claim is present in the ID token or from the UserInfo endpoint. You need to do this to isolate whether it is an IdentityServer or client application issue.

    In the client, you have things like claims transformation and claims mapping that you might need to set depending on what your actual needs are.

    For example, on AddOpenIdConnect, there is an option named options.MapInboundClaims that you can set to false.

    You might also need to point out the name of the role and name claim as well using:

    options.TokenValidationParameters = new TokenValidationParameters
    {
        NameClaimType = JwtClaimTypes.Name,
        RoleClaimType = JwtClaimTypes.Role
    };
    

    To add custom claims to the IdentityResource, then here is an example:

    var employeeInfoScope = new IdentityResource()
    {
        Name = "employee_info",
        DisplayName = "Employee information",
        Description = "Employee information including seniority and status...",
        Emphasize = true,
        Enabled = true,
        Required = true,
        ShowInDiscoveryDocument = true,
        UserClaims = new List<string>
        {
            "employment_start",
            "seniority",
            "contractor",
            "employee",
            "management",
            JwtClaimTypes.Role
        }
    };
    

    To complement this answer, I wrote a blog post that goes into more detail about this topic: Debugging OpenID Connect claim problems in ASP.NET Core

    Also, important:

    The claims that go into the access token need to be separately mapped using the ApiScope and ApiResources. The IdentityResource only includes the claims in the ID-token.

    For the ID-token, the client might also get the claims through the UserInfo endpoint. You can also call the Token Introspection endpoint using your access token to see what it knows about the user.
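    Putting the server-side and client-side pieces of this answer together, as an added example (not the answer author's code): resource definitions that carry the role claim into both the ID token and the access token, and the client registration that requests them. The scope names, the "elevated" claim name, the authority and the client id are assumed placeholders.

```csharp
// Added example; scope names, claim name "elevated", authority and client id are assumed.
using System.Collections.Generic;
using Duende.IdentityServer.Models;
using IdentityModel;
using Microsoft.AspNetCore.Authentication;
using Microsoft.IdentityModel.Tokens;

public static class ClaimsConfig
{
    // ID token / UserInfo only: claims listed on an IdentityResource never reach the access token.
    public static IEnumerable<IdentityResource> IdentityResources => new IdentityResource[]
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
        new IdentityResource("employee_info", "Employee information",
            new[] { JwtClaimTypes.Role, "elevated" })
    };

    // Access token: the same claims must be mapped again on the ApiScope and its ApiResource.
    public static IEnumerable<ApiScope> ApiScopes => new[]
    {
        new ApiScope("elevated_api", "Elevated API", new[] { JwtClaimTypes.Role, "elevated" })
    };

    public static IEnumerable<ApiResource> ApiResources => new[]
    {
        new ApiResource("elevated_api_resource")
        {
            Scopes = { "elevated_api" },
            UserClaims = { JwtClaimTypes.Role, "elevated" }
        }
    };

    // Client side: request the scopes, keep the short JWT claim names, and tell ASP.NET Core
    // which claim types represent the user's name and roles.
    public static void ConfigureClient(AuthenticationBuilder builder)
    {
        builder.AddOpenIdConnect("oidc", options =>
        {
            options.Authority = "https://identity.example"; // assumed
            options.ClientId = "mvc";                       // assumed
            options.ResponseType = "code";
            options.Scope.Add("employee_info"); // without the scope the claims are never issued
            options.Scope.Add("elevated_api");
            options.GetClaimsFromUserInfoEndpoint = true;
            options.ClaimActions.MapJsonKey(JwtClaimTypes.Role, JwtClaimTypes.Role); // copy "role" from UserInfo
            options.MapInboundClaims = false; // do not rename "role"/"name" to the long SOAP-style URIs
            options.TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = JwtClaimTypes.Name,
                RoleClaimType = JwtClaimTypes.Role
            };
        });
    }
}
```

    If the role still only shows up in the ID token, the ApiScope/ApiResource mapping is the first thing to re-check, since that is the only path into the access token.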