Tags: openid-connect, asp.net-core-6.0, claims

Populate ClaimsPrincipal with access token claims/attributes using Microsoft.AspNetCore.Authentication.OpenIdConnect


I have set up a simple ASP.NET Core 6 website where I'm using Microsoft.AspNetCore.Authentication.OpenIdConnect for connecting to a Keycloak provider using the auth code flow.

It all works fine... but...

I have noticed that the final ClaimsPrincipal only gets populated with claims from the id_token, and none from the provided access_token. This basically forces me to send the custom claims / attributes both in the access_token and in the id_token.

Is there any way to also append the claims from the access_token?


Solution

  • The client (AddOpenIdConnect) should not need to care about what is found inside the access token. So, yes, the easiest is to add the claims (in both tokens). But usually you need different claims in each one, as the ones in the access token are only needed for authorization.

    However, there is one further option and that is to hook into the events inside AddOpenIdConnect and create a new ClaimsPrincipal object based on the two tokens. See https://github.com/AzureAD/microsoft-identity-web/issues/1525

    The third option is to look into something called claims transformations. https://learn.microsoft.com/en-us/aspnet/core/security/authentication/claims?view=aspnetcore-7.0
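One way to implement the second option (hooking the handler events), as an added example that is not from the answer, the library or the linked issue. It assumes ASP.NET Core 6 with implicit usings, a Keycloak realm at a placeholder URL, and the System.IdentityModel.Tokens.Jwt package that the OpenIdConnect handler already depends on:

```csharp
// Added example: merge access_token claims into the ClaimsPrincipal from OnTokenValidated.
// Assumes ASP.NET Core 6 + ImplicitUsings; Authority/ClientId values are placeholders.
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie("Cookies")
    .AddOpenIdConnect(options =>
    {
        options.Authority = "https://keycloak.example.com/realms/REALM"; // placeholder
        options.ClientId = "CLIENT_ID";                                   // placeholder
        options.ClientSecret = builder.Configuration["Oidc:ClientSecret"];
        options.ResponseType = "code";
        options.SaveTokens = true;

        options.Events.OnTokenValidated = context =>
        {
            // Access token exactly as the token endpoint returned it over the back channel.
            var accessToken = context.TokenEndpointResponse?.AccessToken;
            if (string.IsNullOrEmpty(accessToken) ||
                context.Principal?.Identity is not ClaimsIdentity identity) return Task.CompletedTask;

            // ReadJwtToken decodes without verifying the signature; acceptable only because
            // the token came straight from the provider, not via the browser. Opaque tokens are ignored.
            var handler = new JwtSecurityTokenHandler();
            if (!handler.CanReadToken(accessToken)) return Task.CompletedTask;

            // Skip JWT housekeeping claims and anything the id_token already supplied (id_token wins).
            var skip = new HashSet<string> { "iss", "sub", "aud", "exp", "iat", "nbf",
                                             "jti", "typ", "azp", "nonce", "at_hash", "session_state" };
            foreach (var claim in handler.ReadJwtToken(accessToken).Claims)
            {
                if (skip.Contains(claim.Type)) continue;
                if (identity.HasClaim(c => c.Type == claim.Type && c.Value == claim.Value)) continue;
                identity.AddClaim(new Claim(claim.Type, claim.Value, claim.ValueType, "access_token"));
            }
            return Task.CompletedTask;
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.Run();
```

Claims copied this way carry "access_token" as their issuer value, so an authorization policy can tell them apart from id_token claims if it needs to.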