
I'm using Identity Server 4 and Implicit grant type. I have a SPA which makes authorization request to IS4 with response_type: 'id_token token'.

I have a simple implementation of IProfileService with GetProfileDataAsync method:

    using System.Security.Claims;
    using System.Threading.Tasks;
    using IdentityServer4.Models;

    public virtual Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // Copy the standard claims the requested scopes ask for
        context.AddRequestedClaims(context.Subject.Claims);

        // Custom claims; currently end up in both tokens
        context.IssuedClaims.Add(new Claim("custom1", "custom1"));
        context.IssuedClaims.Add(new Claim("custom2", "custom2"));

        return Task.CompletedTask;
    }

And it works OK; I receive an access_token and an id_token. But they both contain my custom claims.

How can I include in access_token only "custom1" claim, but in id_token both "custom1" and "custom2" claims?

2 Answers


The Profile Service is called multiple times with a different context:

  • For the access token: Context.Caller = ClaimsProviderAccessToken
  • For the identity token: Context.Caller = UserInfoEndpoint

For context specific claims you should check the context caller:

    using System.Security.Claims;
    using System.Threading.Tasks;
    using IdentityServer4.Models;

    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        context.AddRequestedClaims(context.Subject.Claims);
        context.IssuedClaims.Add(new Claim("custom1", "custom1"));

        // Add access token claims
        if (context.Caller == "ClaimsProviderAccessToken")
        {
        }

        // Add identity token claims
        if (context.Caller == "UserInfoEndpoint")
        {
            context.IssuedClaims.Add(new Claim("custom2", "custom2"));
        }

        return Task.CompletedTask;
    }

Ok, thanks to Ruard van Elburg, I was able to do it. Correct answer is:

  • For the access token: Context.Caller = ClaimsProviderAccessToken
  • For the identity token: Context.Caller = ClaimsProviderIdentityToken
  • For userinfo endpoint: Context.Caller = UserInfoEndpoint

And code:

    using System.Security.Claims;
    using System.Threading.Tasks;
    using IdentityServer4.Models;

    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        context.AddRequestedClaims(context.Subject.Claims);

        // Add claims to access token
        if (context.Caller == "ClaimsProviderAccessToken")
        {
            context.IssuedClaims.Add(new Claim("custom1", "custom1"));
        }

        // Add identity token claims
        if (context.Caller == "ClaimsProviderIdentityToken")
        {
            context.IssuedClaims.Add(new Claim("custom1", "custom1"));
            context.IssuedClaims.Add(new Claim("custom2", "custom2"));
        }

        // Add userinfo endpoint claims
        if (context.Caller == "UserInfoEndpoint")
        {
            context.IssuedClaims.Add(new Claim("custom1", "custom1"));
            context.IssuedClaims.Add(new Claim("custom2", "custom2"));
        }

        return Task.CompletedTask;
    }

1 Comment

In my case, the caller is always ClaimsProviderAccessToken, and I am using code flow + PKCE with an Angular SPA client app. Any suggestion?
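The accepted answer's three `if` blocks generalize to a per-caller allow-list, which is the shape a practitioner usually wants: the access token leaves the browser and is presented to APIs, so it should carry the least, while the identity token and userinfo response can carry more. The following is an added example written for this page, not code from the question or either answer. It uses the `IdentityServerConstants.ProfileDataCallers` constants instead of string literals, filters a loaded claim set against the allow-list, and silently issues nothing extra for a caller it does not recognise. The namespace, the `LoadCustomClaims` helper and its claim values, and the client definition are assumptions for illustration. One caveat relevant to the comment above: IdentityServer4 documents that when both an id_token and an access token are requested, user claims are only added to the id_token if the client sets `AlwaysIncludeUserClaimsInIdToken`; otherwise the client is expected to call the userinfo endpoint, so with authorization code flow the `ClaimsProviderIdentityToken` branch may never run unless that switch is on.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Services;

namespace Example.Identity // hypothetical namespace
{
    // Profile service that decides per caller which custom claims may be issued.
    public class CallerScopedProfileService : IProfileService
    {
        // Allow-list keyed by IS4's caller names. Access tokens are presented to
        // APIs and should stay minimal; id_token and userinfo may carry more.
        private static readonly IReadOnlyDictionary<string, string[]> AllowedCustomClaims =
            new Dictionary<string, string[]>(StringComparer.Ordinal)
            {
                [IdentityServerConstants.ProfileDataCallers.ClaimsProviderAccessToken]   = new[] { "custom1" },
                [IdentityServerConstants.ProfileDataCallers.ClaimsProviderIdentityToken] = new[] { "custom1", "custom2" },
                [IdentityServerConstants.ProfileDataCallers.UserInfoEndpoint]            = new[] { "custom1", "custom2" },
            };

        public Task GetProfileDataAsync(ProfileDataRequestContext context)
        {
            // Standard claims: only those the requested scopes actually ask for.
            context.AddRequestedClaims(context.Subject.Claims);

            // Unknown caller: issue no custom claims rather than all of them.
            if (!AllowedCustomClaims.TryGetValue(context.Caller, out var allowed))
            {
                return Task.CompletedTask;
            }

            // Filter the user's custom claims down to what this caller may see.
            var custom = LoadCustomClaims(context.Subject);
            context.IssuedClaims.AddRange(
                custom.Where(c => allowed.Contains(c.Type, StringComparer.Ordinal)));

            return Task.CompletedTask;
        }

        public Task IsActiveAsync(IsActiveContext context)
        {
            // Hook for lockout / disabled-account checks; always active here.
            context.IsActive = true;
            return Task.CompletedTask;
        }

        // Hypothetical store lookup; constructed values for the example.
        // "internal_only" is never issued because no caller allow-lists it.
        private static IEnumerable<Claim> LoadCustomClaims(ClaimsPrincipal subject)
        {
            return new[]
            {
                new Claim("custom1", "custom1"),
                new Claim("custom2", "custom2"),
                new Claim("internal_only", "not-for-tokens"),
            };
        }
    }

    // Assumed client definition: with code flow, the identity-token branch above
    // only runs when AlwaysIncludeUserClaimsInIdToken is set on the client.
    public static class ExampleClients
    {
        public static IEnumerable<Client> Get() => new[]
        {
            new Client
            {
                ClientId = "spa",                       // hypothetical client id
                AllowedGrantTypes = GrantTypes.Code,
                RequirePkce = true,
                RequireClientSecret = false,
                AllowedScopes = { "openid", "profile", "api1" },
                AlwaysIncludeUserClaimsInIdToken = true,
            },
        };
    }
}
```

Register it with `services.AddIdentityServer().AddProfileService<CallerScopedProfileService>()`. The allow-list, not the caller branches, is the piece to review when a new claim is added: a claim that must not reach resource servers simply stays out of the `ClaimsProviderAccessToken` entry.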
