Does anyone have an example of how to generate custom claims in Identity Server 4?
Suppose I wanted to send down a "FullName" claim to clients for example.
I read http://docs.identityserver.io/en/release/configuration/resources.html?highlight=CustomProfile
but I cannot seem to find an associated implementation. It might be that, since the recent changes, there aren't any good Google searches on it yet.
I'm on the latest version + netcoreapp 1.1
The claims that you associate with your identity resource will be requested in your profile service. That's where you should put your breakpoint.
Thank you Dominick! I'm sorry I didn't state in my original post, that I'm trying to implement your ASPNET example. I'll update the title.
You're absolutely correct if I was using either the in-memory store or a custom store. For anyone else seeing this, an example can be found at http://docs.identityserver.io/en/release/quickstarts/3_interactive_login.html?highlight=profile%20service
My predicament is that I already have a "Person" table associated with my AppUser table in MVC. I can use AppUserClaims, and they work as expected. I just would rather not duplicate data.
Are there any hooks or something that I can implement in IdentityServer 4, or something I can wire up in .NET Core Identity, to add ad-hoc claims without storing them in the ASPNET_Claims table?
in the IProfileService
Thank you for your help. I think I'm going in the right direction now.
I've been trying to do this pretty much all day. I authenticate correctly, but do not see any of these claims passed down to the client. Am I missing anything obvious?
I've been trying to follow an example at
https://damienbod.com/2016/10/01/identityserver4-webapi-and-angular2-in-a-single-asp-net-core-project/
I have an implemented IProfileService just setting a few test claims
    using System.Collections.Generic;
    using System.Security.Claims;
    using System.Threading.Tasks;
    using IdentityModel;                 // JwtClaimTypes
    using IdentityServer4.Models;        // ProfileDataRequestContext, IsActiveContext
    using IdentityServer4.Services;      // IProfileService

    public class MyProfileService : IProfileService
    {
        // Called when IdentityServer needs user claims for a token or the userinfo endpoint.
        public Task GetProfileDataAsync(ProfileDataRequestContext context)
        {
            var claims = new List<Claim>();
            claims.Add(new Claim(JwtClaimTypes.WebSite, "https://leastprivilege.com"));
            claims.Add(new Claim("FullName", "Joe Tester"));
            claims.Add(new Claim("CustomClaim2", "SomeValue"));
            context.IssuedClaims = claims;
            return Task.FromResult(0);
        }

        // Called to check whether the user is still allowed to get tokens.
        public Task IsActiveAsync(IsActiveContext context)
        {
            context.IsActive = true;
            return Task.FromResult(0);
        }
    }
Then in Startup.cs I think I have implemented everything correctly
    services.AddTransient<IProfileService, MyProfileService>();
    services.AddIdentity<ApplicationUser, GuidRole>()
        .AddEntityFrameworkStores<ApplicationUserIdentityDbContext, Guid>()
        .AddDefaultTokenProviders()
        .AddIdentityServerUserClaimsPrincipalFactory()
        .Services.AddTransient<IProfileService, MyProfileService>();
..and is your profile service being called?
I thought it was being injected in Startup.cs when I added the Transient on the IdentityBuilder.
It's not though because it's not hitting a breakpoint in IProfileService above. I'll continue binging/googling and reading your documentation.
I am having the same problem. IsActiveAsync in ProfileService does get called. But GetProfileDataAsync never gets called. I must not understand something correctly.
GetProfileDataAsync is only called if we put claims in a token. See here for more background:
https://leastprivilege.com/2016/12/14/optimizing-identity-tokens-for-size/
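To make the point above concrete, here is an added example (not code from this thread or from the IdentityServer4 project) of the configuration that actually causes GetProfileDataAsync to be asked for a "FullName" claim: the claim is attached to an identity resource the client may request, the client is configured to put user claims into the id_token, and the profile service only emits what was requested. It assumes the IdentityServer4 2.x API (IdentityResource, Client.AlwaysIncludeUserClaimsInIdToken, ProfileDataRequestContext.AddRequestedClaims) and a hypothetical IPersonStore over the existing Person table.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Extensions;   // GetSubjectId(), AddRequestedClaims()
using IdentityServer4.Models;
using IdentityServer4.Services;
// Hypothetical read-only view over the existing Person table (null = unknown user).
public interface IPersonStore { Task<string> FindFullNameAsync(string subjectId); }

// Resource and client configuration that makes IdentityServer request "FullName".
public static class Config
{
    public static IEnumerable<IdentityResource> IdentityResources => new[]
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
        new IdentityResource("person", new[] { "FullName" })  // custom scope
    };
    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "mvc",                                   // placeholder
            AllowedGrantTypes = GrantTypes.Hybrid,
            ClientSecrets = { new Secret("secret".Sha256()) },  // placeholder
            RedirectUris = { "https://localhost:5002/signin-oidc" },
            AllowedScopes = { "openid", "profile", "person" },
            // Default is false: user claims then come only from the userinfo
            // endpoint and GetProfileDataAsync is not called for the id_token.
            AlwaysIncludeUserClaimsInIdToken = true
        }
    };
}

public class PersonProfileService : IProfileService
{
    private readonly IPersonStore _people;
    public PersonProfileService(IPersonStore people) => _people = people;
    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var fullName = await _people.FindFullNameAsync(context.Subject.GetSubjectId());
        var claims = new List<Claim>();
        if (fullName != null) claims.Add(new Claim("FullName", fullName));
        // Issues only claim types in context.RequestedClaimTypes, i.e. those
        // belonging to scopes the client actually requested; nothing else leaks.
        context.AddRequestedClaims(claims);
    }

    public async Task IsActiveAsync(IsActiveContext context) =>
        context.IsActive = await _people.FindFullNameAsync(context.Subject.GetSubjectId()) != null;
}
```

Wire it up (assumed IS4 2.x builder API) with services.AddIdentityServer().AddInMemoryIdentityResources(Config.IdentityResources).AddInMemoryClients(Config.Clients).AddAspNetIdentity<ApplicationUser>().AddProfileService<PersonProfileService>(), plus a registration for your IPersonStore implementation; a client that does not request the "person" scope never receives FullName.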
Ok. I switched to calling the userinfo endpoint using the UserInfoClient but I always get "forbidden". Any ideas??
Forget it. I figured it out. When requesting an Access Token (RequestResourceOwnerPasswordAsync), if you specify a particular claim then you only get access to THAT claim. If you don't specify a claim, then you get access to all the claims. At least that is what I have experienced.
Thanks Dominick. I think I'm going to just use the UserEndpoint to store current user information per client session. I'll figure out how to customize that next via your documentation.
I am looking forward to meeting your partner Brock at DEVIntersection in Orlando for a 2-day workshop on this.
Dominick, I tried using the ProfileService to add a custom claim. It is not showing up in the token. I used the ASP.NET Identity Quickstart as a launch point. I see the email and name profile claims, but I added a custom "fullname" that isn't getting populated. I added it to the IdentityResource. The profile service is getting called and the roles from the DB are getting loaded. I just don't see my custom claim. Is there something else I need to do? Thanks (ASP.NET Core 2, IDS4)
@furrybaer Have you got any resolution? I am having the same issue.
If you are simply logging in (directly on the identity site), my observation is that this method will not be called, as there is no client making any claims. If you execute a resource-owner-present login, i.e. redirect out from an app into the login page, and that client requires the profile scope, this method will be called. Which makes sense to me.