First of all, congratulations on the OpenId certification!
I have a LicenseExtensionGrant which I use to provide a token for a license key and I am trying to do this:
    public async Task ValidateAsync(ExtensionGrantValidationContext context)
    {
        var result = /* code removed for brevity */;
        var claims = new List<Claim>
        {
            new Claim("cid", result.CustomerId.ToString())
        };
        context.Result = new GrantValidationResult(result.Uuid.ToString(), "license", claims);
    }
But my access_token does not contain the cid entry, when I decode it. The sub part is there:
    {
      "nbf": 1482327569,
      "exp": 1482331169,
      "iss": "http://localhost:5000",
      "aud": [
        "http://localhost:5000/resources",
        "calendar_api",
      ],
      "client_id": "todayplus",
      "sub": "a0f8cf55-4683-4941-89g0-09f82f7b5016",
      "auth_time": 1482327569,
      "idp": "local",
      "scope": [
        "openid",
        "calendar_api",
      ],
      "amr": [
        "license"
      ]
    }
Am I missing something or how are the additional claims applied?
I am running Identity Server 4 RC5.
Returning the claim from the validator is not enough - you need to also put it into the outgoing token. This needs to be implemented in the profile service.
Okay, I've hooked up a profile service. But on the /connect/token call, the profile service is not hit for creating the access_token, but if I access /connect/userinfo with the token, the profile service is hit. Is this by design? :-)
I have the same problem. How to add custom claims to token on "/connect/token" call?
The scopes you requested must have user claims configured.
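Added example, not part of the original thread or the IdentityServer project's own code: the two replies above combined, a profile service that copies the validator's `cid` claim into the token only when a requested scope lists it as a user claim. It assumes the IdentityServer4 1.x API (`IProfileService`, `ProfileDataRequestContext.RequestedClaimTypes` / `IssuedClaims`, `ApiResource.UserClaims`); `LicenseProfileService` and `Resources` are hypothetical names.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Services;

// Hypothetical profile service: forwards claims set by the grant validator
// (e.g. "cid"), but only the claim types the requested scopes ask for.
public class LicenseProfileService : IProfileService
{
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // Claim types collected from the UserClaims of the requested resources.
        var requested = new HashSet<string>(
            context.RequestedClaimTypes ?? Enumerable.Empty<string>());

        // Assumption: context.Subject carries the claims that were passed to
        // GrantValidationResult in the extension grant validator.
        var issued = context.Subject.Claims
            .Where(c => requested.Contains(c.Type));

        context.IssuedClaims.AddRange(issued);
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        // Assumption: license validity is already checked in the validator.
        context.IsActive = true;
        return Task.CompletedTask;
    }
}

public static class Resources
{
    // The API scope must list "cid" as a user claim; otherwise the claim type
    // is never requested and the filter above drops it.
    public static IEnumerable<ApiResource> GetApiResources() => new[]
    {
        new ApiResource("calendar_api", "Calendar API") { UserClaims = { "cid" } }
    };
}

// Registration in Startup.ConfigureServices (assumed setup):
//   services.AddIdentityServer()
//       .AddInMemoryApiResources(Resources.GetApiResources())
//       .AddProfileService<LicenseProfileService>();
```

Filtering on the requested claim types keeps the access token from carrying subject claims that no requested scope is configured to receive.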
Why is this so difficult to do? I don't want to implement a full Profile Service just for an extra claim in the jwt!