What are ApiResource.UserClaims and ApiResource.Scopes.UserClaims used for? I'm using IdentityResource.UserClaims to identify each user's claims (like the user's email etc.), but I couldn't figure out what these two are used for.
is this not clear enough?
https://identityserver4.readthedocs.io/en/release/reference/api_resource.html
@leastprivilege: I've read the docs, but since they are both described as "List of associated user claim types that should be included in the access token" I couldn't make any distinction. Sorry, I'm a newbie when it comes to claims/identity-based authorization and I'd appreciate any clarification on scenarios for their use.
For example, this is my claims list without using ApiResource.UserClaims and ApiResource.Scopes.UserClaims:
{ Type = nbf, Value = 1486538058 }
{ Type = exp, Value = 1486538358 }
{ Type = iss, Value = http://localhost:34240 }
{ Type = aud, Value = client.mvc }
{ Type = nonce, Value = 636221348354970860.ZDI5MjI2M2YtOGE5Yi00MDBjLTk1ZGEtZGJmZGFiYjJjNjY2OWE1NTZiOTQtMTdiNC00NzdlLWE2NWItODIxMzQ3NDQ0ZWI3 }
{ Type = iat, Value = 1486538044 }
{ Type = c_hash, Value = sNDoLgy26u-I_npEcFKeRw }
{ Type = sid, Value = d201b483be971276c92dfd91593843d8 }
{ Type = sub, Value = 8da49efb-a1aa-4253-bb7f-56cc6c532b78 }
{ Type = auth_time, Value = 1486538044 }
{ Type = idp, Value = local }
{ Type = test, Value = test1 } //added manually in my IProfileService implementation
{ Type = amr, Value = pwd }
Neither this list of claims nor the context.RequestedClaims list changes when I add both UserClaims:
_apiResources = new List<ApiResource>
{
    new ApiResource
    {
        Name = "my_api",
        Scopes =
        {
            new Scope()
            {
                Name = "my_api_scope",
                UserClaims = new[] { "my_api_scope_claim" }
            }
        },
        UserClaims = new[] { "my_api_claim" }
    }
};
The only difference I could see is that "my_api_claim" is added to the claims_supported list in the discovery document.
Am I supposed to add both claims to the context.IssuedClaims list in the IProfileService implementation?
The description under scopes adds:
The claims specified here will be added to the list of claims specified for the API.
..and yes, this config only assembles the list of requested claim types that is passed to the profile service. It is then up to the profile service to return the actual claims.
I get it now, thank you.
Client -> AlwaysIncludeUserClaimsInIdToken = true did the trick to me.
is this not clear enough?
https://identityserver4.readthedocs.io/en/release/reference/api_resource.html
This link is broken and I'm dying to know the answer (because I can't understand Dominick Baier's final answer).
@rzassar
There is an old version over here https://web.archive.org/web/20180611190248/http://identityserver4.readthedocs.io/en/release/reference/api_resource.html
Which I suppose is comparable to this newer version: http://docs.identityserver.io/en/latest/reference/api_resource.html
For people still looking for this: these claims are sent in context.RequestedClaims in your IProfileService implementation when the caller is "ClaimsProviderAccessToken". For example:
sample Api resource:
new ApiResource
{
    Name = "My Api",
    Scopes = new Scope[] { new Scope("MyApiScope", new string[] { IdentityModel.JwtClaimTypes.Name }) },
    UserClaims = new string[] { IdentityModel.JwtClaimTypes.MiddleName } // I think this gets included in every api resource regardless of scope but haven't tried
},
ProfileService / GetProfileDataAsync(ProfileDataRequestContext context) debug:
context:
{IdentityServer4.Models.ProfileDataRequestContext}
Caller: "ClaimsProviderAccessToken"
Client: {IdentityServer4.Models.Client}
IssuedClaims: Count = 0
RequestedClaimTypes: {System.Linq.Enumerable.DistinctIterator<string>}
Subject: {System.Security.Claims.ClaimsPrincipal}
context.RequestedClaimTypes:
{string[2]}
[0]: "middle_name"
[1]: "name"
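Putting Dominick's answer and the debug output above together: the resource configuration only produces context.RequestedClaimTypes ("middle_name" from ApiResource.UserClaims plus "name" from the requested scope), and the profile service has to look those up and return them. The following IProfileService is an added example, not code from this thread or from IdentityServer4 itself; LookupUserClaims is a hypothetical stand-in for your user store and the claim values are constructed sample data.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;

// Added example, not IdentityServer4's own code. Returns only the claim
// types that the resource/scope configuration asked for, so an access token
// for one API never carries claims that were configured for another one.
public class RequestedClaimsProfileService : IProfileService
{
    // Hypothetical stand-in for a user store: every claim this user *could* get.
    // Values are constructed sample data.
    private static IEnumerable<Claim> LookupUserClaims(string subjectId) => new[]
    {
        new Claim(IdentityModel.JwtClaimTypes.Name, "Jane Example"),
        new Claim(IdentityModel.JwtClaimTypes.MiddleName, "Q"),
        new Claim(IdentityModel.JwtClaimTypes.Email, "jane@example.test"),
        new Claim("my_api_claim", "api-level-value"),
        new Claim("my_api_scope_claim", "scope-level-value"),
    };

    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var available = LookupUserClaims(context.Subject.GetSubjectId()).ToList();

        // For Caller == ClaimsProviderAccessToken, RequestedClaimTypes is the
        // union of ApiResource.UserClaims and the UserClaims of each Scope the
        // client actually requested (here: "middle_name" and "name").
        // For ClaimsProviderIdentityToken it comes from IdentityResource.UserClaims.
        var requested = new HashSet<string>(context.RequestedClaimTypes);
        var issued = available.Where(c => requested.Contains(c.Type)).ToList();

        // Same filtering as the built-in context.AddRequestedClaims(available),
        // spelled out so the mechanism is visible.
        context.IssuedClaims.AddRange(issued);
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        // Stand-in: a real implementation checks the user store for the subject.
        context.IsActive = true;
        return Task.CompletedTask;
    }
}
```

With the resource shown above and Caller "ClaimsProviderAccessToken", IssuedClaims ends up holding only the name and middle_name claims; email and the my_api_* claims are dropped because nothing requested them.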
There is an old version over here
https://web.archive.org/web/20180611190248/http://identityserver4.readthedocs.io/en/release/reference/api_resource.html
Which I suppose is comparable to this newer version:
http://docs.identityserver.io/en/latest/reference/api_resource.html
The target URL for your second link is referring to this very issue page!! :-) People need to copy/paste the URL manually in the browser...
so here is the corrected link:
http://docs.identityserver.io/en/latest/reference/api_resource.html