Identityserver4: User.Claims and claims retrieved from access_token are different

Created on 7 Apr 2017 · 4 Comments · Source: IdentityServer/IdentityServer4

Hi Everyone,

I am following this documentation
http://docs.identityserver.io/en/release/quickstarts/3_interactive_login.html

using System.Collections.Generic;
using System.Security.Claims;
using IdentityServer4.Models;
using IdentityServer4.Test;

public class Config
{
    // Identity resources: claims that can go into the id_token / userinfo response
    public static IEnumerable<IdentityResource> GetIdentityResources()
    {
        return new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
            new IdentityResource
            {
                Name = "role",
                UserClaims = new List<string> { "role" }
            }
        };
    }

    // API resources: claims that go into the access_token issued for api1
    public static IEnumerable<ApiResource> GetApiResources()
    {
        return new List<ApiResource>
        {
            new ApiResource("api1", "My API")
            {
                UserClaims = { "role" }
            }
        };
    }

    public static List<TestUser> GetUsers()
    {
        return new List<TestUser>
        {
            new TestUser
            {
                SubjectId = "1",
                Username = "alice",
                Password = "password",

                Claims = new List<Claim>
                {
                    new Claim("name", "Alice"),
                    new Claim("role", "admin"),
                    new Claim("email", "[email protected]"),
                    new Claim("website", "https://alice.com")
                }
            }
        };
    }
}

After logging in successfully at the identity server, I am redirected to the MVC client and I can see roles from User.Claims, but I don't have my "role" "admin".

    @foreach (var claim in User.Claims)
    {
        <dt>@claim.Type</dt>
        <dd>@claim.Value</dd>

    }

But when I try to "Call API using user token" using the code below, I can see "role" "admin" in the token:
var accessToken = await HttpContext.Authentication.GetTokenAsync("access_token");

Why is there a difference here?
How can I retrieve "role" "admin" from User.Claims instead?

Thank you very much

question

All 4 comments

In that particular quickstart, I believe the AllowedScopes in the mvc Client are IdentityServerConstants.StandardScopes.OpenId and IdentityServerConstants.StandardScopes.Profile. Neither of these includes the "role" claim, so you need to add a scope that includes it. First, add an Identity Resource for it. In your GetIdentityResources() function (or in your database of identity resources), try adding
new IdentityResource { Name = "role", DisplayName = "Role", UserClaims = new List<string> { "role" } }
Now add "role" to your MVC client's AllowedScopes list, and make sure to edit your actual web client's Startup.cs to add "role" to the Scope parameter in your OpenIdConnectOptions.

You have two different audiences: the client and the API. That's why the protocol has two different tokens: the id_token and the access_token. They might have different claims because the two different audiences might care about different things. This is why in our config we have two different resources: identity resources and API resources. Each allows you to configure different claim types that you want in the respective tokens.
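The three-step fix from the first comment (identity resource, client AllowedScopes, client Scope) and the two-audiences point from the second, put together as an added example. This is not code from the original thread or from the IdentityServer4 project; the client id "mvc", the secret "secret", the localhost URLs and the ASP.NET Core 1.x middleware style are assumed to match the quickstart the question follows. "role" is declared both as an identity resource (so it can reach the id_token/userinfo for the MVC client) and as a user claim of api1 (so it reaches the access_token for the API); each audience only gets the claims it is configured to receive, and the API should authorize from the access_token it validates itself, never from claims the client forwards out of its id_token.

```csharp
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// ---- IdentityServer host: Config.cs (names/URLs assumed, as in the quickstart) ----
public class Config
{
    // Identity resources: what the *client* may learn about the user (id_token / userinfo).
    public static IEnumerable<IdentityResource> GetIdentityResources()
    {
        return new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
            // Step 1: a scope named "role" that carries the "role" user claim.
            new IdentityResource { Name = "role", DisplayName = "Role", UserClaims = new List<string> { "role" } }
        };
    }

    // API resources: what the *API* learns about the user (access_token).
    // Listing "role" here is what put "admin" into the access_token in the question.
    public static IEnumerable<ApiResource> GetApiResources()
    {
        return new List<ApiResource>
        {
            new ApiResource("api1", "My API") { UserClaims = { "role" } }
        };
    }

    public static IEnumerable<Client> GetClients()
    {
        return new List<Client>
        {
            new Client
            {
                ClientId = "mvc",                                   // assumed
                ClientName = "MVC Client",
                AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
                ClientSecrets = { new Secret("secret".Sha256()) },  // assumed
                RedirectUris = { "http://localhost:5002/signin-oidc" },
                PostLogoutRedirectUris = { "http://localhost:5002/signout-callback-oidc" },
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "role",   // Step 2: the client is now allowed to request the "role" scope
                    "api1"
                },
                AllowOfflineAccess = true
                // Optional: AlwaysIncludeUserClaimsInIdToken = true embeds the claim in the
                // id_token itself instead of delivering it through the userinfo endpoint.
            }
        };
    }
}

// ---- MVC client: Startup.cs (ASP.NET Core 1.x middleware, matching HttpContext.Authentication in the question) ----
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
        services.AddAuthentication(options => options.SignInScheme = "Cookies");
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationScheme = "Cookies" });

        // Keep incoming claim types as issued ("role" stays "role", not a SOAP-style URI).
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

        app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
        {
            AuthenticationScheme = "oidc",
            SignInScheme = "Cookies",
            Authority = "http://localhost:5000",                    // assumed
            RequireHttpsMetadata = false,                           // dev only
            ClientId = "mvc",
            ClientSecret = "secret",
            ResponseType = "code id_token",
            Scope = { "api1", "offline_access", "role" },           // Step 3: ask for "role" (openid/profile are defaults)
            GetClaimsFromUserInfoEndpoint = true,                   // fetches identity-resource claims into User.Claims
            SaveTokens = true,                                      // keeps access_token for GetTokenAsync("access_token")
            TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name",
                RoleClaimType = "role"                              // lets [Authorize(Roles = "admin")] use the claim
            }
        });

        app.UseStaticFiles();
        app.UseMvcWithDefaultRoute();
    }
}
```

With all three steps in place, "role"/"admin" shows up in User.Claims on the MVC client after login, while the API still reads it from the access_token it validates against the issuer; if any one step is missing (scope not defined, not allowed for the client, or not requested), the claim silently stays out of the client's identity without an error, so check all three before debugging elsewhere.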

@tsunnyday @brockallen Thanks for the helps. It worked now.

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
