Hello,
Why do we add, or what is the benefit of adding, UserClaims 'role' to IdentityResource?
new IdentityResource { Name = "role", UserClaims = new List<string> {"role"} }
It does not add the roles to the token.
I can only add the roles to the token by adding UserClaims 'role' to ApiResource.
When I remove UserClaims 'role' from IdentityResource my project also works fine.
IdentityResource controls what goes in the id token to the client. ApiResource controls what goes into the access token for the API.
Thanks, dear @brockallen, but I think this is different from the documentation, or I'm not understanding something.
The documentation:
"Identity resources are data like user ID, name, or email address of a user. An identity resource has a unique name, and you can assign arbitrary claim types to it. These claims will then be included in the identity token for the user. The client will use the scope parameter to request access to an identity resource."
Also, if I add custom claims to IdentityResource it will inject them into the user token,
but when I add the 'role' claim to IdentityResource it will NOT inject it into the user token;
only if I add the 'role' claim to ApiResource will it inject the role into the user token.
Example:
If I have 'administrator' and 'user' roles in the database, I must add these roles to ApiResource, not IdentityResource, to inject them into the user token so it looks like this:
{
"nbf": 1510214356,
"exp": 1510215256,
"iss": "http://localhost:5000",
"aud": [
"http://localhost:5000/resources",
"WebAPI"
],
"client_id": "AngularSPA",
"sub": "33af17bf-eb84-4e27-a67e-defccef15874",
"auth_time": 1510214356,
"idp": "local",
"role": [
"administrator",
"user"
],
"my_claim_type": "my_claim_value",
"scope": [
"address",
"custom_profile_claim",
"myroles",
"openid",
"profile",
"roles",
"WebAPI.Write",
"offline_access"
],
"amr": [
"pwd"
]
}
user token
What's a user token?
The user token is the token that the user gets after authentication succeeds.
Example:
{
"nbf": 1510214356,
"exp": 1510215256,
"iss": "http://localhost:5000",
"aud": [
"http://localhost:5000/resources",
"WebAPI"
],
"client_id": "AngularSPA",
"sub": "33af17bf-eb84-4e27-a67e-defccef15874",
"auth_time": 1510214356,
"idp": "local",
"role": [
"administrator",
"user"
],
"my_claim_type": "my_claim_value",
"scope": [
"address",
"custom_profile_claim",
"myroles",
"openid",
"profile",
"roles",
"WebAPI.Write",
"offline_access"
],
"amr": [
"pwd"
]
}
What you have shown above is an access token.
@brockallen Are roles more appropriate in the ID token or Access token?
Depends where you need them. Put them in the tokens where the identity info is needed, which might be both tokens.
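The split described above (IdentityResource feeds the id token, ApiResource feeds the access token, and a role claim can be declared on both so it lands in both) looks like this in an IdentityServer4 Config.cs. This is an added example, not code from the thread or from the IdentityServer project; the resource and client names ("roles", "WebAPI", "WebAPI.Write", "AngularSPA") are taken from the scope and aud values in the token posted above, and the redirect URI is an assumption.

```csharp
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

// Added example (not from the original post): wires the "role" claim into
// both tokens by declaring it on an IdentityResource and on an ApiResource.
public static class Config
{
    public static IEnumerable<IdentityResource> GetIdentityResources() =>
        new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
            // Identity resource: when the client requests scope "roles",
            // the user's "role" claims are eligible for the id_token / userinfo.
            new IdentityResource
            {
                Name = "roles",
                DisplayName = "User roles",
                UserClaims = new List<string> { "role" }
            }
        };

    public static IEnumerable<ApiResource> GetApiResources() =>
        new List<ApiResource>
        {
            // API resource: "role" claims are copied into the access_token
            // issued for this API (aud contains "WebAPI").
            new ApiResource("WebAPI", "My Web API")
            {
                UserClaims = { "role" },
                // Scope names the client asks for; they belong to this resource.
                Scopes = { new Scope("WebAPI.Write") }
            }
        };

    public static IEnumerable<Client> GetClients() =>
        new List<Client>
        {
            new Client
            {
                ClientId = "AngularSPA",
                AllowedGrantTypes = GrantTypes.Implicit,
                AllowAccessTokensViaBrowser = true,
                // Assumed redirect URI for the SPA; adjust to your app.
                RedirectUris = { "http://localhost:4200/callback" },
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "roles",        // identity scope -> "role" in the id_token
                    "WebAPI.Write"  // API scope -> "role" in the access_token
                },
                // Caveat: when the client also receives an access token
                // (response_type=id_token token), IdentityServer4 leaves
                // identity claims to the userinfo endpoint unless this is set.
                AlwaysIncludeUserClaimsInIdToken = true
            }
        };
}
```

A quick check when a claim seems to be "missing": decode the id_token and the access_token separately and look for "role" in each. The JSON in this thread carries "scope", "client_id" and an "aud" that lists API resources, which marks it as the access token; an id_token carries the client id as its audience plus OpenID Connect claims such as "nonce" and "at_hash", and with the default AlwaysIncludeUserClaimsInIdToken = false the identity claims behind the "roles" scope are returned from the userinfo endpoint instead of being embedded in it.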
Any update on the issue? Closing for now - feel free to re-open if it needs further discussion.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.