I have my ASP.NET Core web app using Identity 3 and OpenIddict setup and can authenticate from my relying party fine. However, claims do not get sent to the relying party ([AspNetUserClaims]), I do see roles though ([AspNetUserRoles]).
My Scope is "openid email name profile roles" and responseType is "token id_token", am I missing something to get claims back?
However, claims do not get sent to the relying party ([AspNetUserClaims])
For security reasons, we never return custom claims. You'll have to create your own manager for that. Take a look at https://github.com/openiddict/openiddict-core/issues/165 for more information.
Great, that was easy enough!
Does OpenIddict support any way of restricting scopes per relying party? eg I might want 1 to just authenticate and not be able to access profile data
You're now responsible of providing your own authorization/token endpoint, so you're now free to return the claims you want, without having to use or override the user manager.
Hi,
I've just got around to updating my code. Where do I add custom claims now that i'm not overriding the UserManager?
I'm guessing somewhere in the CreateTicketAsync method in AuthorizationController
I'm guessing somewhere in the CreateTicketAsync method in AuthorizationController
Yep!
Thought so :) I was expecting to use principal.Claims.Add to add my custom claim but it's not exposed. Do you have an example on how to it?
var identity = (ClaimsIdentity) principal.Identity;
identity.AddClaim(...);
Great, for completeness in case anyone else reads this...
`if (!string.IsNullOrEmpty(user.ContactId))
{
Claim claim = new Claim("ContactId", user.ContactId).SetDestinations(
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);
var identity = (ClaimsIdentity)principal.Identity;
identity.AddClaim(claim);
}
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(
principal, new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);`