Openiddict-core: Returning [AspNetUserClaims] to relying party

Created on 5 Aug 2016  路  8Comments  路  Source: openiddict/openiddict-core

I have my ASP.NET Core web app using Identity 3 and OpenIddict setup and can authenticate from my relying party fine. However, claims do not get sent to the relying party ([AspNetUserClaims]), I do see roles though ([AspNetUserRoles]).

My Scope is "openid email name profile roles" and responseType is "token id_token", am I missing something to get claims back?

question

All 8 comments

However, claims do not get sent to the relying party ([AspNetUserClaims])

For security reasons, we never return custom claims. You'll have to create your own manager for that. Take a look at https://github.com/openiddict/openiddict-core/issues/165 for more information.

Great, that was easy enough!

Does OpenIddict support any way of restricting scopes per relying party? eg I might want 1 to just authenticate and not be able to access profile data

You're now responsible of providing your own authorization/token endpoint, so you're now free to return the claims you want, without having to use or override the user manager.

Hi,
I've just got around to updating my code. Where do I add custom claims now that i'm not overriding the UserManager?

I'm guessing somewhere in the CreateTicketAsync method in AuthorizationController

I'm guessing somewhere in the CreateTicketAsync method in AuthorizationController

Yep!

Thought so :) I was expecting to use principal.Claims.Add to add my custom claim but it's not exposed. Do you have an example on how to it?

var identity = (ClaimsIdentity) principal.Identity;
identity.AddClaim(...);

Great, for completeness in case anyone else reads this...

`if (!string.IsNullOrEmpty(user.ContactId))
{
Claim claim = new Claim("ContactId", user.ContactId).SetDestinations(
OpenIdConnectConstants.Destinations.AccessToken,
OpenIdConnectConstants.Destinations.IdentityToken);

            var identity = (ClaimsIdentity)principal.Identity;
            identity.AddClaim(claim);
        }

        // Create a new authentication ticket holding the user identity.
        var ticket = new AuthenticationTicket(
            principal, new AuthenticationProperties(),
            OpenIdConnectServerDefaults.AuthenticationScheme);`
Was this page helpful?
0 / 5 - 0 ratings

Related issues

matthewwren picture matthewwren  路  3Comments

DaljitBhail picture DaljitBhail  路  4Comments

mattwcole picture mattwcole  路  3Comments

prilutskiy picture prilutskiy  路  4Comments

Typiqally picture Typiqally  路  4Comments