stackoom
  简体   繁体   中英

Claims for IdentityServer4 user not included in JWT and not sent to Web Api

 原文  2017-01-15 18:17:50       c#/ asp.net-core/ openid-connect/ identityserver4

Question

Following the official IdentityServer4 documentation, I reached the point where I have an MVC client app, IdentityServer4 and a Web Api (resource server running). IS4 homepage displays all claims for the user, and when calling the api with the access token, we again get as a result all the user's claims.

Sample code is available here , although it's probably not necessary, and I'm just missing something obvious.

Anyway, for simplicity's sake let's not get claims from the DB and just assign a random hardcoded one: 

public class ProfileService : IProfileService
{
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        context.IssuedClaims.Add(new System.Security.Claims.Claim("role", "admin"));
        return Task.FromResult(0);
    }
    ...
}

I register the custom Profile service in the startup file and now when I'm logged in on IS4, I see the additional claim.

However, when calling the web api (resource server), this additional claim is not included in the JWT. Code for api call: 

    public async Task<IActionResult> CallApiUsingUserAccessToken()
    {
        var accessToken = await HttpContext.Authentication.GetTokenAsync("access_token");

        var client = new HttpClient();
        client.SetBearerToken(accessToken);
        var content = await client.GetStringAsync("http://localhost:5001/identity");

        ViewBag.Json = JArray.Parse(content).ToString();
        return View("json");
    }

(All the api does is return the list of User.Claims). My added claim is not in there, and when I debug the code and pick the access token string and decode it on jwt.io, there's no such claim again.

Question is : what am I missing? is the HttpContext.Authentication.GetTokenAsync bad for my use case, and if so - what is the substitute I'm supposed to use?

Edit: Here are the OpenId Connect Options (on the MVC client): 

        app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
        {
            AuthenticationScheme = "oidc",
            SignInScheme = "Cookies",

            Authority = "http://localhost:5000",
            RequireHttpsMetadata = false,

            ClientId = "mvc",
            ClientSecret = "secret",

            ResponseType = "code id_token",
            Scope = { "api1", "offline_access" },

            GetClaimsFromUserInfoEndpoint = true,
            SaveTokens = true
        });

1 answers

solution1
 2 ACCPTED  2017-01-16 07:03:03

I guess the reason is that you haven't assigned any claims to your API. This is why we don't call the profile service at all.

This is a common problem and a little inconsistent since we are always calling the profile service for identity tokens.

We changed this behavior in 1.0.2

https://github.com/IdentityServer/IdentityServer4/releases/tag/1.0.2

Please try again and see if this gives you the expected result.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question IdentityServer4 - user permissions on the API I want to Update User Claims in IdentityServer4 (.NET Core 3.1) IdentityServer4 custom AuthenticationHandler can't find all claims for a user Web Api .net framework 4.6.1 and identityServer4 IdentityServer4 and Seperate User Authentication Api Unable to Validate JWT or access_token in API with IdentityServer4 How do I add Jwt authentication from IdentityServer4 and Auth0 in an ASP.NET Core 2.0 web api? IdentityServer4 Add Claims to /connect/token How to add roles to claims in IdentityServer4? IdentityServer4 - missing claims from Google
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM