How do I add custom user claims in JWT and user principal when using Microsoft.AspNetCore.ApiAuthorization.IdentityServer

Question

I'm using the new React template, which is part of the .NET Core 3 release. This template uses Microsoft.AspNetCore.ApiAuthorization.IdentityServer to integrate ASP.NET Core Identity, IdentityServer and React for user registration, authentication and authorization.

This works really well for simple scenarios, but I find the documentation for a bit more complex scenarios confusing. This is mainly because there are a lot of different cogs now, and it's hard to figure out where to look.

What I want to do is the following: I want to add a custom claim to the user (say, IsAdmin: true ). This claim should be available in the .NET Core HttpContext in the ApiController (as part of the user's claim principal) for auth purposes, and it should be somewhere that React can read this claim (this would probably be the identitytoken/jwt), to provide a good user experience.

What would be a good way to accomplish this?

Answer 1

I think you should check ApiResource configuration. Whatever claims you add in UserClaims property of ApiResource configuration, those claims will appear in access token. eg

 public IEnumerable<ApiResource> GetApiResources()
 {
      return new List<ApiResource>
      {
            new ApiResource("api1")
            {
                UserClaims = new[] { "CustomClaim1", "CustomClaim2"},
            }, 
       }
 }

In above code, access code will contain CustomClaim1 and CustomClaim2 . Hence if you don't mention them, they won't appear in access token. Hope this helps!

Answer 2

You can use IProfileService to add custom claims to JWT token:

public class MyProfileService : IProfileService
{
    public MyProfileService()
    { }

    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {

        var claims = new List<Claim>()
        {

            new Claim(ClaimTypes.Role, "Admin")
        };
        context.IssuedClaims.AddRange(claims);
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        // await base.IsActiveAsync(context);
        return Task.CompletedTask;
    }
}

Concern about the length of ID Token, by default the claims won't include in ID token, instead it will get claims from OIDC's userinfo endpoint. You can:

1. Get the claims from user.profile in React template, it will automatically send request to userinfo endpoint with id token.

2. Or you can set AlwaysIncludeUserClaimsInIdToken to true in client options when registering client in Identity Server 4, but i'm afraid you need to not use ApiAuthorization service, the full power of IdentityServer is still available to customize authentication to suit your needs.