Get Claims in Password Flow as well as Implicit

Question

I have an Angular 9 web application connected via the oidc-client to Identity Server 4 and an API using Implicit flow. When I get the authenticated user I can see several claims I want for the site such as the email address, the user name or the role.

I'm now trying to do the exact same thing using the password flow and I'm getting only the sub claim back - note this is the first time I use it and therefore it may not be right, but in essence, below would be the call I'm performing (using this time angular-oauth2-oidc through my ionic app) - for simplicity and for testing purposes I'm using postman to illustrate this:

I have modified my client to allow the profile scope without any luck and also I'm getting a different type of response and claim processing targetting the same user using the same configuration on IS4:

My question is, is there anything special I need to set up in my client when I use the password flow to get the claims back or do I need to modify the profile service to include them all the time? I would have imagined when you have access to different scopes and they have issued claims you should get them back but I'm not sure if I'm missing something fundamental here.

My client's config:

public static IEnumerable<Client> Get()
    {
        return new List<Client>
        {
            new Client
            {
                ClientId = "web",
                ClientName = "Web Client",
                AllowedGrantTypes = GrantTypes.Code,
                RequirePkce = true,
                RequireClientSecret = false,
                AllowedScopes = new List<string> { "openid", "profile", "myapi" },
                RedirectUris = new List<string> {
                    "http://<base-url>/auth-callback",
                    "http://<base-url>/silent-renew-callback",
                },
                PostLogoutRedirectUris = new List<string> {"http://<base-url>"},
                AllowedCorsOrigins = new List<string> {"http://<base-url>"},
                AllowAccessTokensViaBrowser = true,
                RequireConsent = false,
                AlwaysSendClientClaims = true,
                AlwaysIncludeUserClaimsInIdToken = true,
            },
            new Client
            {
                ClientId = "mobile",
                ClientName = "Mobile Client",
                ClientSecrets = { new Secret("t8Xa)_kM6apyz55#SUv[[Cp".Sha256()) },
                AllowedGrantTypes = GrantTypes.ResourceOwnerPasswordAndClientCredentials,
                AllowedScopes = new List<string> { "openid", "mobileapp", "myapi" },
                AccessTokenType = AccessTokenType.Jwt,
                AccessTokenLifetime = 3600,
                IdentityTokenLifetime = 3600,
                UpdateAccessTokenClaimsOnRefresh = false,
                SlidingRefreshTokenLifetime = 30,
                AllowOfflineAccess = true,
                RefreshTokenExpiration = TokenExpiration.Absolute,
                RefreshTokenUsage = TokenUsage.OneTimeOnly,
                AlwaysSendClientClaims = true,
                Enabled = true
            }
        };
    }
}

Any tips are highly appreciated. Many thanks!

UPDATE: Since ROPC flow is being deprecated in oauth 2.1 ( https://fusionauth.io/blog/2020/04/15/whats-new-in-oauth-2-1 ) I decided to move everything to the code flow + PKCE mechanism.

Answer 1

Password grant is an OAuth grant and is to obtain an access token. And what you see as a result of password grant is an access token. access token does not contain any information about the user itself besides their ID (sub claim).

But Implicit grant you use is OpenId Grant. You use oidc client lib and use "openid", "profile" on client - AllowedScopes . What you get in result in an id token. This token authenticates the user to the application and contains user info.

Read more about tokens here .

And this is a very good post which Diagrams of All The OpenID Connect Flows