Not returning all claims and policy authorization issue

I'm using IdentityServer4 hybrid flow sample app for testing and playing around with IS4: https://github.com/IdentityServer/IdentityServer4.Samples/tree/release/Quickstarts/5_HybridFlowAuthenticationWithApiAccess

Config.cs in IS4 has two test users defined:

return new List<TestUser>
        {
            new TestUser
            {
                SubjectId = "1",
                Username = "alice",
                Password = "password",

                Claims = new List<Claim>
                {
                    new Claim("name", "Alice"),
                    new Claim("website", "https://alice.com")
                }
            },
            new TestUser
            {
                SubjectId = "2",
                Username = "bob",
                Password = "password",

                Claims = new List<Claim>
                {
                    new Claim("name", "Bob"),
                    new Claim("website", "https://bob.com")
                }
            }
        };

"Secure.cshtml" in MVC client should display Type and Value for all claims, but I'm seeing only

sid: ec1e3b0513f711ca6c29a90494aa9741
sub: 1
idp: local
name: Alice

with no "website" claim displayed. How can I get that claim back alongside name? options.GetClaimsFromUserInfoEndpoint is set to true (MVC client Startup.cs).

So, if I create a policy:

services.AddAuthorization(options => {
                options.AddPolicy("testPolicy", builder =>
                {
                    builder.RequireAuthenticatedUser();
                    builder.RequireClaim("website", "https://alice.com");
                });
            });

and protect "Secure" action with it:

[Authorize(Policy = "testPolicy")]
        public IActionResult Secure()
        {
            ViewData["Message"] = "Secure page.";

            return View();
        }

There is no way I can access it, because the "website" claim is not returned from the userinfo endpoint... Any ideas? Note: I didn't make any changes to the sample app except adding "testPolicy".

2 answers

  • answered 2017-11-15 12:40 DaImTo

    When authenticating your user, make sure to include profile:

    var tokenClientReadOnlyClient = new TokenClient(disco.TokenEndpoint, "ReadOnlyClient", "secret");
    var tokenResponseReadOnlyClient = await tokenClientReadOnlyClient.RequestClientCredentialsAsync("testapi profile openid");
    

    The client will need to add AllowedScopes of:

    AllowedScopes = new List<string>
                    {
                        IdentityServerConstants.StandardScopes.OpenId,
                        IdentityServerConstants.StandardScopes.Profile,
                        "testapi"
                    }
    

  • answered 2017-11-15 18:23 leastprivilege

    You probably need to configure the claims actions on the OIDC handler options.

    https://leastprivilege.com/2017/11/15/missing-claims-in-the-asp-net-core-2-openid-connect-handler/
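
Worked example of what that answer points at, added here as illustration and not taken from the linked post or from the IdentityServer4 sample. In ASP.NET Core 2.x the OpenID Connect handler does not copy every key of the userinfo JSON into the principal: its ClaimActions collection only maps a fixed set (sub, name, given_name, family_name, profile, email) and drops the rest, so "website" is fetched from the userinfo endpoint and then discarded before the cookie is issued. The fix is one MapUniqueJsonKey call on the handler options. Authority, client id, secret and response type below are assumed to match the quickstart's MVC client; adjust them to whatever your Startup.cs actually uses.

```csharp
// MvcClient/Startup.cs (added example, not the sample's own file)
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // Keep the short OIDC claim names ("sub", "name", ...) instead of the
        // long Microsoft URIs, so RequireClaim("website", ...) matches by that name.
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

        services.AddAuthentication(options =>
            {
                options.DefaultScheme = "Cookies";
                options.DefaultChallengeScheme = "oidc";
            })
            .AddCookie("Cookies")
            .AddOpenIdConnect("oidc", options =>
            {
                // Assumed quickstart values; change to match your client registration.
                options.SignInScheme = "Cookies";
                options.Authority = "http://localhost:5000";
                options.RequireHttpsMetadata = false;   // dev only; keep true in production
                options.ClientId = "mvc";
                options.ClientSecret = "secret";
                options.ResponseType = "code id_token";
                options.SaveTokens = true;

                // "openid" and "profile" are already in options.Scope by default;
                // "profile" is what makes IS4 release "website" from userinfo.
                options.Scope.Add("api1");

                // Fetch the remaining identity claims from /connect/userinfo ...
                options.GetClaimsFromUserInfoEndpoint = true;

                // ... and tell the handler to actually keep "website". Without this
                // line the userinfo response is read but the key is filtered out.
                // MapUniqueJsonKey adds the claim only if the principal lacks it;
                // MapJsonKey would add it unconditionally.
                options.ClaimActions.MapUniqueJsonKey("website", "website");
            });

        // Now the policy can be satisfied, because the cookie principal carries
        // website=https://alice.com for user "1".
        services.AddAuthorization(options =>
        {
            options.AddPolicy("testPolicy", builder =>
            {
                builder.RequireAuthenticatedUser();
                builder.RequireClaim("website", "https://alice.com");
            });
        });
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseAuthentication();
        app.UseStaticFiles();
        app.UseMvcWithDefaultRoute();
    }
}
```

Two checks worth doing before trusting the policy: sign in as alice and confirm Secure.cshtml now lists website alongside sid/sub/idp/name, and then sign in as bob to confirm the same action returns 403 (his website value is https://bob.com, so RequireClaim fails as intended). If "website" is still missing after this change, the problem is on the IdentityServer side rather than the handler: check that the client's AllowedScopes include IdentityServerConstants.StandardScopes.Profile and that the TestUser actually carries the claim.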