IdentityServer / IdentityServer3.AspNetIdentity

ASP.NET Identity support for Thinktecture IdentityServer3
Apache License 2.0

Username Claim #16

Closed jmichas closed 10 years ago

jmichas commented 10 years ago

Is there a reason that the GetClaimsFromAccount method does not retrieve and set the username automatically? Are we meant to derive from the out of the box user service and override that method?

I would like to include the username in my id_token and map it to the ms name claim.

Thanks!

jmichas commented 10 years ago

So far the only way I have been able to bring back the username in the token is to create a custom class that inherits from AspNetIdentityUserService<TUser, TKey> and override the GetClaimsFromAccount (I just copied the original implementation) and replaced

var claims = new List<Claim>{
    new Claim(Thinktecture.IdentityServer.Core.Constants.ClaimTypes.Subject, user.Id.ToString())
};

with this

var claims = new List<Claim>{
    new Claim(Thinktecture.IdentityServer.Core.Constants.ClaimTypes.Subject, user.Id.ToString()),
    new Claim("username",user.UserName)
};

I'm not sure if this is the right way to do this. I feel like UserName should be an out-of-the-box claim that is included. For the record, name is also not included in the token no matter what I do, so if you need that maybe this is the way?

Edit: I should say that I think Username should be a default scope, not always in the token.

jmichas commented 10 years ago

Also just want to add that anyone looking to use the identity server with an MVC OWIN client can then map the username to the normal MS Name attribute so it shows up properly when using typical MVC get-username stuff. See https://github.com/thinktecture/Thinktecture.IdentityServer.v3.Samples/issues/9 and add {"username", System.Security.Claims.ClaimTypes.Name} to the Jwt mapping handler.

I'm leaving this open for now because there may be a better way to accomplish what I'm doing; if not, please close this.
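The pieces described in the two comments above (the user-service override, the scope that carries the claim, and the client-side claim mapping), as an added example that is not code from the issue or from the IdentityServer3.AspNetIdentity project. It assumes the Thinktecture-era namespaces and that the base class exposes GetClaimsFromAccount as a virtual Task<IEnumerable<Claim>> with a UserManager-taking constructor; UsernameUserService and ClientClaimSetup are hypothetical names:

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Thinktecture.IdentityServer.AspNetIdentity;      // assumed namespace of the base service
using Thinktecture.IdentityServer.Core.Models;         // Scope, ScopeClaim, ScopeType

// Server side: extend the stock user service and call the base implementation rather
// than copying its body, so the subject claim and any later base-class fixes are kept.
public class UsernameUserService<TUser, TKey> : AspNetIdentityUserService<TUser, TKey>
    where TUser : class, IUser<TKey>
    where TKey : IEquatable<TKey>
{
    public UsernameUserService(UserManager<TUser, TKey> userManager) : base(userManager) { }

    protected override async Task<IEnumerable<Claim>> GetClaimsFromAccount(TUser user)
    {
        var claims = (await base.GetClaimsFromAccount(user)).ToList();
        // Add the username only if the base class did not already supply it.
        if (!claims.Any(c => c.Type == "username"))
        {
            claims.Add(new Claim("username", user.UserName));
        }
        return claims;
    }
}

public static class ClientClaimSetup
{
    // Server side: a claim reaches the id_token only through a scope that lists it.
    // alwaysInclude puts it in the id_token even when an access token is issued too
    // (otherwise the client is expected to fetch it from the userinfo endpoint).
    public static Scope UsernameScope()
    {
        return new Scope
        {
            Name = "username",
            Type = ScopeType.Identity,
            Claims = new List<ScopeClaim> { new ScopeClaim("username", alwaysInclude: true) }
        };
    }

    // Client side (MVC OWIN): map the inbound "username" claim onto the type that
    // User.Identity.Name reads. Do this before the OIDC middleware validates a token.
    public static void MapUsernameToName()
    {
        JwtSecurityTokenHandler.InboundClaimTypeMap["username"] = ClaimTypes.Name;
    }
}
```

Because the mapping makes "username" the identity's Name, any client-side checks keyed on User.Identity.Name now rest on that claim being issued only by this identity server; keep the scope limited to the clients that need it.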

brockallen commented 10 years ago

You control the claims in the token via the ScopeClaim configuration on the Scope:

https://github.com/thinktecture/Thinktecture.IdentityServer.v3/wiki/Scope-Model

jmichas commented 10 years ago

@brockallen yeah I tried that. I created custom scopes and added my claims but they never appeared in the id token. I stepped through the source and found that even though the "name" claim was on the principal it wasn't added to the token and the username wasn't on the principal. So is that a bug? Should I have been able to simply add a scope claim for username?

brockallen commented 10 years ago

Did you confirm it wasn't in the id_token by pasting it in http://jwt.io? It's not clear if it wasn't in the token or if there was a claim type mismatch.

jmichas commented 10 years ago

@brockallen hrmmmm, not sure. I was dumping the claims on the principal to a web page, I assumed that if I didn't see it in there then it wasn't in the token. How can I get the token that is posted back to the owin middleware? I can say after I did what I described earlier it worked fine so where would I have mapped the mismatch otherwise? I already tried to use the jwt handler mapping to map from both username and name to the ms claimtype "name".

brockallen commented 10 years ago

You can check the token in transit with fiddler -- that's what I use to inspect the token in the raw.