IdentityServer / IdentityServer3.AspNetIdentity

ASP.NET Identity support for Thinktecture IdentityServer3
Apache License 2.0

Add custom claims to access/id token #53

Closed pawepaw closed 9 years ago

pawepaw commented 9 years ago

Hello,

I'm implementing an impersonation mechanism and I need to embed claims with the original user's (the user who is impersonating) data, like id or username. Claims are scope specific, so I added a custom scope with those claims.

The problem is that I do not want to save those claims into the database (because they are not user specific, rather request specific), and from what I understand the default implementation of GetAccessTokenClaimsAsync/GetIdentityTokenClaimsAsync will only read claims from the database, not from the AuthenticateResult claims.

I've tried to extend the claims which are passed into AuthenticateResult and later used to create the ClaimsIdentity, but they are not used to generate the token.

I think that the best choice is to override the GetProfileDataAsync() method to read not only from the database but also from the ClaimsPrincipal.

Is this the proper way, or am I missing something?

brockallen commented 9 years ago

You can override the various APIs and merge the claims from the base implementation and the claims from your derived implementation.

pawepaw commented 9 years ago

OK, I just wanted to clarify that I'm not missing anything and that there is no mechanism to embed those claims other than saving them into the database.

Don't you think that it might be nice to have it by default in the userService, or might it be misleading? I can create a pull request with a proposed solution.

brockallen commented 9 years ago

Maybe I was unclear -- You can add any claims you want -- they don't have to be in the database.

pawepaw commented 9 years ago

Sure, I got it. But after analyzing the user service I see that while generating tokens you do not use claims from the ClaimsIdentity (subject).

According to: https://github.com/IdentityServer/IdentityServer3/blob/133ca7db31d94abcca55221559a301310ab4bbe6/source/Core/Services/Default/DefaultClaimsProvider.cs#L65

By default, only claims read from the database in GetProfileDataAsync() will be included in the token.

There are many places where I can extend this functionality, which is cool. But right now I am asking whether, by default, it should just include claims from the subject as well?

brockallen commented 9 years ago

Ah, I see. I think so -- the claims in the cookie in IdSvr are not necessarily the claims you want in the token. So not doing it is intentional.

pawepaw commented 9 years ago

OK, thanks. So I'll simply extend GetProfileDataAsync(), because I think it's the proper place to do it.
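The approach agreed on above (override GetProfileDataAsync, merge the base implementation's database claims with request-specific claims from the subject), as an added example that is not code from the issue or from the IdentityServer3.AspNetIdentity project. It assumes the IdentityServer3 2.x shape of AspNetIdentityUserService and ProfileDataRequestContext (Subject, RequestedClaimTypes, AllClaimsRequested, IssuedClaims); the ImpersonationUserService class and the original_sub/original_name claim types are hypothetical names. Only an explicit allow-list of cookie claims is copied, and only when the requested scope asks for them, which keeps the rest of the IdSvr cookie out of the token as brockallen notes.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.AspNetIdentity;
using IdentityServer3.Core.Models;
using Microsoft.AspNet.Identity;

// Hypothetical claim types placed in the IdSvr authentication cookie by the
// impersonation sign-in; they describe the request, not the user record.
public static class ImpersonationClaimTypes
{
    public const string OriginalUserId = "original_sub";
    public const string OriginalUserName = "original_name";
}

// Hypothetical derived user service; assumes the 2.x AspNetIdentityUserService API.
public class ImpersonationUserService<TUser, TKey> : AspNetIdentityUserService<TUser, TKey>
    where TUser : class, IUser<TKey>
    where TKey : IEquatable<TKey>
{
    // Allow-list: these are the only subject (cookie) claims ever copied into a token.
    private static readonly string[] AllowedSubjectClaims =
    {
        ImpersonationClaimTypes.OriginalUserId,
        ImpersonationClaimTypes.OriginalUserName
    };

    public ImpersonationUserService(UserManager<TUser, TKey> userManager)
        : base(userManager) { }

    public override async Task GetProfileDataAsync(ProfileDataRequestContext ctx)
    {
        // Base implementation fills ctx.IssuedClaims from the database.
        await base.GetProfileDataAsync(ctx);

        var issued = (ctx.IssuedClaims ?? Enumerable.Empty<Claim>()).ToList();
        var requested = ctx.RequestedClaimTypes ?? Enumerable.Empty<string>();

        // Merge request-specific claims from the subject: allow-listed types only,
        // only when the requested scopes include them, and without duplicates.
        var extra = ctx.Subject.Claims
            .Where(c => AllowedSubjectClaims.Contains(c.Type))
            .Where(c => ctx.AllClaimsRequested || requested.Contains(c.Type))
            .Where(c => !issued.Any(i => i.Type == c.Type && i.Value == c.Value));

        ctx.IssuedClaims = issued.Concat(extra).ToList();
    }
}
```

Register the derived service in place of AspNetIdentityUserService when configuring IdentityServer, and add the two claim types to the custom scope so that they are requested.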