merijndejonge
commented
9 months ago Open amiru3f opened 9 months ago
merijndejonge
commented
9 months ago 
MackinnonBuck
commented
9 months ago What claims are on the access token that aren't on the ID token?
ghost
commented
9 months ago Hi @amiru3f. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.
ghost
commented
9 months ago We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.
amiru3f
commented
9 months ago @MackinnonBuck Well, it depends to the IdentityProvider implementation. As you know IdToken is for user Identification (Who is the user) however AccessToken is for Authorization (To check if the user is authorized based on some specific claims, etc). So depending on the way IdentityProvider manages, those claims can differ.
For example a Third Party (Or relying party) requests a specific scope then forwards the user to the IDP like:
https://{IDP_URL}?connect/authorize?grantType=authorization_code&scope=Scope1Based on the Scope requested, related claims will be included in AccessToken but not IdToken at least in the implementations I've seen (Like Duende, AzureAD, ...)
For implementation details like Duende please check:
To me that's not a good idea to put the scope-related claims in the IdToken cuz Client won't use IdToken to access any Audiences (Owner of that scope). That's why in Duende the default behaviour is not doing that
Is there an existing issue for this?
Is your feature request related to a problem? Please describe the problem.
Hey there,
Context
While using
OpenIdConnectHandlerto leverage OIDC for handling authentication via external Identity Providers (like Duende, Google, Linkedin, AzureAD etc), after successful login and callback, the handler verifies theIdTokenand injects claims into the current requestPrincipalwhich means if the IDP puts claims into theIdToken, the application can access it via request.Principal.ClaimsNamely:
The OpenIdConnectHandler checks if the callback contains
authorization codewhich means the authentication was initiated inAuthorizationCodeflow, fetches theIdTokenandAccessTokenand then extracts theIdTokenclaims. Then ifGetClaimsFromUserInfoEndpointis enabled uses theAccessTokento fetch the additional claims from the external IDPProblem
IDPs like
DuendeandAzureADdo not put the claims inside the IdToken but AccessToken in case you use theauthorization_codeflow. Unlike if you useimplicit, they put the claims into theIdTokenand the abovementioned works without any additional costs or issues.So if you use
authorization_code, since the application does not read/care theAccessToken, it needs another call toUserInfoEndpointto fetch the claims (Which might not be a good/performant case for all scenarios)Describe the solution you'd like
My question/suggestion is why
OpenIdConnectHandlerdoes not combine the claims fromIdTokenandAccessTokentogether to build thePrincipal? Is this out of Standards/Protocols? Namely we can have a flag like options.AlsoCheckAccessTokenForClaims (default: false for avoiding breaking behaviours) so when you set the following flags it will get the claims from both and then no need to initiate another call toUserInfoEndpoint:Can you please help me to know if I'm thinking mistakenly against of the Protocol or Standards or any other downsides?
Additional context
No response