Does IdentityServer4.AccessTokenValidation performs automatic userinfo instrospection?

Question

I am using Identity server to protect my API. I have defined the ApiResource as this:

return new List<ApiResource> 
        {
            new ApiResource
            {
                Name = "phone.api",
                ApiSecrets={new Secret("secret1".Sha256())},
                Scopes =
                {
                    new Scope()
                    {
                        Name = "phone.api.full_access",
                        DisplayName = "Full access to API"

                    },
                     new Scope
                    {
                        Name = "phone.api.write",
                        DisplayName = "Write and read access to API"
                    },
                    new Scope
                    {
                        Name = "phone.api.read",
                        DisplayName = "Read only access to API"
                    }
                }
                ,UserClaims=new List<string>()
                {
                    "roles",
                   // ClaimTypes.DateOfBirth
                }
            },

And a test user like this:

new TestUser
{
   SubjectId = "1",
   Username = "Billy Admin",
   Password = "password",
   Claims = new List<Claim>()  
   {
      new Claim("roles", "phone.api.admin"),
       new Claim(ClaimTypes.DateOfBirth,new DateTime(1900,10,10).ToString())
   }
 }

The api is protected with the following code:

services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = Config.AUTHAUTHORITY; //"http://localhost:4000";
                options.ApiName = "phone.api";
                options.ApiSecret = "secret1";
                options.RequireHttpsMetadata = false;
            });

I have the question if when a client+ access_token (not cotaining the claim 'ClaimTypes.DateOfBirth' , the API will automatically call the user info endpoint in the authority server to get the extra claims are needed. The reason I need the extra claims are fore cheking some policies like:

services.AddAuthorization(options =>
{
     options.AddPolicy("Only21", policy => policy.Requirements.Add(new MinimumAgeRequirement(21)));
} );

My tests shows me that it is not calling the userinfo endpoint, and I want to know why. Should I call it in my own AuthorizationHandler<MinimumAgeRequirement>?

Many thanks.

Answer 1

Badulake's question is an interesting one: how do you manage API claims in an OAuth Architecture in a manner that actually works best for the API?

It is not just an OAuth technology question - it is more of an API extensibility design question. I have found that managing claims data in the API works best, and it is common to use claims caching to make this perform well.

• OAuth 2.0 API Extensible Architecture

Out of interest, here is a .Net code sample that implements the above architecture:

• .Net Core API Code Sample

Recently I've been doing some AWS Serverless APIs and it was interesting to find that the AWS API Gateway also uses this type of approach.