Duende.IdentityServer v6 > Custom IProfileService implementation does not read IssuedClaims from database after migrating from IdentityServer4

Question

Our web application was using IdentityServer4 (package 2.5.4) and now we migrated to Duende.IdentityServer v6. We have custom IProfileService implementation. The code of client application and ProfileService 100% the same.

In our case, GetProfileDataAsync is called first with ClaimsProviderAccessToken, we create our custom session here and issue two new claims which we add to context.IssuedClaims. They are still saved to database to PersistedGrants table, Data column.

These new claims are still acceccible in client web application, we are good here.

But when it is time to get new access token, IsActiveAsync is called with RefreshTokenValidation and context.Subject does not have these new claims from IssuedClaims anymore.

It works fine in old version, but not in new Duende.IdentityServer v6. Absolutelly not clear what was changes and what direction to use now.

Our goal is to allow one IdentityServer session and several web client sessions. So users can login to IdentityServer once and then reuse this session in different clients without entering login\password.

Simplified code:

public class CustomClaimService : IProfileService
{
    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var claimsToIssue = new List<Claim>();
        switch (context.Caller)
        {
            case IdentityServerConstants.ProfileDataCallers.ClaimsProviderAccessToken:
                context.IssuedClaims.Add(new Claim(ClaimTypes.TestClaim, "TestClaimValue"));
                break;
        }
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        switch (context.Caller)
        {
            case IdentityServerConstants.ProfileIsActiveCallers.RefreshTokenValidation:
                var encryptedClaim = context.Subject?.Claims?.FirstOrDefault(c => c.Type == ClaimTypes.TestClaim); // ALWAYS NULL
                context.IsActive = encryptedClaim != null;
                break;
        }
    }

Answer 1

The problem can be traced to Duende.IdentityServer.ResponseHandling.CreateAccessTokenAsync (took hours of debugging to figure it out). The solution is to update claims of context.Subject (through Identity, because context.Subject.Claims is read-only) as well, after setting context.IssuedClaims. For your case it would be something like this:

context.IssuedClaims.Add(new Claim(ClaimTypes.TestClaim, "TestClaimValue"));

ClaimsIdentity identity = (ClaimsIdentity)context.Subject.Identity;

if (!identity.Claims.Any(claim => claim.Type == ClaimTypes.TestClaim))
{
    identity.AddClaim(new Claim(ClaimTypes.TestClaim, "TestClaimValue"));
}

Now, when refreshing the token, context.Subject.Claims will contain your TestClaim