How to issue some user claims depending on the client?

Question

I would like to be able to issue a phone_number claim xor email claim depending on what is required by the client. I use Identity Server 5(Duende) but the answer will be the same for Identity Server 4.

I understand that I can add a claim to identity token in ProfileService, however how to configure the client in the db so I will be able to check what is required by a client in the profile service?

Answer 1

The additional claims should be configured in either ApiScopeClaims/ApiResourceClaims or IdentityResourceClaims depending on if the claim should be include in the access token or the id token (could be both).

For example you if have:

IdentityResource { Id = 1, Name = "profile" }

Then in IdentityResourceClaims table you should add:

IdentityResourceClaim { Id = 1, IdentityResourceId = 1, Type = "phone_number" } IdentityResourceClaim { Id = 2, IdentityResourceId = 1, Type = "email" }

Then when the client requests the profile scope, phone_number and email claim types will be included in ProfileDataRequestContext.RequestedClaimTypes in the ProfileService.

Then inside ProfileService you can use ProfileDataRequestContext.RequestedClaimTypes and context.AddRequestedClaims to only add the Claims the were requested from the client:

public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
    if (context.RequestedClaimTypes.Any())
    {
        ...

        // create the user claims list
        var claims = CreateClaims(user);

        // this will filter claims list and only add those requested by the client
        context.AddRequestedClaims(claims);
    }
}