I am working with IdentityServer4. I want to pass an additional parameter from IdentityServer to the client. I am using the hybrid grant type with the OpenID Connect options.
I see that there are some acr_values. Should I use them? How can I add claims from IdentityServer to the client?
Update:
Clients:
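// Client registrations. This `return` sits inside a method whose signature is
// not part of this snippet.
return new List<Client>()
{
    // Hybrid flow (code + id_token + token) for the browser app, plus client
    // credentials for machine-to-machine calls.
    new Client()
    {
        ClientId = "mvcClient",
        ClientName = "MVC Client",
        AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
        ClientSecrets = new List<Secret>()
        {
            // Demo secret; a real deployment loads this from configuration.
            new Secret("secret".Sha256())
        },
        // where to redirect to after login
        // NOTE(review): the OWIN client on this page sends RedirectUri
        // "http://localhost:5002", which does not match this registration;
        // one side has to change — confirm which.
        RedirectUris = { "http://localhost:5002/signin-oidc" },
        // where to redirect to after logout
        PostLogoutRedirectUris = { "http://localhost:5002" },
        // Needed because the client's ResponseType includes "token", i.e. the
        // access token is returned through the browser front channel.
        AllowAccessTokensViaBrowser = true,
        // Explicit allow-list. The client requests exactly these scopes, so the
        // former AllowAccessToAllScopes = true, which overrode this list and
        // granted every scope, is dropped to keep the client least-privileged.
        AllowedScopes = new List<string>()
        {
            StandardScopes.OpenId.Name,
            StandardScopes.Profile.Name,
            StandardScopes.OfflineAccess.Name,
            StandardScopes.Roles.Name,
            StandardScopes.Email.Name,
            "NamfusAPI",
        },
        RequireConsent = false
    },
};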
Scope:
// Scopes this IdentityServer instance exposes. This `return` sits inside a
// method whose signature is not part of this snippet.

// The custom API resource scope, built separately for readability.
var apiScope = new Scope()
{
    Name = "NamfusAPI",
    Description = "Namfus API",
    Type = ScopeType.Resource,
    // Presumably releases every claim of the user into tokens for this scope,
    // which would make the explicit Claims list below redundant — verify.
    IncludeAllClaimsForUser = true,
    Claims = new List<ScopeClaim>()
    {
        // NOTE(review): these are the long WS-* URI claim types, while the
        // client works with the short "name"/"role" types; confirm the user
        // store actually issues the URI forms, otherwise nothing matches.
        new ScopeClaim(ClaimTypes.Name, true),
        new ScopeClaim(ClaimTypes.Role, true),
    }
};

return new List<Scope>()
{
    StandardScopes.OpenId,               // subject id
    StandardScopes.ProfileAlwaysInclude, // first name, last name
    StandardScopes.OfflineAccess,        // requesting refresh tokens for long lived API access
    StandardScopes.Roles,
    StandardScopes.Email,
    apiScope
};
My web-forms client has this:
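// OWIN pipeline of the web-forms client: cookie sign-in fed by the OpenID
// Connect hybrid flow against the local IdentityServer.

// Keep the short JWT claim names ("name", "role", "sub") instead of mapping
// them to the long WS-* URI claim types.
JwtSecurityTokenHandler.InboundClaimTypeMap.Clear();

app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "Cookies",
    ExpireTimeSpan = TimeSpan.FromMinutes(2),
    SlidingExpiration = true,
    // SameAsRequest keeps plain-HTTP localhost working and still marks the
    // cookie Secure once the site is served over HTTPS; the previous Never
    // left the session cookie unmarked even on HTTPS.
    CookieSecure = CookieSecureOption.SameAsRequest
});

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    AuthenticationType = "oidc",
    SignInAsAuthenticationType = "Cookies",
    Authority = "http://localhost:5000", // check in client side [not on priority]
    ClientId = "mvcClient",
    ClientSecret = "secret",
    // NOTE(review): the server registers "http://localhost:5002/signin-oidc";
    // this value has to match that registration exactly — confirm.
    RedirectUri = "http://localhost:5002",
    PostLogoutRedirectUri = "http://localhost:5002",
    // Hybrid flow. The authorization code is never redeemed in this snippet,
    // so no refresh token (offline_access) is obtained here — presumably
    // handled elsewhere; verify.
    ResponseType = "code id_token token",
    Scope = "openid profile NamfusAPI offline_access roles email",
    TokenValidationParameters = new TokenValidationParameters { NameClaimType = "name" },
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        // Rebuild the identity: drop protocol claims, keep the raw tokens, and
        // merge the claims returned by the userinfo endpoint.
        SecurityTokenValidated = async n =>
        {
            var protocolClaimTypes = new[]
            {
                "aud", "iss", "nbf", "exp", "nonce", "iat", "at_hash"
            };

            var claims = n.AuthenticationTicket.Identity.Claims
                .Where(c => !protocolClaimTypes.Contains(c.Type))
                .ToList();

            // The id_token is kept so it can be sent as id_token_hint on logout.
            claims.Add(new Claim("id_token", n.ProtocolMessage.IdToken));

            if (n.ProtocolMessage.AccessToken != null)
            {
                claims.Add(new Claim("access_token", n.ProtocolMessage.AccessToken));

                var userInfoClient = new UserInfoClient("http://localhost:5000/connect/userinfo",
                    new HttpClientHandler());
                var userInfoResponse = await userInfoClient.GetAsync(n.ProtocolMessage.AccessToken);

                // Only merge claims from a successful userinfo call; the original
                // read .Claims unconditionally, even from an error response.
                if (!userInfoResponse.IsError)
                {
                    var userInfoClaims = userInfoResponse.Claims
                        .Where(c => c.Type != "sub") // filter sub since we're already getting it from id_token
                        .Select(c => new Claim(c.Type, c.Value));
                    claims.AddRange(userInfoClaims);
                }
            }

            var identity = new ClaimsIdentity(
                n.AuthenticationTicket.Identity.AuthenticationType,
                "name", "role");
            identity.AddClaims(claims);

            n.AuthenticationTicket = new Microsoft.Owin.Security.AuthenticationTicket(
                identity, n.AuthenticationTicket.Properties);
        },

        // On logout, pass the stored id_token as id_token_hint so the provider
        // can end the session of this user.
        RedirectToIdentityProvider = n =>
        {
            if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
            {
                n.ProtocolMessage.IdTokenHint =
                    n.OwinContext.Authentication.User.FindFirst("id_token")?.Value;
            }
            return Task.FromResult(0);
        }
    }
});

app.UseStageMarker(PipelineStage.Authenticate);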
Regards, Asif Hameed