It appears to me that I cannot add a custom claim (that is user-specific) to the response of my first call to Identity Server. Can someone confirm that assumption?
Here is what we are doing in our app: Using ResourceOwner Flow, our web app (server side) calls Identity Server sending the user's logonID and password and scopes.
We get back a JWT which contains the standard claims like sub, idp, client_id; but we would like to add one more. To simplify, let's say that one additional claim is the emailAddress of the user.
It appears that we must make another call to the Identity Server and get a new token. Is that correct? Isn't there some way we can get that value in the initial call?
Sorry to be the one to answer my own question, but I found out how to make this work.
- Create a custom scope. Make sure that the Type = ScopeType.Resource, and that IncludeAllClaimsForUser = false, and add a collection of Claims to the scope, and set the second parameter of the ScopeClaim to true.
- Add the custom scope to your client.
- In your IUserService override, in AuthenticateLocalAsync, make sure to pass the user.Claims as the 3rd parameter in the call to AuthenticateResult.
In your IUserService override, in GetProfileDataAsync add the following code:
if (context.RequestedClaimTypes != null) { List<Claim> newclaims = new List<Claim>(); foreach (Claim claim in context.Subject.Claims) { if (context.RequestedClaimTypes.Contains(claim.Type)) { newclaims.Add(claim); } } context.IssuedClaims = newclaims; } return Task.FromResult(context.IssuedClaims);Finally, to make sure that GetProfileDataAsync fires every time the user logs in, not just the first time, make sure that you do not have caching turned on. This probably means removing a line of code in your startup that looks like this: factory.ConfigureUserServiceCache().
来源:https://stackoverflow.com/questions/34107146/seeking-confirmation-that-identityserver-3-does-not-support-custom-claims-withou