
I'm using IdentityServer4 with a mix of v4/v3 clients.

I have custom profile data that is stored on the application side that I'd like to include in the access_token so that my downstream APIs can use this with bearer/JWT authentication.

I understand I can manipulate claims via IProfileService, but that is registered on the identity side, not the application.

How can I get my custom profile claims into the requested access token?

Additional Details

I've done a proof of concept using Extension Grants to specifically pass my application claims through the IdS so that it includes those in the token. It works...but feels pretty hacky.

Jeremy Smith

3 Answers


Please do not do that. The JWT token is sent with every request.

If the downstream API needs something from the user, then either submit it with the call, or have an endpoint the downstream API can call. Embedding rarely used large information in something transmitted with every call (except in HTTP 2.0) is a nonononono.

TomTom
  • By 'custom profile claims' I don't mean things like favorite color, pet's name, etc...they're values used for authorization in downstream services, e.g. company IDs. I def don't plan to bloat the token. – Jeremy Smith Jul 22 '18 at 17:46

You cannot change JWT token content after it has been created and signed by the authorization server. But you can use ClaimsTransformation to manipulate claims on the API project.

Edit: Another option is to use the JwtBearer OnTokenValidated event.

adem caglin

Any claims issued from your implementation of IProfileService should end up in the token. Note that your implementation of IProfileService should check if it is issuing claims related to IdentityResources or ApiResources. It would be a bit pointless adding api claims to an id_token.

When the client receives the token from your IDS, it will pass it in calls to your API. If your client is using cookie authentication, the tokens themselves as well as some user profile claims will be stored in the authentication cookie. This obviously depends on the flow you are using (Implicit, Hybrid, etc.).

If you want to inspect what you get back from the IDS at the client, you could add a Cookie Authentication event handler (e.g. OnValidatePrincipal) to see what's stored in the cookie, or add an OnUserInformationReceived event handler to your OIDC handler and inspect what you get back in there.

Simon
  • Are you suggesting that my Profile Service should reach out to my application's User Profile API to retrieve any missing details during authentication? I considered this but didn't want to couple my services as more application are added to our domain. – Jeremy Smith Jul 22 '18 at 17:54
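As an added example, not code from the question or any of the answers, this is a profile service along the lines Simon describes: it only adds the application's authorization claims when IdentityServer4 is building an access token, and lets IdentityServer4 filter them to the claim types the ApiResource declared. The IAppProfileStore interface and the company_id claim type are hypothetical names.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Services;

// Hypothetical lookup into the application-side profile store (not part of IdentityServer4).
public interface IAppProfileStore
{
    Task<IEnumerable<Claim>> GetAuthorizationClaimsAsync(string subjectId);
    Task<bool> IsActiveAsync(string subjectId);
}

public class AppProfileService : IProfileService
{
    private readonly IAppProfileStore _store;
    public AppProfileService(IAppProfileStore store) => _store = store;

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // Only add authorization claims to access tokens; they are pointless
        // in an id_token and would bloat it (the concern raised in TomTom's answer).
        if (context.Caller != IdentityServerConstants.ProfileDataCallers.ClaimsProviderAccessToken)
            return;

        var sub = context.Subject.FindFirst("sub")?.Value;
        if (string.IsNullOrEmpty(sub)) return;

        var appClaims = await _store.GetAuthorizationClaimsAsync(sub);

        // AddRequestedClaims keeps only claim types listed in context.RequestedClaimTypes,
        // i.e. those the requested ApiResource declared in UserClaims, so unrequested
        // profile data never reaches the token.
        context.AddRequestedClaims(appClaims);
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        // Refresh-token and introspection checks land here; a deactivated user
        // should stop getting new tokens even if the cookie session is still alive.
        var sub = context.Subject.FindFirst("sub")?.Value;
        context.IsActive = !string.IsNullOrEmpty(sub) && await _store.IsActiveAsync(sub);
    }
}

// Resource registration: declares which application claims may flow into tokens for this API.
public static class Resources
{
    public static IEnumerable<ApiResource> Apis => new[]
    {
        new ApiResource("downstream-api", "Downstream API") { UserClaims = { "company_id" } }
    };
}
```

Register the service with services.AddIdentityServer().AddProfileService<AppProfileService>() on the IdentityServer host; the downstream API then reads company_id from the validated bearer token rather than calling back to the profile API.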