
I've implemented the resource owner password grant and am trying to add the IssuedAt claim to my JWT token. But when the token is generated, the "iat" claim is not coming. Code snippet:

var claims = new List<Claim>
{
    new Claim(JwtClaimTypes.Id, user.Id.ToString()),
    new Claim(JwtClaimTypes.Email, user.Email),
    new Claim(JwtClaimTypes.Name, user.UserName),
    new Claim(JwtClaimTypes.IssuedAt, DateTime.UtcNow.ToEpochTime().ToString(), ClaimValueTypes.Integer64),
};

Cannot figure out why IdentityServer is not inserting the iat (issued at) claim.

ApiResource below:

public static IEnumerable<ApiResource> GetApiResources()
{
    return new List<ApiResource>
    {
        new ApiResource("ecapi", "eCommerce API")
        { ApiSecrets = { new Secret(clientSecret.Sha256()) } },
    };
}

Client is defined as below:

new Client
{
    ClientId = "resourceOwner",
    ClientSecrets =
    {
        new Secret(clientSecret.Sha256())
    },
    AccessTokenType = AccessTokenType.Jwt,

    AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
    AccessTokenLifetime = 1000,
    AllowOfflineAccess = true,
    AllowedScopes =
    {
        "offline_access",
        "ecapi",
    }
}

Updated claims list:

var claims = new List<Claim>
{
    new Claim(JwtClaimTypes.Id, user.Id.ToString()),
    new Claim(JwtClaimTypes.Email, user.Email),
    new Claim(JwtClaimTypes.Name, user.UserName),
};

Suraj
    Can you add the context for the piece of code that you wrote? It's weird to generate tokens manually when you're using Identity Server – Camilo Terevinto Nov 26 '21 at 10:44
  • The token given by our Identity Server is not having the "iat" claim. After authenticating the user from our side, we need to provide the token to a third party app. They are expecting the 'iat' claim in the token. As it was not coming by default, we tried adding the JwtClaimTypes.IssuedAt. – Suraj Nov 26 '21 at 11:46

2 Answers

0

Where do you not see the iat claim?

Inside the token or in the ClaimsPrincipal object?

By default, many of these internal claims are not included in the final ClaimsPrincipal user object, as they are more internal claims for the OpenID Connect handler and security.

You need to remove the following API resources:

new ApiResource("openid", "Open Id"),
new ApiResource("role", "User Role")

They don't make any sense.

You need to add the concept of ApiScopes as well. You should check this page out. An ApiScope named ecapi and an ApiResource named ecapi that points to the ecapi scope would make more sense.

See my answer here for more details about ApiResource vs ApiScopes.

Tore Nestenius
  • I am not seeing it in the payload of the JWT token. – Suraj Nov 26 '21 at 14:01
  • Can you post a sample token? Why do you add the iat claim manually? Shouldn't IdentityServer add it on its own? Why do you try to create your own claims in that way? Usually you add UserClaims. It feels you are using IdentityServer in the wrong way? – Tore Nestenius Nov 26 '21 at 14:37
  • I was expecting Identity Server to add the iat claim automatically. But it was not adding it on its own. That's why I tried adding it manually. But still it's not coming in the token. – Suraj Nov 26 '21 at 17:08
  • Can you post a sample copy of your JWT access token as it is sent by the IS? – Tore Nestenius Nov 26 '21 at 17:36
  • In your client, how do you get hold of the access token to later send to the API? Are you creating/building your own access token in the client? Do capture the access token as it is sent by IdentityServer on an HTTP level (using Fiddler for example). – Tore Nestenius Nov 26 '21 at 17:41
  • This is the token payload: { "nbf": 1638186966, "exp": 1639396566, "iss": "http://[servername]/authserver", "aud": [ "http://[servername]/authserver/resources", "ecapi", "openid", "role" ], "client_id": "resourceOwner", "sub": "6d2a4a56-7f8b-4309-9255-bb186ae1f834", "auth_time": 1638186966, "idp": "local", "scope": [ "ecapi", "openid", "role", "offline_access" ], "amr": [ "password" ] } – Suraj Nov 29 '21 at 13:33
  • Your aud claim seems a bit off, with openid and role listed there? Can you post your ApiScope and ApiResource definition in the question? As it seems not to be correct. – Tore Nestenius Nov 29 '21 at 14:20
  • Updated the question with ApiScope and ApiResource definitions – Suraj Nov 29 '21 at 17:14
  • See my updated answer. – Tore Nestenius Nov 29 '21 at 19:09
  • I tried after removing the above ApiResources, but still the "iat" claim is not seen in the JWT payload. Here is the payload: { "nbf": 1638248701, "exp": 1639458301, "iss": "http://[servername]/authserver", "aud": [ "http://[servername]/authserver/resources", "ecapi" ], "client_id": "resourceOwner", "sub": "6d2a4a56-7f8b-4309-9255-bb186ae1f834", "auth_time": 1638248701, "idp": "local", "scope": [ "ecapi", "offline_access" ], "amr": [ "password" ] } – Suraj Nov 30 '21 at 06:42
  • Please update your question with your latest code, also do remove "new Claim(JwtClaimTypes.IssuedAt, DateTime.UtcNow.ToEpochTime().ToString(), ClaimValueTypes.Integer64)," from your code. Also do paste a copy of your JWT token in the question. – Tore Nestenius Nov 30 '21 at 07:17
  • I have updated the question with the latest code used. Please check. – Suraj Nov 30 '21 at 09:47
  • Any reason why you use ResourceOwnerPassword? Today, for new projects, you should try to only use the Authorization code flow or client credentials flow (see the OAuth 2.1 spec). You should also try to add ApiScope in your configuration. – Tore Nestenius Nov 30 '21 at 10:43
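The configuration the answer above recommends (an ApiScope named ecapi, an ApiResource named ecapi that references that scope, and "openid" handled as an identity resource rather than an API resource), written out as an added example that is not code from the question or from either answer. It assumes the IdentityServer4 4.x and System.IdentityModel.Tokens.Jwt packages; clientSecret is a placeholder, and the TokenInspector helper is a hypothetical addition for checking which time claims a token actually carries.

```csharp
// Added example, not part of the original question or answers.
// Assumes IdentityServer4 4.x and System.IdentityModel.Tokens.Jwt.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using IdentityServer4;
using IdentityServer4.Models;

public static class Config
{
    // Placeholder only; in a real deployment this comes from configuration or a vault.
    private const string clientSecret = "REPLACE-WITH-REAL-SECRET";

    // Scopes are what a client requests; they show up in the "scope" claim.
    public static IEnumerable<ApiScope> GetApiScopes() =>
        new List<ApiScope>
        {
            new ApiScope("ecapi", "eCommerce API")
        };

    // An API resource groups scopes and becomes the "aud" claim. The resource
    // lists the scope explicitly: in IdentityServer4 4.x the constructor no
    // longer creates a same-named scope for you.
    public static IEnumerable<ApiResource> GetApiResources() =>
        new List<ApiResource>
        {
            new ApiResource("ecapi", "eCommerce API")
            {
                Scopes = { "ecapi" },
                ApiSecrets = { new Secret(clientSecret.Sha256()) }
            }
        };

    // "openid" (and profile data such as roles) are identity resources,
    // not API resources, so they do not belong in GetApiResources().
    public static IEnumerable<IdentityResource> GetIdentityResources() =>
        new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile()
        };

    public static IEnumerable<Client> GetClients() =>
        new List<Client>
        {
            new Client
            {
                ClientId = "resourceOwner",
                ClientSecrets = { new Secret(clientSecret.Sha256()) },
                AccessTokenType = AccessTokenType.Jwt,
                AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
                AllowOfflineAccess = true,
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.OfflineAccess,
                    "ecapi"
                }
            }
        };
}

// Hypothetical helper: decodes a token (no signature validation, so this is
// for inspection only, never for authorization decisions) and reports which
// of the time-related claims are present. Running it over the access token
// exactly as IdentityServer returned it shows whether "iat" is really absent
// before the token is handed to the third-party application.
public static class TokenInspector
{
    private static readonly string[] TimeClaimNames = { "iat", "nbf", "exp", "auth_time" };

    public static IDictionary<string, string> TimeClaims(string jwt)
    {
        var token = new JwtSecurityTokenHandler().ReadJwtToken(jwt);
        return TimeClaimNames.ToDictionary(
            name => name,
            name => token.Claims.FirstOrDefault(c => c.Type == name)?.Value ?? "(missing)");
    }
}
```

Register the pieces with AddInMemoryApiScopes(Config.GetApiScopes()), AddInMemoryApiResources(Config.GetApiResources()), AddInMemoryIdentityResources(Config.GetIdentityResources()) and AddInMemoryClients(Config.GetClients()) on the IdentityServer builder. With this setup the "aud" claim should contain only the resources actually protecting an API (ecapi), which is what the answer's comments flag as wrong in the posted payload.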
0

I faced the same issue. Got it fixed by updating all the IdentityServer-related packages to the latest.