2

My MVC client's access token contains an "idp" claim that my simple server-to-server client's token doesn't. I don't explicitly request idp on either client, so where is this claim coming from? I thought it was part of "openid", and since it is available by default to the MVC client, you don't need to request it, but I couldn't find any documentation/specification that confirms it. By the way, I am unable to add the openid scope to my server-to-server client, as I am getting an "invalid scope" error when I do that. What I am trying to do here is to get the "idp" claim into the token for my server-to-server client as well, but I'm not sure if that's possible. Can someone point me in the right direction?

Alexu
  • Hi @Alexu, am I right to understand that you want to include the idp claim in the access_token, not in the id_token? Which grant_type do you use to issue tokens? – Georgy Tarasov Dec 24 '21 at 08:00
  • That's right. I use both authentication-code flow (in MVC) and client-credential flow (in server-to-server client). – Alexu Dec 24 '21 at 15:39

2 Answers

1

The idp claim in IdentityServer stands for the external identity provider (such as Google). That's why it does not make any sense when you request a token from your local IdP with the "client_credentials" flow. If you are interested in the info about the token's issuer, just use the iss claim instead. If you are sure you need the idp (or any other custom) claim in each and every token, you can involve a custom ClaimsService as I explained in my previous answer.

d_f
  • Sure. I guess I thought about "client credentials for the service" while I was typing. Thanks for finding the typo; in the referred answer it was correct. – d_f Jul 03 '23 at 09:26
1

When you do server-to-server communication using the client-credentials flow, there is no user involved and hence the openid scope has no purpose, as its core purpose is to ask for the subject claim (the user Id).

The idp claim is not part of any scope and is usually added by IdentityServer.

Why do you need the idp claim? Your API and client both trust the shared IdentityServer.

To complement this answer, I wrote a blog post that goes into more detail about this topic: Debugging OpenID Connect claim problems in ASP.NET Core

Tore Nestenius
  • Thanks for explaining the idp for me. Not sure why the IdentityServer doc doesn't have (or I couldn't find) any explanation for this. I just want to have that info on the API side for auditing purposes, nothing really critical, but I still want to understand. I guess I could use iss for that, as d_f suggested below. – Alexu Dec 24 '21 at 15:42
  • @Alexu if your purpose is audit, **use** `idp` when it exists (sometimes there will be just _local_). `iss` is who issued the token, while `idp` is who authenticated the user. That is the difference, and yes, it is not documented by either the OpenID Foundation or IdentityServer afaik – d_f Dec 24 '21 at 16:27
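The API-side audit logic that the answer and comment above describe (`iss` says who issued the token, `idp` says who authenticated the user, and a client-credentials token has neither a user nor an `idp`), as an added Python example that is not part of this thread or of IdentityServer's own code. It uses an HS256 demo key and a hypothetical issuer URL purely so it runs offline; a real resource server validates IdentityServer's RS256 access tokens against the issuer's published signing keys through a JWT library. The three sample payloads are constructed to mirror the MVC client signed in through an external provider, the MVC client signed in locally, and the server-to-server client.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key and hypothetical issuer URL; a real API validates RS256
# signatures with the issuer's JWKS keys via a JWT library, not with a shared secret.
DEMO_KEY = b"constructed-demo-hmac-key-not-for-production"
EXPECTED_ISSUER = "https://idp.example.test"
FAR_FUTURE = 4102444800  # 2100-01-01, keeps the constructed samples valid when run later

# Constructed sample payloads mirroring the three cases discussed in the thread.
MVC_TOKEN_EXTERNAL = {"iss": EXPECTED_ISSUER, "exp": FAR_FUTURE, "client_id": "mvc",
                      "sub": "user-123", "idp": "Google", "scope": ["openid", "api1"]}
MVC_TOKEN_LOCAL = {"iss": EXPECTED_ISSUER, "exp": FAR_FUTURE, "client_id": "mvc",
                   "sub": "user-456", "idp": "local", "scope": ["openid", "api1"]}
S2S_TOKEN = {"iss": EXPECTED_ISSUER, "exp": FAR_FUTURE, "client_id": "worker",
             "scope": ["api1"]}  # client_credentials: no sub, no idp


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(payload: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256-signed JWT for the demo (stand-in for IdentityServer's RS256 tokens)."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Return the payload only after signature, algorithm, issuer and expiry all check out.

    Audit fields must come from a validated token; an unverified payload is just JSON
    anyone could have written.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if payload.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return payload


def is_valid(token: str, key: bytes = DEMO_KEY) -> bool:
    """Boolean wrapper around verify_token for callers that only need accept/reject."""
    try:
        verify_token(token, key)
        return True
    except ValueError:
        return False


def audit_record(payload: dict) -> dict:
    """Derive audit fields: who issued the token (iss) versus who authenticated the user (idp)."""
    record = {"issuer": payload["iss"], "client": payload.get("client_id")}
    if "sub" not in payload:
        # Client-credentials token: no user was authenticated, so there is no idp to record.
        record.update({"token_kind": "client", "subject": None, "authenticated_by": None})
        return record
    record.update({
        "token_kind": "user",
        "subject": payload["sub"],
        # IdentityServer sets idp to "local" for its own login page; treat a missing
        # claim the same way instead of failing the audit.
        "authenticated_by": payload.get("idp", "local"),
    })
    return record


if __name__ == "__main__":
    for sample in (MVC_TOKEN_EXTERNAL, MVC_TOKEN_LOCAL, S2S_TOKEN):
        print(audit_record(verify_token(make_token(sample))))
```

The point of the split between `issuer` and `authenticated_by` is the one d_f makes: both tokens carry the same `iss`, but only a user token can tell you which provider actually authenticated the person, and for the worker client that field is legitimately empty rather than an error.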