
I have a role admin assigned to a user. On that role, there's a claim elevated. When I sign in using authorization code flow and get the token, the sub field is correctly set. However, there's no sight of the role nor the claim for it.

I checked the AspNetUserRoles against the IDs for the user and the role. Those were set up correctly. What more can be the cause of this?

The claims for the client are present in the JWT too but nothing related to the user that just logged in.

Do I have to implement profile service and amend those manually? I expected the roles that the user is in to be added automatically, along with whatever claims that are related to them.

Konrad Viltersten

1 Answer


First, you must investigate whether the claim is present in the ID token or from the UserInfo endpoint. You need to do this to isolate if it is an IdentityServer or client application issue.

In the client, you have things like claims transformation and claims mapping that you might need to set depending on what your actual needs are.

For example, on AddOpenIdConnect, there is an option named options.MapInboundClaims that you can set to false.

You might also need to point out the name of the role and name claim as well using:

// Tell the client which incoming claim types hold the user's name and roles
options.TokenValidationParameters = new TokenValidationParameters
{
    NameClaimType = JwtClaimTypes.Name,
    RoleClaimType = JwtClaimTypes.Role
};

To add custom claims to the IdentityResource, then here is an example:

var employeeInfoScope = new IdentityResource()
{
    Name = "employee_info",
    DisplayName = "Employee information",
    Description = "Employee information including seniority and status...",
    Emphasize = true,
    Enabled = true,
    Required = true,
    ShowInDiscoveryDocument = true,
    // User claims released when a client requests this scope
    UserClaims = new List<string>
    {
        "employment_start",
        "seniority",
        "contractor",
        "employee",
        "management",
        JwtClaimTypes.Role
    }
};

To complement this answer, I wrote a blog post that goes into more detail about this topic: Debugging OpenID Connect claim problems in ASP.NET Core

Tore Nestenius
  • I've got me a JWT and called user info endpoint. It only returned *sub* with the correct GUID but nothing more. Not even the basic data as [suggested here](https://docs.duendesoftware.com/identityserver/v6/reference/endpoints/userinfo/), let alone any roles nor claims. Do I need to add more identity resources for that? A bit confused at the moment... – Konrad Viltersten Feb 28 '23 at 19:53
  • I also tried to add identity resources like *openid*, *profile*, *role* and *roles*. I got them correctly assigned to my client (otherwise I got an error about the scope being missing or not available for it). Still, nothing more than *sub* returned. No name, no email no nothing... – Konrad Viltersten Feb 28 '23 at 20:16
  • I do have a blog post about the identity server resource types here: https://nestenius.se/2023/02/02/identityserver-identityresource-vs-apiresource-vs-apiscope/ You also need to list what user claims should be presented in the IdentityToken and Access token, by tweaking the resource types in identityserver. – Tore Nestenius Mar 01 '23 at 07:44
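Putting the two halves of the answer together, as an added example that is not code from the answer or from the Duende/IdentityServer project: the server declares an identity resource that carries the role claim and a client that is allowed to request it, and the client requests that scope and tells its cookie principal which claim type is the role. The scope name "roles", the client id "mvc", the secret and the URLs are assumed; the files assume .NET 6+ implicit usings, and the client file additionally needs `using IdentityModel;` and `using Microsoft.IdentityModel.Tokens;`.

```csharp
// Server project, Config.cs (added example; "roles", "mvc" and the URLs are assumed)
using Duende.IdentityServer.Models;
using IdentityModel;

public static class Config
{
    // A resource that carries the "role" user claim. Without a resource listing
    // the claim, IdentityServer issues only "sub", as seen in the question.
    public static IEnumerable<IdentityResource> IdentityResources => new IdentityResource[]
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
        new IdentityResource("roles", "User roles", new[] { JwtClaimTypes.Role })
    };

    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "mvc",
            ClientSecrets = { new Secret("secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.Code,
            RedirectUris = { "https://localhost:5002/signin-oidc" },
            // The client must be allowed the scope or the request fails with invalid_scope.
            AllowedScopes = { "openid", "profile", "roles" },
            // Put the user claims in the ID token itself, not only behind UserInfo.
            AlwaysIncludeUserClaimsInIdToken = true
        }
    };
}

// Client project, Program.cs
builder.Services.AddAuthentication(o => { o.DefaultScheme = "Cookies"; o.DefaultChallengeScheme = "oidc"; })
    .AddCookie("Cookies")
    .AddOpenIdConnect("oidc", options =>
    {
        options.Authority = "https://localhost:5001";
        options.ClientId = "mvc";
        options.ClientSecret = "secret";
        options.ResponseType = "code";
        options.Scope.Add("roles");       // request the resource declared above
        options.MapInboundClaims = false; // keep "role"/"name", not the long legacy URIs
        options.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = JwtClaimTypes.Name,
            RoleClaimType = JwtClaimTypes.Role
        };
    });
```

If the claim still does not show up, decode the ID token first and only then call UserInfo, so you know which side dropped it.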