
javascript - oidc-client-js is not getting claims correctly from Identity Server 4 - Stack Overflow


I have a local instance of Identity Server 4 and I'm trying to follow this guide to create a Javascript client. This uses the oidc-client-js library and I'm using the signin popup approach so my sign in event handler looks like this:

signin(e) {
    e.preventDefault();
    this.oidcUserMgr.signinPopup({state:'some data'}).then(function(user) {
        console.log("signed in", user.profile);
    }).catch(function(err) {
        console.log(err);
    });
} 

Authentication appears to work fine - I'm redirected to my Identity Server which accepts the client request, authenticates my sign in and returns me to the client app. However, the docs say that the user.profile object in the above code should contain the user claims but it doesn't. This is the user.profile I get back:

The sub property is the correct ID of the user just authenticated. But my Identity Server also issued claims in response to the other scopes my client requested (profile and email), so I should be seeing claims such as name, preferred_username, email etc. I can observe these claims being issued when debugging my IProfileService implementation in IS4. Furthermore, if I use the access_token returned with the user object to make a request to another API running locally (an ASP.NET Web API) I do see these claims in this.User.Claims:

So how can I get hold of these claims in my Javascript code?

asked Mar 12, 2018 at 8:49 by Tom Troughton
  • Could you use the userinfo endpoint, which should be a standard OpenID Connect implementation? That API should return all the response required. – Sohan Commented Mar 12, 2018 at 8:57
  • @Sohan My assumption is that the openid-connect-js library already does this since the IS4 docs suggest it should populate user.profile with requested claims. – Tom Troughton Commented Mar 12, 2018 at 12:10
  • Did you set scopes inside your JS app and in the database [ClientScopes]? Your app needs to request them so they will be in the response. – Mopa Commented Mar 12, 2018 at 12:54
  • @getsetcode Sorry to ask here, but how are you getting those user claims (name, email, etc.) in the external API project? When I access this.User.Claims in an ApiController I don't see those user claims, just the "basic" client ones. – empz Commented Dec 10, 2018 at 16:10

1 Answer (score 8)

Those user claims are likely coming inside the ID Token. To make this work, check if you've got AlwaysIncludeUserClaimsInIdToken = true in your IDP Provider's Client configuration, like

    public static IEnumerable<Client> GetClients()
    {
        return new List<Client>()
        {
            new Client()
            {
                ClientName = "IDP Client",
                ClientId = "client",
                ClientSecrets = { new Secret("secret".Sha256()) },
                AllowedGrantTypes = GrantTypes.Hybrid,
                RedirectUris = new List<string>()
                {
                    "http://localhost:60811/signin-oidc"
                },
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "myapi"
                },
                // Put the user claims for the granted identity scopes into the id_token itself,
                // rather than only serving them from the userinfo endpoint
                AlwaysIncludeUserClaimsInIdToken = true,
                AllowOfflineAccess = true
            }
        };
    }
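An added example, not code from the question or from the oidc-client-js library, that models how a client such as oidc-client-js assembles user.profile from its two claim sources: the id_token payload (which AlwaysIncludeUserClaimsInIdToken controls on the IS4 side) and the userinfo endpoint (only when the client loads it). The token values, the userinfo response and the protocol-claim list are constructed for the demo; `buildProfile` and `scenarios` are hypothetical helper names.

```javascript
// Constructed, unsigned demo tokens. A real client must verify the signature
// before trusting any claim; this helper only builds sample payloads offline.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function makeJwt(payload) {
  return `${b64url({ alg: 'none', typ: 'JWT' })}.${b64url(payload)}.`;
}
function decodePayload(jwt) {
  // Node's base64 decoder accepts the URL-safe alphabet and missing padding.
  return JSON.parse(Buffer.from(jwt.split('.')[1], 'base64').toString('utf8'));
}

// Protocol claims the client strips from profile when filterProtocolClaims is on
// (approximation of the library's list, assumed for this example).
const PROTOCOL_CLAIMS = ['iss', 'aud', 'exp', 'nbf', 'iat', 'nonce', 'at_hash',
                         'c_hash', 'azp', 'amr', 'idp', 'auth_time'];

function buildProfile(idToken, settings, userinfoClaims) {
  const profile = {};
  for (const [k, v] of Object.entries(decodePayload(idToken))) {
    if (settings.filterProtocolClaims && PROTOCOL_CLAIMS.includes(k)) continue;
    profile[k] = v;
  }
  if (settings.loadUserInfo && userinfoClaims) {
    // userinfo must describe the same subject as the id_token (OIDC Core 5.3.2).
    if (userinfoClaims.sub !== profile.sub) throw new Error('userinfo sub mismatch');
    Object.assign(profile, userinfoClaims);
  }
  return profile;
}

// Constructed sample data: what IS4 emits with and without the setting.
const base = { iss: 'https://localhost:5000', aud: 'js-client', sub: '818727',
               exp: 1520841600, nonce: 'n-0S6_WzA2Mj' };
const userClaims = { name: 'Alice Example', preferred_username: 'alice',
                     email: 'alice@example.com' };

function scenarios() {
  const filtered = { filterProtocolClaims: true, loadUserInfo: false };
  return {
    // IS4 default: only sub in the id_token and userinfo not loaded -> just { sub }
    sparse: buildProfile(makeJwt(base), filtered),
    // Same token, but the client fetches userinfo -> profile/email claims appear
    viaUserInfo: buildProfile(makeJwt(base), { ...filtered, loadUserInfo: true },
                              { sub: '818727', ...userClaims }),
    // AlwaysIncludeUserClaimsInIdToken = true: the claims ride in the id_token itself
    inIdToken: buildProfile(makeJwt({ ...base, ...userClaims }), filtered),
  };
}
```

The `sparse` case reproduces the symptom in the question (a profile holding only `sub`); the other two cases show the two ways the missing claims can reach the client.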