Accessing User Properties from HybridFlow Client & IdentityServer4
We have IdentityServer4 set up and we've created client apps based on the HybridFlow and JavaScript quickstarts. The ID server uses AspNetIdentity and I'm confused about how to get access to user properties that are NOT claims, such as "AspNetUser>TwoFactorEnabled", on the client side. I could look them up using the Sub claim but don't want to make that database round trip on every page access.

My OpenIdConnectAuthenticationOptions objects have these scopes defined:

```csharp
Scope = "api1 openid profile read write offline_access active_dir email"
```

Can IDS4 return "TwoFactorEnabled" as a claim, or am I missing something simple? This is what some of our startup.cs code looks like:

```csharp
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    ClientId = "fake clientid",
    ClientSecret = "fake secret",
    Authority = _AuthConfig["BaseAddress"],
    RedirectUri = _AuthConfig["ThisSiteBaseUrl"] + "/signin-oidc",
    PostLogoutRedirectUri = _AuthConfig["ThisSiteBaseUrl"] + "/Home/SignOutCallback",
    ResponseType = "code id_token",
    Scope = "api1 openid profile read write offline_access active_dir email",
    RequireHttpsMetadata = false,
    TokenValidationParameters = new TokenValidationParameters()
    {
        NameClaimType = "name",
        RoleClaimType = "role"
    },
    SignInAsAuthenticationType = "Cookies",
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        AuthorizationCodeReceived = async n =>
        {
            // use the code to get the access and refresh token
            var tokenClient = new TokenClient(
                _AuthConfig["TokenEndpoint"],
                "fake clientid",
                "fake secret");
            var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(
                n.Code, n.RedirectUri);
            if (tokenResponse.IsError)
            {
                throw new Exception(tokenResponse.Error);
            }

            // use the access token to retrieve claims from userinfo
            var userInfoClient = new UserInfoClient((new Uri(_AuthConfig["UserInfoEndpoint"])).ToString());
            var userInfoResponse = await userInfoClient.GetAsync(tokenResponse.AccessToken);

            // create new identity
            var id = new ClaimsIdentity(n.AuthenticationTicket.Identity.AuthenticationType);
            id.AddClaims(userInfoResponse.Claims);
            id.AddClaim(new Claim("access_token", tokenResponse.AccessToken));

            // ... (rest of the handler omitted in the post)
        }
    }
});
```
asp.net identityserver4
asked Nov 16 '18 at 17:35
CSharper
268
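One way to get a non-claim ASP.NET Identity column such as `TwoFactorEnabled` onto the client without a per-page database lookup is to let IdentityServer4 issue it as a claim: define a custom identity scope that maps to the claim type, and register an `IProfileService` that reads the user row once at token/userinfo time. The following is an added example, not code from the question or from the IdentityServer4 project; `ApplicationUser` (the `IdentityUser` subclass), the scope name `security_status` and the claim type `two_factor_enabled` are assumptions chosen for illustration.

```csharp
// Added example (not from the question): emit the ASP.NET Identity
// "TwoFactorEnabled" column as a claim from IdentityServer4 so the
// HybridFlow client receives it via the userinfo endpoint.
// Assumptions: ApplicationUser is the server's IdentityUser subclass;
// "security_status" and "two_factor_enabled" are hypothetical names.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public static class ExampleResources
{
    public static IEnumerable<IdentityResource> GetIdentityResources() => new IdentityResource[]
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
        new IdentityResources.Email(),
        // Hypothetical custom scope: a client that requests "security_status"
        // gets "two_factor_enabled" added to its requested claim types.
        new IdentityResource("security_status", new[] { "two_factor_enabled" })
    };
}

public class TwoFactorProfileService : IProfileService
{
    private readonly UserManager<ApplicationUser> _userManager;

    public TwoFactorProfileService(UserManager<ApplicationUser> userManager)
    {
        _userManager = userManager;
    }

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // Only issue the claim when the client's scopes actually request it,
        // so the value is not handed to every client that can reach userinfo.
        if (!context.RequestedClaimTypes.Contains("two_factor_enabled"))
            return;

        var sub = context.Subject.GetSubjectId();
        var user = await _userManager.FindByIdAsync(sub);
        if (user == null)
            return;

        // Single DB read per token/userinfo request instead of one per page view.
        context.IssuedClaims.Add(new Claim("two_factor_enabled",
            user.TwoFactorEnabled ? "true" : "false"));
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        // Minimal liveness check; keep the stock AspNetIdentity security-stamp
        // logic here if you replace IdentityServer4's default profile service.
        var user = await _userManager.FindByIdAsync(context.Subject.GetSubjectId());
        context.IsActive = user != null && !await _userManager.IsLockedOutAsync(user);
    }
}

public static class ExampleStartup
{
    public static void ConfigureIdentityServer(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddInMemoryIdentityResources(ExampleResources.GetIdentityResources())
            .AddAspNetIdentity<ApplicationUser>()
            // Must come after AddAspNetIdentity, which registers its own
            // profile service; the later registration wins.
            .AddProfileService<TwoFactorProfileService>();
    }
}
```

On the client side nothing beyond adding `security_status` to the `Scope` string is required: the `AuthorizationCodeReceived` handler in the question already copies every userinfo claim into the cookie identity, so the value is then available as `User.FindFirst("two_factor_enabled")`. Treat it as a snapshot taken at sign-in: if a user toggles 2FA afterwards, the cookie keeps the old value until the next login or userinfo refresh, so any server-side decision that must reflect the current setting should still read the database.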