How to get id_token along with access_token from identityserver4 via "password" grant

I am trying to build an identity provider application using identityserver4; Currently, I am using "Resource Owner Password Credentials" flow and it returns access_token and refresh_token from token endpoint.

Code Snippet for calling TokenEndpoint from Client

var tokenClient = new TokenClient(<TokenEndpoint>, <ClientId>, <ClientSecret>);           
var tokenResponse = await tokenClient.RequestResourceOwnerPasswordAsync(<UserName>, <password>, <Scopes>);

My Question is, How to get "id_token" along with "access_token" and "refresh_token" by using the same "Resource Owner Password Credentials" flow?

How do I use reference token in identityserver4?

When using reference tokens - IdentityServer will store the contents of the token in a data store and will only issue a unique identifier for this token back to the client. The API receiving this reference must then open a back-channel communication to IdentityServer to validate the token.

What is Access_token Id_token?

Access tokens are what the OAuth client uses to make requests to an API. The access token is meant to be read and validated by the API. An ID token contains information about what happened when a user authenticated, and is intended to be read by the OAuth client.

How to get token identity?

How to get an identity token. To get an identity token, you need to ask for the openid scope in your authorization request. This scope tells the identity provider that you want to use OpenID Connect and find out how the user authenticated.

Can I use ID token for authorization?

ID Tokens should never be used to obtain direct access to APIs or to make authorization decisions.

How to get "id_token" along with "access_token" and "refresh_token" by using the same "Resource Owner Password Credentials" flow?

You don't.

In IdentityServer4, the Resource Owner Password Credentials flow provides only access tokens. If you also want an id token, then use the Authorization Code flow, the Implicit Code flow, or the Hybrid flow.

                                       access_token   id_token   refresh_token

Resource Owner Password Credentials        yes           -           yes

Authorization Code                         yes          yes          yes 

Implicit Flow                              yes          yes           -

Since you're wanting all three token types, and since you appear to be using server-side code, the Authorization Code flow fits best. Some kinds of Hybrid Flow will also work for you.

From the docs:

The OAuth 2.0 resource owner password grant allows a client to send username and password to the token service and get an access token back that represents that user.

From a GitHub issue:

OpenID Connect does not specify the resource owner flow - only interactive logons at the authorization server (like code or implicit flow). So [in other words,] no identity token - only access tokens.

How to get id_token along with access_token from identityserver4 via "password" grant_type?

Tags:

asp.net-core

openid-connect

identityserver4

codeninja.sj

People also ask

1 Answers

Shaun Luttin

Recent Activity

Donate For Us