IdentityServer4 appending client_ to claims

I have an IdentityServer4 server setup and have defined a single client as such:

    // Requires: using System.Collections.Generic; using System.Security.Claims;
    //           using IdentityServer4; using IdentityServer4.Models;
    public static IEnumerable<Client> Get()
    {
        return new List<Client> {
            new Client {
                ClientId = "oauthClient",
                ClientName = "Example Client Credentials Client Application",
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                ClientSecrets = new List<Secret> {
                    new Secret("superSecretPassword".Sha256())},
                AllowedScopes = {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    IdentityServerConstants.StandardScopes.Email,
                    "role",
                    "ControlCenter",
                    "CC.Send",
                },
                // Claims configured on the client itself; these are what end up
                // in the issued access token for the client credentials flow.
                Claims = new List<Claim>
                {
                    new Claim("CEO", "true"),
                    new Claim(ClaimTypes.Role, "CC.Send"),
                    new Claim(ClaimTypes.Role, "CEO")
                },
                RedirectUris = new List<string> {"https://localhost:44345/signin-oidc", "https://www.getpostman.com/oauth2/callback"},
                PostLogoutRedirectUris = new List<string> {"https://localhost:44345"}
            }
        };
    }

I am using Postman to test this and I can get a token at the /connect/token endpoint, but when I pass that token into the /connect/introspect endpoint it is returning:

    {
        "nbf": 1505422619,
        "exp": 1505426219,
        "iss": "https://localhost:44357",
        "aud": [
            "https://localhost:44357/resources",
            "ControlCenter"
        ],
        "client_id": "oauthClient",
        "client_CEO": "true",
        "client_http://schemas.microsoft.com/ws/2008/06/identity/claims/role": [
            "CC.Send",
            "CEO"
        ],
        "scope": "CC.Send",
        "active": true
    }

This was causing me trouble as I had secured my endpoint with:

    services.AddAuthorization(options =>
    {
        options.AddPolicy(
            "CanSendiSuiteProfiles",
            policyBuilder => policyBuilder.RequireClaim("CEO", "true"));
    });

and due to the CEO <> client_CEO mismatch, it was returning a 403 error. I can get around this pretty simply by looking for client_CEO, but I would prefer to understand how client_ is being prepended to my claim.

Asked Mar 08 '23 01:03 by David Jacobsen
1 Answer

These get automatically prefixed by IdentityServer4, but you can turn off the prefixing with the PrefixClientClaims = false (boolean property on the Client).

Here is the source code from the DefaultClaimService in IdentityServer4: https://github.com/IdentityServer/IdentityServer4/blob/295026919db5bec1b0c8f36fc89e8aeb4b5a0e3f/src/IdentityServer4/Services/DefaultClaimsService.cs

    if (request.Client.PrefixClientClaims)
    {
        claimType = "client_" + claimType;
    }

UPDATE: From IdentityServer4 v2 and above, the bool property PrefixClientClaims was replaced by the string property ClientClaimsPrefix, which allows you to configure a prefix of your choice.

    if (request.Client.ClientClaimsPrefix.IsPresent())
    {
        claimType = request.Client.ClientClaimsPrefix + claimType;
    }
Answered Mar 11 '23 06:03 by travis.js
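The following is an added example, not code from the question or the answer, showing one way to keep the client configuration and the API's authorization policy from drifting apart on this prefix. It assumes IdentityServer4 v2 or later (so the Client exposes the string property ClientClaimsPrefix and the ICollection<Claim> property Claims), and the class names ClaimNames, Clients and ApiAuthorization are this example's own. The prefix is stated once as a constant and the policy derives its claim type from it, so a policy written against the unprefixed "CEO" cannot silently require a claim the token never carries.

```csharp
// Added example (not from the question or the answer). Assumes IdentityServer4 v2+.
using System.Collections.Generic;
using System.Security.Claims;
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

public static class ClaimNames
{
    // IdentityServer4's default prefix is "client_". It exists so that claims
    // configured on a client are not confused with claims about a user.
    // Set it to "" (or null) to issue the claim types unprefixed.
    public const string ClientClaimsPrefix = "client_";

    public const string Ceo = "CEO";

    // The claim type as it appears in the issued token.
    public static string Prefixed(string claimType) => ClientClaimsPrefix + claimType;
}

public static class Clients
{
    public static IEnumerable<Client> Get()
    {
        return new List<Client>
        {
            new Client
            {
                ClientId = "oauthClient",
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                ClientSecrets = { new Secret("superSecretPassword".Sha256()) },
                AllowedScopes = { "ControlCenter", "CC.Send" },

                // Stated explicitly, next to the claims it applies to, rather
                // than relying on the default.
                ClientClaimsPrefix = ClaimNames.ClientClaimsPrefix,

                Claims =
                {
                    new Claim(ClaimNames.Ceo, "true"),
                    new Claim(ClaimTypes.Role, "CC.Send"),
                }
            }
        };
    }
}

public static class ApiAuthorization
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            // The token carries "client_CEO", so that is what the policy requires.
            // Derived from the same constant as the server configuration, so a
            // change to the prefix updates both sides together.
            options.AddPolicy(
                "CanSendiSuiteProfiles",
                policy => policy.RequireClaim(ClaimNames.Prefixed(ClaimNames.Ceo), "true"));
        });
    }
}
```

Two practical notes. First, setting ClientClaimsPrefix to an empty string makes the introspection result show "CEO" instead of "client_CEO", which would let the original policy work unchanged, but it also removes the only marker that distinguishes a claim configured on the client from a claim asserted about a user; keeping the prefix and matching it in the policy is the more conservative choice. Second, IdentityServer4 only emits client claims for the client credentials flow by default; for other grant types the Client's AlwaysSendClientClaims property must be set to true, which is worth checking before concluding that a missing claim is a prefix problem.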