oidc-client-js is not getting claims correctly from Identity Server 4

I have a local instance of Identity Server 4 and I'm trying to follow this guide to create a Javascript client. This uses the oidc-client-js library and I'm using the signin popup approach so my sign in event handler looks like this:

signin(e) {
    e.preventDefault();
    // Open the Identity Server login in a popup; the promise resolves with the
    // oidc-client-js User once the popup completes the sign-in.
    this.oidcUserMgr.signinPopup({state:'some data'}).then(function(user) {
        console.log("signed in", user.profile);
    }).catch(function(err) {
        console.log(err);
    });
}

Authentication appears to work fine - I'm redirected to my Identity Server which accepts the client request, authenticates my sign in and returns me to the client app. However, the docs say that the user.profile object in the above code should contain the user claims but it doesn't. This is the user.profile I get back:

[screenshot: the user.profile object returned by signinPopup]

The sub property is the correct ID of the user just authenticated. But my Identity Server also issued claims in response to the other scopes my client requested (profile and email), so I should be seeing claims such as name, preferred_username, email, etc. I can observe these claims being issued when debugging my IProfileService implementation in IS4. Furthermore, if I use the access_token returned with the user object to make a request to another API running locally (an ASP.NET Web API) I do see these claims in this.User.Claims:

[screenshot: this.User.Claims as seen in the ASP.NET Web API]

So how can I get hold of these claims in my Javascript code?

Tom Troughton asked Mar 12 '18 08:03


1 Answer

Those user claims are likely coming inside the ID Token. To make this work, check if you've got AlwaysIncludeUserClaimsInIdToken = true in your IDP Provider's Client configuration, like

using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

public static IEnumerable<Client> GetClients()
{
    return new List<Client>()
    {
        new Client()
        {
            ClientName = "IDP Client",
            ClientId = "client",
            ClientSecrets = { new Secret("secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.Hybrid,
            RedirectUris = new List<string>()
            {
                "http://localhost:60811/signin-oidc"
            },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "myapi"
            },
            // Put the identity claims (name, email, ...) into the ID token itself
            // rather than only exposing them through the userinfo endpoint.
            AlwaysIncludeUserClaimsInIdToken = true,
            AllowOfflineAccess = true
        }
    };
}
Alex Buyny answered Sep 20 '22 03:09
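To see for yourself whether the missing claims are absent from the ID token (the situation in the question) or merely not surfaced into user.profile, the following diagnostic is useful. It is an added example, not code from the question, the answer or the oidc-client-js project; it assumes only the shape of the User object that oidc-client-js returns (an id_token string and a profile object) and builds constructed, unsigned sample tokens inline so it runs offline. It reads the token payload for inspection only and does no signature validation, since oidc-client-js has already validated the token before signinPopup() resolves.

```javascript
// Added example (not from the question, the answer or oidc-client-js): report
// where each expected claim lives in an oidc-client-js User object.
// oidc-client-js fills `user.profile` from the ID token payload (merged with the
// userinfo response when `loadUserInfo` is enabled), so if the IdentityServer4
// client lacks AlwaysIncludeUserClaimsInIdToken, the profile/email scope claims
// are absent from the ID token and therefore from `user.profile`.

// Claims the question expects from the openid, profile and email scopes.
const EXPECTED_CLAIMS = ['sub', 'name', 'preferred_username', 'email'];

// Decode one base64url-encoded JWT segment to a UTF-8 string (Node or browser).
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  if (typeof Buffer !== 'undefined') {
    return Buffer.from(padded, 'base64').toString('utf8');
  }
  // Browser fallback: atob yields a binary string; reinterpret it as UTF-8.
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Read the payload claims of a compact JWT for diagnostics only. No signature
// check happens here, so never use this helper to decide whether to trust a token.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('expected a compact JWS: header.payload.signature');
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// For each expected claim report where it was found: 'profile' (what the app
// sees), 'id_token' (in the token but not surfaced into profile), or null.
function locateClaims(user, expectedClaims = EXPECTED_CLAIMS) {
  const idTokenClaims = user.id_token ? decodeJwtPayload(user.id_token) : {};
  const profile = user.profile || {};
  const report = {};
  for (const claim of expectedClaims) {
    if (claim in profile) report[claim] = 'profile';
    else if (claim in idTokenClaims) report[claim] = 'id_token';
    else report[claim] = null;
  }
  return report;
}

// Names of the expected claims the application cannot see anywhere.
function missingClaims(user, expectedClaims = EXPECTED_CLAIMS) {
  const report = locateClaims(user, expectedClaims);
  return expectedClaims.filter((claim) => report[claim] === null);
}

// --- Constructed sample data (hypothetical values, not real tokens) ---------
function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Builds an unsigned token shaped like an ID token, purely for this demo.
function fakeIdToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.sig-placeholder`;
}

const ISSUER = 'https://localhost:5000'; // hypothetical IdentityServer4 URL

// Mimics what the question observed: only `sub` came back.
const USER_BEFORE = {
  id_token: fakeIdToken({ iss: ISSUER, aud: 'client', sub: '42' }),
  profile: { sub: '42' },
};

// After AlwaysIncludeUserClaimsInIdToken = true: identity claims are in the
// ID token and oidc-client-js copies them into profile.
const IDENTITY_CLAIMS = {
  sub: '42', name: 'Example User', preferred_username: 'example',
  email: 'user@example.test',
};
const USER_AFTER = {
  id_token: fakeIdToken({ iss: ISSUER, aud: 'client', ...IDENTITY_CLAIMS }),
  profile: { ...IDENTITY_CLAIMS },
};

console.log('before:', locateClaims(USER_BEFORE), 'missing:', missingClaims(USER_BEFORE));
console.log('after: ', locateClaims(USER_AFTER), 'missing:', missingClaims(USER_AFTER));
```

Run it in the browser console against the real User object from signinPopup(): an all-null report for name, preferred_username and email means the claims never left the identity provider in the ID token, which is exactly what the AlwaysIncludeUserClaimsInIdToken setting above (or enabling the userinfo lookup in oidc-client-js) addresses; an 'id_token' result instead points at client-side filtering of the profile.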