Menu
I have a local instance of Identity Server 4 and I'm trying to follow this guide to create a Javascript client. This uses the oidc-client-js library and I'm using the signin popup approach so my sign in event handler looks like this:
signin(e) {
e.preventDefault();
this.oidcUserMgr.signinPopup({state:'some data'}).then(function(user) {
console.log("signed in", user.profile);
}).catch(function(err) {
console.log(err);
});
}
Authentication appears to work fine - I'm redirected to my Identity Server which accepts the client request, authenticates my sign in and returns me to the client app. However, the docs say that user.profile object in the above code should contain the user claims but it doesn't. This is the use.profile I get back:
The sub property is the correct ID of the user just authenticated. But my Identity Server also issued claims in response to the other scopes my client requested (profile and email) so I should be seeing claims such as name, preferred_username, email etc). I can observe these claims being issued when debugging my IProfileService implementation in IS4. Furthermore, if I use the access_token returned with the user object to make a request to another API running locally (an ASP.NET Web API) I do see these claims in this.User.Claims:
So how can I get hold of these claims in my Javascript code?
340
Oidc-client-js is a javaScript Library to provide OpenID Connect (OIDC) and OAuth 2.0 protocol support for client-side, browser-based JavaScript client applications. Oidc-client-js included is support for user session and Access Token management.
OpenID Connect (OIDC) scopes are used by an application during authentication to authorize access to a user's details, like name and picture. Each scope returns a set of user attributes, which are called claims. The scopes an application should request depend on which user attributes the application needs.
OpenID Connect (OIDC) is an authentication protocol built on OAuth 2.0 that you can use to securely sign in a user to an application.
Those user claims are likely coming inside the ID Token. To make this work, check if you've got AlwaysIncludeUserClaimsInIdToken = true in your IDP Provider's Client configuration, like
public static IEnumerable<Client> GetClients()
{
return new List<Client>()
{
new Client()
{
ClientName = "IDP Client",
ClientId = "client",
ClientSecrets = { new Secret("secret".Sha256()) },
AllowedGrantTypes = GrantTypes.Hybrid,
RedirectUris = new List<string>()
{
"http://localhost:60811/signin-oidc"
},
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
"myapi"
},
AlwaysIncludeUserClaimsInIdToken = true,
AllowOfflineAccess = true
},
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
