Token-Based Security, OAuth, OIDC, IdentityServer – Part 5
In this article, we will cover how to work with user claims and the userInfo endpoint.
In the previous post of this series, we saw the different flows for getting a token from IdentityServer, passed those tokens in the Authorization header of our HTTP calls, and the client application was able to get the data as expected.
Today, we will continue our journey and learn more about users and claims. If you are new to IdentityServer, I suggest reading the previous posts in this series for some background.
Earlier, we set up a couple of test users in IdentityServer (in the Config.cs file). Here is the part of that setup for one of the users:
Also, in the previous post, we made a REST call and got the following information as the result:
Notice that the given_name, family_name, email, and role claims are missing from that result.
We could include these claims in the id_token, but with too much information in it the id_token can become quite large. So we are going to get these claims another way: by presenting the access token to the UserInfo endpoint.
To work with claims, the workflow is simple:
- Set up IdentityResources for the different claims.
- Configure the client's AllowedScopes for those claims.
- Request the claims from the UserInfo endpoint using the client.
Set Up Identity Resources
I have also updated the IdentityResources with the following:
Next, configure the client's AllowedScopes as shown below (I am intentionally leaving out the email scope for this client for now):
So, at this point, we have defined the IdentityResources and the AllowedScopes, and we have left the email scope out of the client configuration.
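To make the relationship between the three pieces of server-side configuration concrete, here is what they look like together in an IdentityServer4 Config.cs. This is an added example, not the Config.cs from the post's repository: the client id, client secret, user name, password and claim values are made-up assumptions, and the email scope is deliberately left out of AllowedScopes at this stage, exactly as the post does. It assumes the IdentityServer4 and IdentityModel NuGet packages.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using IdentityModel;                 // JwtClaimTypes
using IdentityServer4;               // IdentityServerConstants
using IdentityServer4.Models;
using IdentityServer4.Test;

// Added example configuration for IdentityServer4 (not the post's own Config.cs).
// Every identifier, secret and user value below is an illustrative assumption.
public static class Config
{
    // 1. IdentityResources: each scope maps to the user claims it is allowed to release.
    //    "openid" releases sub, "profile" releases given_name/family_name/etc.,
    //    "email" releases email, and the custom "role" resource releases the "role" claim.
    public static IEnumerable<IdentityResource> GetIdentityResources() =>
        new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
            new IdentityResources.Email(),
            new IdentityResource("role", "User roles", new[] { JwtClaimTypes.Role })
        };

    // 2. Client: the token endpoint only grants scopes listed in AllowedScopes.
    //    "email" is intentionally absent; a token request that asks for it is
    //    rejected with invalid_scope until it is added to this list.
    public static IEnumerable<Client> GetClients() =>
        new List<Client>
        {
            new Client
            {
                ClientId = "idpdemo.httpclient",                        // assumed client id
                ClientSecrets = { new Secret("demo-secret".Sha256()) }, // assumed secret
                AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "role"
                    // IdentityServerConstants.StandardScopes.Email is added later in the post
                }
            }
        };

    // 3. Test user carrying the claims that the resources above can release.
    //    A claim that exists on the user but is not covered by a granted scope
    //    is never returned from the userinfo endpoint.
    public static List<TestUser> GetUsers() =>
        new List<TestUser>
        {
            new TestUser
            {
                SubjectId = "1",
                Username = "alice",        // assumed user name
                Password = "Pass123$",     // assumed password (test users only)
                Claims = new List<Claim>
                {
                    new Claim(JwtClaimTypes.GivenName, "Alice"),
                    new Claim(JwtClaimTypes.FamilyName, "Smith"),
                    new Claim(JwtClaimTypes.Email, "alice@example.com"),
                    new Claim(JwtClaimTypes.Role, "admin")
                }
            }
        };
}
```

In Startup the three collections are wired up with `services.AddIdentityServer().AddInMemoryIdentityResources(Config.GetIdentityResources()).AddInMemoryClients(Config.GetClients()).AddTestUsers(Config.GetUsers())`. The point to check when a claim does not show up is that all three gates agree: the resource must map the scope to the claim, the client must be allowed the scope, and the client must actually ask for it.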
Next, we will create a new controller method in the IDPDemoApp.HttpClient project, which will call the UserInfo endpoint on IdentityServer to get the claims.
Returning Claims From userInfo Endpoint
The following code is mostly the same as what we discussed in the previous post, so I won't go into those details. Notice the Scope part: here we are requesting these scopes (I have left out role and email intentionally).
Once we get the token, we can call the UserInfo endpoint as shown below:
Here is the output of this operation:
As you can see, we are not getting the email and role claims, but we are getting the profile and OpenID claims.
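The token request and the UserInfo call, written out end to end as an added example rather than the post's own controller. It uses the IdentityModel client extensions (`GetDiscoveryDocumentAsync`, `RequestPasswordTokenAsync`, `GetUserInfoAsync`); the IdentityServer address, client id, client secret and user credentials are assumptions and must match whatever is configured on the server. It also shows the two failure modes a practitioner should expect: a scope that the client is not allowed is refused by the token endpoint, and a scope that is allowed but not requested simply yields no claims.

```csharp
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;
using Microsoft.AspNetCore.Mvc;

// Added example controller (not the post's own code). Authority, client id/secret
// and user credentials are illustrative assumptions that must match the server's Config.cs.
public class ClaimsController : Controller
{
    private const string Authority = "https://localhost:5000";   // assumed IdentityServer URL

    public async Task<IActionResult> UserInfo()
    {
        var http = new HttpClient();

        // Discover the endpoints instead of hard-coding /connect/token and /connect/userinfo.
        var disco = await http.GetDiscoveryDocumentAsync(Authority);
        if (disco.IsError)
            return StatusCode(500, $"discovery failed: {disco.Error}");

        // Request a token. A scope is granted only if it is defined as an IdentityResource
        // AND listed in the client's AllowedScopes. "openid" is required for the access
        // token to be accepted at the userinfo endpoint. "role" and "email" are left out
        // here on purpose, as in the post, so their claims will not be returned.
        var tokenResponse = await http.RequestPasswordTokenAsync(new PasswordTokenRequest
        {
            Address = disco.TokenEndpoint,
            ClientId = "idpdemo.httpclient",
            ClientSecret = "demo-secret",
            UserName = "alice",
            Password = "Pass123$",
            Scope = "openid profile"
        });
        if (tokenResponse.IsError)
        {
            // Asking for a scope outside AllowedScopes is rejected with "invalid_scope";
            // it is never silently dropped, so surface the error instead of continuing.
            return StatusCode(400, $"{tokenResponse.Error}: {tokenResponse.ErrorDescription}");
        }

        // Present the access token to the userinfo endpoint. The claims that come back
        // are limited to those released by the scopes the token actually carries.
        var userInfo = await http.GetUserInfoAsync(new UserInfoRequest
        {
            Address = disco.UserInfoEndpoint,
            Token = tokenResponse.AccessToken
        });
        if (userInfo.IsError)
            return StatusCode(400, $"userinfo failed: {userInfo.Error}");

        // With Scope = "openid profile" this holds sub, given_name, family_name and the
        // other profile claims the user has, but no email or role claim.
        var claims = userInfo.Claims.Select(c => new { c.Type, c.Value }).ToList();
        return Json(claims);
    }
}
```

Once the email scope is added to the client's AllowedScopes on the server, changing the request to `Scope = "openid profile email role"` is all that is needed for the email and role claims to appear in the same response. The password grant is used here because that is what the post's client uses; keep in mind that the OAuth 2.0 Security Best Current Practice discourages it for new clients, since the client handles the user's password directly, and the authorization code flow with PKCE is the preferred choice for interactive applications.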
Requesting Role and Email Information
Let's update the client configuration's AllowedScopes with the email scope (the role scope is already there). The client can only be granted the scopes listed in its AllowedScopes property.
Next, the Scope value in the code can request those scopes:
With these configuration updates, the REST call will now return the information shown below:
In this post, we saw how to configure IdentityServer's IdentityResources, the client's AllowedScopes, and the scopes in the PasswordTokenRequest so that the UserInfo endpoint returns the claims we need.
We will resume our learning in the next post in this series. You can download the source code from this git repository. Let me know if you have any comments or questions. Till next time, happy coding.
Published at DZone with permission of Jawad Hasan Shani. See the original article here.