TokenBased Security, OAUTH, OIDC, IdentityServer – Part 5

Introduction

In the previous post of this series, we saw different flows for getting a token from IdentityServer and then passing that token as an Authorization header in our HTTP calls, and the client application was able to get the data as expected.

Today, we will continue our journey and learn more about users and claims. If you are new to IdentityServer, I suggest reading the previous posts in this series for some background information.

Test Users

Earlier, we had set up a couple of test users in IdentityServer (Config.cs file). Here is the part of that setup for one of the users:

Also, in the previous post, when we made a REST call, the following information was shown as the result:

We can see that the given_name, family_name, email and role claims are missing from the result.

We could include these claims in the id_token, but with too much information in it the id_token can become quite large. So we are going to get these claims another way.

To work with claims, the workflow is simple:

  • Set up IdentityResources for the different claims.
  • Configure the Client's AllowedScopes for those claims.
  • Request the claims from the UserInfo endpoint using the client.

Setup Identity Resources

I have updated the IdentityResources with the following:

Configure Client

The next step is to configure the Client's AllowedScopes as shown below (I am intentionally leaving the email scope out for this client for now):

So, at this point, we have defined the IdentityResources and the AllowedScopes, and we have left the email scope out of the client configuration.

Next, we will create a new controller method in the IDPDemoApp.HttpClient project which calls the UserInfo endpoint on IdentityServer to get the claims information.

Returning Claims from UserInfo Endpoint

The following code is mostly the same as what we discussed in the previous post, so I won't go into those details. Notice the Scope part: here we are requesting these scopes (role and email are left out intentionally).

Once we get the token, we can then call UserInfo endpoint as shown below:

Here is the output of this operation:

As you can see, we are not getting the email and role claims, but we are getting the profile and openid claims.

Requesting Role and Email Information

Let's update the client configuration's AllowedScopes with the email scope (the role scope is already there). Any scope the client requests must be listed in its AllowedScopes property.

Next, the Scope value in the code can request those scopes:

With these configuration updates, the REST call now returns the information shown below:
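The whole workflow of this post in one place, as an added example written for this article and not taken from the repository: the IdentityResources, the client's AllowedScopes (with email deliberately left out, as in the first run), and the token plus UserInfo calls with IdentityModel. The client id, secret, test user, authority URL and the scope name "role" are assumed values.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;
using IdentityServer4;
using IdentityServer4.Models;
// IdentityServer side (Config.cs): claims grouped into identity resources, scopes allow-listed per client.
public static class Config
{
    public static IdentityResource[] GetIdentityResources() => new IdentityResource[]
    {
        new IdentityResources.OpenId(),   // sub
        new IdentityResources.Profile(),  // given_name, family_name, ...
        new IdentityResources.Email(),    // email, email_verified (defined, but not allowed below)
        new IdentityResource("role", "User roles", new[] { "role" }) // assumed custom scope -> "role" claim
    };
    public static Client[] GetClients() => new[]
    {
        new Client
        {
            ClientId = "idpdemo-httpclient",                    // assumed client id
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            ClientSecrets = { new Secret("secret".Sha256()) },  // assumed secret
            AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId,   // "email" deliberately left out
                              IdentityServerConstants.StandardScopes.Profile, "role" }
        }
    };
}
// Client side (IDPDemoApp.HttpClient): get a token, then call the UserInfo endpoint with it.
public static class UserInfoDemo
{
    public static async Task RunAsync(string authority = "https://localhost:5001") // assumed address
    {
        var http = new HttpClient();
        var disco = await http.GetDiscoveryDocumentAsync(authority);
        if (disco.IsError) throw new Exception(disco.Error);
        var token = await http.RequestPasswordTokenAsync(new PasswordTokenRequest
        {
            Address = disco.TokenEndpoint, ClientId = "idpdemo-httpclient", ClientSecret = "secret",
            UserName = "alice", Password = "password",   // assumed test user from Config.cs
            Scope = "openid profile role"                // add "email" only once AllowedScopes has it
        });
        // A scope outside AllowedScopes fails the whole request (invalid_scope); check before using the token.
        if (token.IsError) throw new Exception($"{token.Error}: {token.ErrorDescription}");
        var userInfo = await http.GetUserInfoAsync(new UserInfoRequest
            { Address = disco.UserInfoEndpoint, Token = token.AccessToken });
        if (userInfo.IsError) throw new Exception(userInfo.Error);
        foreach (var claim in userInfo.Claims) Console.WriteLine($"{claim.Type}: {claim.Value}");
    }
}
```

Because AllowedScopes is enforced on the server, adding "email" to the Scope string without adding it to the client configuration produces an invalid_scope error rather than a token with fewer claims.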

Summary

In this post, we saw how to configure IdentityResources in IdentityServer, the client's AllowedScopes, and the scopes in the PasswordTokenRequest so that the UserInfo endpoint returns the claims we want.

We will resume our learning in the next post in this series. You can download the source code from this git repository. Let me know if you have any comments or questions. Till next time, happy coding.
