I have a sample Auth server set up using Thinktecure.IdentityServer.v3 which also has the Thinktecture.IdentityManager plugged in. I am also using asp.net Identity and Entity Framework, so I have the associated plugins from Thinktecture wired up too. Relevant NuGet packages below
<package id="Thinktecture.IdentityManager" version="1.0.0-beta3" targetFramework="net451" />
<package id="Thinktecture.IdentityManager.AspNetIdentity" version="1.0.0-beta3" targetFramework="net451" />
<package id="Thinktecture.IdentityModel.Core" version="1.3.0" targetFramework="net451" />
<package id="Thinktecture.IdentityServer.v3" version="1.0.0-rc" targetFramework="net451" />
<package id="Thinktecture.IdentityServer.v3.AspNetIdentity" version="1.0.0-rc" targetFramework="net451" />
<package id="Thinktecture.IdentityServer.v3.EntityFramework" version="1.0.0-rc" targetFramework="net451" />
I have registered IdentityManager and IdentityServer as per the sample projects included in the IdentityServer samples repo.
I have created a user successfully using the IdentityManager and have created a role claim named 'Admin'. I have added the user to this role / claim.
Using the 'JavaScript Implicit Client' from the Clients sample, I am logging in via my Auth server with the correct credentials. I am challenged as I should be, then returned successfully to the client application with the identity token.
The JavaScript Implicit Client allows you to view the contents of your Identity token. There is no list of 'role' claims present in the token... which I understand as these claims are asp.net Identity specific.
My question really is... how do I include these role claims in an identity token?
Do I need to create a custom scope named 'roles', apply a ClaimsRule to return claims of type 'role' and then try and implement that ClaimsRule in a custom ClaimsProvider? If so, I haven't seen how we can implement a ClaimsRule correctly in any documentation.
The fact that asp.net Identity seems to be intended to be supported out-of-the-box after RTM... maybe there is an easier way?
If any additional information or samples of config are required, I can provide them :)
As it turns out... there is an easier way (and is provided out-of-the-box currently)
StandardScopes.Roles is provided as a predefined scope.
Add this to your Scopes collection and also to the ScopeRestrictions of your Client.
Now the client needs to add 'roles' to the scope parameter when requesting an id token.
This probably was very self explanatory but I missed it as it was not in the Samples repo (that I saw) or in any documentation. Hopefully this helps any other newbs having a poke round with this great product