Tags: c#, .net, asp.net-identity, identityserver3

How to create additional parameters for IdentityServer3 grant_type:password


I have IdentityServer3 spun up and working with AspNetIdentity and IdentityManager. I've created a JS client based on the samples for resource owner flow. My AspNetIdentity implementation is customized in such a way that the user store has a foreign key to an organization table. The Organization table acts as a Tenant table because our IdentityServer and WebApi will be multi-tenant. When the user logs in, I need to pass into the request additional parameters that specify the user's tenant id. Once I get the tenant id I'll override the AuthenticateLocalAsync to look up the tenant information for the user.

I'm stuck on passing the additional tenant id or other parameters on the grant_type:password. I've tried to pass in the acr_values array but I'm not sure I'm doing all this the correct way.

And any additional information on a good explanation of scopes, claims, roles, etc. would be a big help because it's all still fuzzy.

Here is the client on idsvr

    // Resource owner password credentials client (client id + secret, no browser redirect)
    new Client
    {
        ClientId = "tleweb",
        ClientName = "TLE Web Client",
        ClientSecrets = new List<Secret>
        {
            new Secret("secret".Sha256())
        },
        Enabled = true,
        Flow = Flows.ResourceOwner,
        RequireConsent = false,
        AllowRememberConsent = true,
        RedirectUris = new List<string>() { "https://localhost:13048/account/signInCallback" },
        PostLogoutRedirectUris = new List<string>() { "https://localhost:13048/" },
        AllowedScopes = new List<string>()
        {
            Constants.StandardScopes.OpenId,
            Constants.StandardScopes.Profile,
            Constants.StandardScopes.Email,
            "read",
            "write",
            "tenant_id" // custom scope intended to carry the tenant claim
        },
        AllowedCorsOrigins = new List<string>
        {
            "http://localhost:13048"
        },
        AccessTokenType = AccessTokenType.Jwt,
        AccessTokenLifetime = 3600,
        AbsoluteRefreshTokenLifetime = 86400,
        SlidingRefreshTokenLifetime = 43200,
        RefreshTokenUsage = TokenUsage.OneTimeOnly,
        RefreshTokenExpiration = TokenExpiration.Sliding
    }

Here is the js client code

    // token, tokenUrl, client_id, client_secret and showToken are defined elsewhere in the page
    function getToken() {
        var uid = document.getElementById("username").value;
        var pwd = document.getElementById("password").value;

        var xhr = new XMLHttpRequest();
        xhr.onload = function (e) {
            console.log(xhr.status);
            console.log(xhr.response);

            var response_data = JSON.parse(xhr.response);
            if (xhr.status === 200 && response_data.access_token) {
                token = response_data.access_token;
            }

            showToken(response_data);
        };
        xhr.open("POST", tokenUrl);
        var data = {
            username: uid,
            password: pwd,
            // acr_values is a space-separated string per OpenID Connect, not an array
            acr_values: "1",
            grant_type: "password",
            scope: "openid profile read write tenant_id"
        };
        // Serialize as application/x-www-form-urlencoded
        var body = "";
        for (var key in data) {
            if (body.length) {
                body += "&";
            }
            body += key + "=";
            body += encodeURIComponent(data[key]);
        }
        xhr.setRequestHeader("Authorization", "Basic " + btoa(client_id + ":" + client_secret));
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        xhr.send(body);
    }

Solution

  • Found it! Use the acr_values parameter on the request

    https://identityserver.github.io/Documentation/docsv2/endpoints/authorization.html
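To make the accepted answer concrete for the question's setup, here is an added example (not code from the question, the answer, or IdentityServer3 itself) that builds the grant_type=password request with the tenant carried in acr_values, then mirrors what the server side has to do with it. It assumes, as I understand IdentityServer3's token request validator, that acr_values is read as a space-separated list and that an entry prefixed `tenant:` is the well-known tenant value surfaced as SignInMessage.Tenant in AuthenticateLocalAsync, with the remaining entries left in SignInMessage.AcrValues; check that against your IdentityServer3 version. The function names, the `sampleUsers` store and the credentials in it are constructed for the example and stand in for the AspNetIdentity user store (a real store holds password hashes, not plaintext).

```javascript
// Added example: tenant id in acr_values for the resource owner password grant.
// Assumption (labelled): IdentityServer3 treats a "tenant:<id>" entry in
// acr_values as the well-known tenant value (SignInMessage.Tenant).
const TENANT_PREFIX = "tenant:";

// Build the x-www-form-urlencoded body for grant_type=password. The tenant is
// encoded into acr_values rather than sent as a made-up form field, because
// acr_values is the parameter the token endpoint actually reads.
function buildTokenRequestBody({ username, password, tenantId, scope, extraAcrValues = [] }) {
  if (!tenantId) {
    throw new Error("tenantId is required for a multi-tenant login");
  }
  // OpenID Connect defines acr_values as a space-separated string.
  const acrValues = [TENANT_PREFIX + tenantId, ...extraAcrValues].join(" ");
  const params = { grant_type: "password", username, password, scope, acr_values: acrValues };
  return Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
}

// Parse a form body back into an object: what the token endpoint receives.
function parseFormBody(body) {
  const out = {};
  for (const pair of body.split("&")) {
    if (!pair) continue;
    const idx = pair.indexOf("=");
    const k = decodeURIComponent(pair.slice(0, idx).replace(/\+/g, " "));
    const v = decodeURIComponent(pair.slice(idx + 1).replace(/\+/g, " "));
    out[k] = v;
  }
  return out;
}

// Mirror of the assumed server-side split: pull the well-known tenant entry
// out of acr_values and keep the rest (SignInMessage.Tenant / .AcrValues).
function extractTenant(acrValuesRaw) {
  const values = (acrValuesRaw || "").split(" ").filter(Boolean);
  const tenantEntry = values.find((v) => v.startsWith(TENANT_PREFIX));
  return {
    tenant: tenantEntry ? tenantEntry.slice(TENANT_PREFIX.length) : null,
    acrValues: values.filter((v) => v !== tenantEntry),
  };
}

// The check AuthenticateLocalAsync still owns: the tenant in acr_values is
// chosen by the client, so it only selects which tenant to look the user up
// in; the user's organization FK in the store decides whether it is allowed.
// userStore is a constructed in-memory stand-in for the AspNetIdentity store.
function authenticateLocal(userStore, username, password, tenant) {
  const user = userStore.find((u) => u.username === username);
  if (!user || user.password !== password) return { ok: false, error: "invalid_grant" };
  if (String(user.organizationId) !== String(tenant)) return { ok: false, error: "invalid_grant" };
  return { ok: true, subject: user.id, tenant: user.organizationId };
}

// Constructed sample users (plaintext passwords only for the example).
const sampleUsers = [
  { id: "u1", username: "alice", password: "pw-alice", organizationId: 42 },
  { id: "u2", username: "bob", password: "pw-bob", organizationId: 7 },
];

// End-to-end: client builds the body, server parses it, splits acr_values,
// and authenticates the user against the tenant it claimed.
function demo() {
  const body = buildTokenRequestBody({
    username: "alice", password: "pw-alice", tenantId: 42,
    scope: "openid profile read write tenant_id",
  });
  const form = parseFormBody(body);
  const { tenant, acrValues } = extractTenant(form.acr_values);
  const result = authenticateLocal(sampleUsers, form.username, form.password, tenant);
  return { body, tenant, acrValues, result };
}
```

Two points worth keeping in mind with the question's client: the tenant in acr_values is client-chosen, so it should select which tenant the user is checked against and never grant access by itself (the `authenticateLocal` stand-in shows the membership check); and a browser JavaScript client that sends `client_secret` in the Basic header is in effect a public client, so that secret adds no protection and should not be relied on.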