IdentityServer4 How to access user email

I've inherited an existing project and I'm new to using IdentityServer4 so bear with me.

I'm getting a token with a GET request as follows:


Then we've tried retrieving the member information with the access_token provided by the response using it as a bearer token. Which seems to work, however here is the part I'm stuck on:

Inside the API the following code returns a GUID representing the logged in user instead of an email.

Claim cl = this.User.Claims.FirstOrDefault(x => x.Type == "sub");

What do I need to change to allow the sub to provide the email of the logged in user?

I've tried adding email or profile as you can see above to the scope that just yields entries in my list of claims with the name "scope" and value "email".


It seems like I need to update the scope when generating the token somehow. All the examples I see online use in memory settings where as I get settings from the database. When I call the userinfo endpoint on te API I am also only able to access the "sub" e.g.

    "sub": "xx"


  • On the IdentityServer side, in your Config class, when you are defining the allowed scopes, make sure it includes email like this:

     AllowedScopes = new List<string>

    Then on your client's side, on the startup class, you want to include the email in the scope as well (in your app.UseOpenIdConnectAuthentication method).

     Scope = "openid profile email",

    At that point, the email should be accessible when you step through your code on the client side in User.Identity.Claims.

    Now, if you want to go one step further, and use the email as the "UserID" when in your client application (instead of the Guid sub), then you can add the following to the app.UseOpenIdConnectAuthentication method on the client:

     TokenValidationParameters = {
          NameClaimType = "email"