Search code examples

How to request User Info from IdentityServer4

I have a basic log-in flow using the ResourceOwnerPassword grant type. The user can log-in, have their password validated and gets a token that they can use to access the API. I'm now trying to pass a claim back to the client so that I can determine what kind of user I'm dealing with, but I'm getting an error that I believe to be an issue with the scope of the client (although I can't see what).

The code below is abridged to avoid pages and pages of code, but I believe it contains everything relevant. This is the identity server set-up:


The helper methods:

internal static IEnumerable<Client> GetClients()
    var clients = new List<Client>
        new Client
            ClientId = "MyClientApp",                    
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,                    
            ClientSecrets =
                new Secret("secret".Sha256())
            AllowedScopes =

internal static IEnumerable<IdentityResource> GetIdentityResources()
    return new List<IdentityResource> {
        new IdentityResource {
            Name = "Role",
            UserClaims = new List<string> { JwtClaimTypes.Role },


internal static List<TestUser> GetUsers()
    var users = new List<TestUser>
            new TestUser
                SubjectId = Guid.NewGuid(),
                Username = "user",
                Password = "pass",
                Claims = new List<Claim>()
                    new Claim(JwtClaimTypes.Role, "Role1")

The idea is to return Role1 to the client. Here's the client code:

_discoveryResponse = await _httpClient.GetDiscoveryDocumentAsync(new DiscoveryDocumentRequest
    Address = "https://localhost:5021",               
    Policy =
        ValidateIssuerName = false,

var response = await _httpClient.RequestPasswordTokenAsync(new PasswordTokenRequest
    Address = _discoveryResponse.TokenEndpoint,
    ClientId = "MyClientApp",
    ClientSecret = "secret",
    Scope = "openid Role myApi",
    UserName = username,
    Password = password

if (response.IsError)
    return false;  // When specifying openid, get invalid scope here

_accessToken = response.AccessToken;                                    

. . . 

var userInfo = await _httpClient.GetUserInfoAsync(new UserInfoRequest()
    Address = _discoveryResponse.UserInfoEndpoint,
    Token = _accessToken

// userInfo is returning "Forbidden" here.


When specifying openid in the scope, I get the following error in the Identity Server logs:

fail: IdentityServer4.Validation.ScopeValidator[0] Requested scope not allowed: openid


  • You need to add at least openid scope when you request a token. Changing code like below probably solves the problem.

    var clients = new List<Client>
        new Client
            ClientId = "MyClientApp",                    
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,                    
            ClientSecrets =
                new Secret("secret".Sha256())
            AllowedScopes =
    var response = await _httpClient.RequestPasswordTokenAsync(new PasswordTokenRequest
        Address = _discoveryResponse.TokenEndpoint,
        ClientId = "MyClientApp",
        ClientSecret = "secret",
        Scope = "openid Role myApi",
        UserName = username,
        Password = password

    You can see source code part from