I'm using Identity Server 4 and Implicit grant type. I have a SPA which makes authorization request to IS4 with response_type: 'id_token token'.
I have a simple implementation of IProfileService with a GetProfileDataAsync method:
/// <summary>
/// Supplies the claims IdentityServer issues for this subject. Forwards the subject's
/// claims through <c>AddRequestedClaims</c> and then appends two fixed custom claims,
/// independent of which token or endpoint is being built.
/// </summary>
/// <param name="context">The profile request; its <c>IssuedClaims</c> list is populated in place.</param>
/// <returns>A completed task; all work is synchronous.</returns>
public virtual Task GetProfileDataAsync(ProfileDataRequestContext context)
{
    context.AddRequestedClaims(context.Subject.Claims);

    // Both custom claims are issued unconditionally, so they end up in every token
    // and in the userinfo response alike.
    var extraClaims = new[]
    {
        new Claim("custom1", "custom1"),
        new Claim("custom2", "custom2"),
    };
    foreach (var claim in extraClaims)
    {
        context.IssuedClaims.Add(claim);
    }

    return Task.CompletedTask;
}
And it works OK; I receive an access_token and an id_token. But they both contain my custom claims.
How can I include in access_token only "custom1" claim, but in id_token both "custom1" and "custom2" claims?
OK, thanks to Ruard van Elburg, I was able to do it. The correct answer is:
And code:
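/// <summary>
/// Supplies the claims IdentityServer issues for this subject, varying the set by which
/// token or endpoint is being built (<c>context.Caller</c>): the access token receives only
/// <c>custom1</c>; the identity token and the userinfo endpoint receive <c>custom1</c> and
/// <c>custom2</c>.
/// </summary>
/// <param name="context">The profile request; its <c>IssuedClaims</c> list is populated in place.</param>
/// <returns>A completed task; all work is synchronous.</returns>
/// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
public Task GetProfileDataAsync(ProfileDataRequestContext context)
{
    if (context is null)
    {
        throw new ArgumentNullException(nameof(context));
    }

    context.AddRequestedClaims(context.Subject.Claims);

    // A switch on a string compares ordinally, which is the right comparison for these
    // caller identifiers, and it lets the two callers that share a claim set share one branch.
    switch (context.Caller)
    {
        case "ClaimsProviderAccessToken":
            // Access token: custom2 is deliberately left out so it is not carried in the bearer token.
            context.IssuedClaims.Add(new Claim("custom1", "custom1"));
            break;

        case "ClaimsProviderIdentityToken":
        case "UserInfoEndpoint":
            // Identity token and userinfo issue the same claims, so the two lists can no longer drift apart.
            // NOTE: because userinfo returns custom2, any holder of the access token can still
            // obtain it through the userinfo endpoint; if custom2 must stay hidden from APIs,
            // it has to be removed from the "UserInfoEndpoint" case as well.
            context.IssuedClaims.Add(new Claim("custom1", "custom1"));
            context.IssuedClaims.Add(new Claim("custom2", "custom2"));
            break;

        // Any other caller value gets only the requested claims, as in the original.
    }

    return Task.CompletedTask;
}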