With IdentityServer 4 v4.0 and Asp.Net Core Identity 3.1 I get the claims after login:
sub: 1
http://schemas.microsoft.com/ws/2008/06/identity/claims/role: Admin
preferred_username: [email protected]
name: [email protected]
email: [email protected]
email_verified: true
amr: pwd
idp: local
auth_time: 1592937212
But in OIDC Client JS which I used to login I get:
sub: "1"
preferred_username: "[email protected]"
name: "[email protected]"
email: "[email protected]"
email_verified: true
amr: ["pwd"] (1)
idp: "local"
auth_time: 1592937212
claim is the email and not the user name?On the OIDC Client the settings are:
const settings : UserManagerSettings = {
automaticSilentRenew: true,
authority: this.environment.authAuthorityUrl,
client_id: 'spa',
filterProtocolClaims: true,
loadUserInfo: true,
post_logout_redirect_uri: this.environment.authPostLogoutRedirectUrl,
redirect_uri: this.environment.authRedirectUrl,
response_mode: 'query',
response_type: 'code',
scope: 'openid profile email offline_access api',
silent_redirect_uri: this.environment.authSilentRedirectUrl
On the ASP.NET Core 3.1 Startup I have:
And the IdentityConfiguration class is:
public class IdentityConfiguration {
public static List<ApiResource> GetApiResources() {
return new List<ApiResource> {
new ApiResource("api", "API Resource")
public static List<ApiScope> GetApiScopes() {
return new List<ApiScope> {
new ApiScope("api", "api")
public static List<IdentityResource> GetIdentityResources() {
return new List<IdentityResource> {
new IdentityResources.OpenId(),
new IdentityResources.Profile(),
new IdentityResources.Email()
public static List<Client> GetClients(IConfiguration configuration) {
Settings settings = configuration.Get<Settings>();
return new List<Client> {
new Client {
ClientId = "spa",
ClientName = "SPA Client",
AllowAccessTokensViaBrowser = true,
AllowedGrantTypes = GrantTypes.Code,
AllowOfflineAccess = true,
RequireClientSecret = false,
RequireConsent = false,
RequirePkce = true,
AccessTokenType = AccessTokenType.Jwt,
AccessTokenLifetime = 3600,
IdentityTokenLifetime = 360,
RefreshTokenUsage = TokenUsage.ReUse,
AlwaysSendClientClaims = true,
UpdateAccessTokenClaimsOnRefresh = true,
AlwaysIncludeUserClaimsInIdToken = true,
AllowedScopes = {
AllowedCorsOrigins = settings.Path.AllowedCorsOrigins,
PostLogoutRedirectUris = settings.Path.PostLogoutRedirectUris,
RedirectUris = settings.Path.RedirectUris
Update 1
I created the user using UserManager as follows:
var user = new User {
// User properties
var claims = new List<Claim> {
new Claim(ClaimTypes.Role, "Admin")
await userManager.CreateAsync(user, password);
foreach (var claim in claims)
await userManager.AddClaimAsync(user, claim);
I checked the database and the User is created and the Claim saved in UserClaims table.
Update 2
To include User's FullName I implemented IdentityService's IProfileService:
public class ProfileService : IProfileService {
protected UserManager<User> _userManager;
public ProfileService(UserManager<User> userManager) {
_userManager = userManager;
public async Task GetProfileDataAsync(ProfileDataRequestContext context) {
User user = await _userManager.GetUserAsync(context.Subject);
List<Claim> claims = new List<Claim> {
new Claim(JwtClaimTypes.Name, user.Name),
public async Task IsActiveAsync(IsActiveContext context) {
User user = await _userManager.GetUserAsync(context.Subject);
context.IsActive = (user != null) && user.IsActive;
This also does something strange. The server Claims are the same:
sub: 1
http://schemas.microsoft.com/ws/2008/06/identity/claims/role: Admin
preferred_username: [email protected]
name: [email protected]
email: [email protected]
email_verified: true
amr: pwd
idp: local
auth_time: 1592937212
And the Client claims become:
sub: 1
name: John Smith
amr: pwd
idp: local
auth_time: 1592937212
So the Server Claims don't get the Name changed and the Client Claims loose all the emails and preferred_username but get the correct Name.
The Role keeps showing on Server but not on Client.
by JwtClaimTypes.Role
In your ProfileService
constructor inject IUserClaimsPrincipalFactory
and apply the following changes to your GetProfileDataAsync()
private readonly IUserClaimsPrincipalFactory<User> _claimsFactory;
private readonly UserManager<User> _userManager;
public ProfileService(UserManager<User> userManager, IUserClaimsPrincipalFactory<IdentityUser> claimsFactory)
_userManager = userManager;
_claimsFactory = claimsFactory;
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
var sub = context.Subject.GetSubjectId();
var user = await _userManager.FindByIdAsync(sub);
var principal = await _claimsFactory.CreateAsync(user);
var claims = principal.Claims.ToList();
context.IssuedClaims = claims;