Is there a way to configure OpenIddict to return additional fields in the payload for the introspect endpoint call? Currently it only is passing back the fields active, client_id, exp, iat, iss, jti, nbf, sub, token_type, token_usage.
I confirmed that the ~/connect/authorize endpoint principal has the email claim before calling "return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);"
I confirmed that the ~/connect/token endpoint principal also has the email claim before calling "return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);"
Because of the above two statements, I would assume that the opaque token would have the email in it. Shouldn't the introspect endpoint then contain the email information in the payload?
I want to provide an email value for a 3rd party resource server to be able to identify which user the access token was issued to.
Application claims - that are potentially very sensitive - are only returned by OpenIddict 3.0 if all the following conditions are met:

1. The claims are present in the access token. This means you have to assign them the "access_token" destination before calling SignIn.
2. The application sending the introspection request was explicitly listed as a resource when calling SignIn (i.e. you called principal.SetResources("client_id of the API doing introspection")).
3. The API doing introspection was registered as a confidential client (i.e. is forced to send a valid client_secret to be able to introspect a token).
If you want to customize the introspection response, you can use the events model API:
```csharp
using static OpenIddict.Server.OpenIddictServerEvents;
using static OpenIddict.Server.OpenIddictServerHandlers.Introspection;

// Registered inside services.AddOpenIddict().AddServer(options => { ... })
options.AddEventHandler<HandleIntrospectionRequestContext>(builder =>
{
    builder.UseInlineHandler(context =>
    {
        // Every entry in context.Claims is serialized into the introspection response.
        context.Claims["key"] = 42;
        return default;
    });

    // Run after the built-in handler that copies the application claims into the response.
    builder.SetOrder(AttachApplicationClaims.Descriptor.Order + 1_000);
});
```
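The three conditions in the answer above, wired up end to end as an added example (not code from the thread or from the OpenIddict project). Assumed names: `resource_server_1` is the client_id of the introspecting API, `<api-secret>` is a placeholder for its client_secret, `https://auth.example.com/` is the assumed issuer, and the endpoint paths are the ones mentioned in the question.

```csharp
// Added example (not from the thread): satisfying the three conditions for application
// claims such as "email" to appear in the introspection response.
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using OpenIddict.Abstractions;
using OpenIddict.Server.AspNetCore;
using static OpenIddict.Abstractions.OpenIddictConstants;

public static class IntrospectionSetup
{
    // Authorization server: expose the introspection endpoint and the "email" scope.
    public static void ConfigureServer(IServiceCollection services)
    {
        services.AddOpenIddict()
            .AddServer(options =>
            {
                options.SetAuthorizationEndpointUris("/connect/authorize")
                       .SetTokenEndpointUris("/connect/token")
                       .SetIntrospectionEndpointUris("/connect/introspect");
                options.RegisterScopes(Scopes.Email);
                options.UseAspNetCore()
                       .EnableAuthorizationEndpointPassthrough()
                       .EnableTokenEndpointPassthrough();
            });
    }

    // Condition 3: the API is a confidential client (must send client_secret)
    // that is permitted to call the introspection endpoint. Run once at startup.
    public static async Task RegisterResourceServerAsync(IOpenIddictApplicationManager manager)
    {
        if (await manager.FindByClientIdAsync("resource_server_1") is null)
        {
            await manager.CreateAsync(new OpenIddictApplicationDescriptor
            {
                ClientId = "resource_server_1",
                ClientSecret = "<api-secret>", // placeholder, assumed value
                Type = ClientTypes.Confidential,
                Permissions = { Permissions.Endpoints.Introspection }
            });
        }
    }

    // Conditions 1 and 2: built in the authorize/token endpoint right before
    // SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme).
    public static ClaimsPrincipal BuildPrincipal(string subject, string email)
    {
        var identity = new ClaimsIdentity(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
        identity.AddClaim(new Claim(Claims.Subject, subject));
        identity.AddClaim(new Claim(Claims.Email, email));

        var principal = new ClaimsPrincipal(identity);
        principal.SetScopes(Scopes.OpenId, Scopes.Email);

        // Condition 2: the resource name must equal the introspecting client's client_id.
        principal.SetResources("resource_server_1");

        // Condition 1: give each claim the "access_token" destination.
        foreach (var claim in principal.Claims)
        {
            claim.SetDestinations(GetDestinations(claim));
        }
        return principal;
    }

    private static IEnumerable<string> GetDestinations(Claim claim)
    {
        switch (claim.Type)
        {
            case Claims.Email:
                // Without this destination the email never reaches the access token,
                // so it can never be returned by the introspection endpoint.
                yield return Destinations.AccessToken;
                yield return Destinations.IdentityToken;
                yield break;
            default:
                yield return Destinations.AccessToken;
                yield break;
        }
    }

    // Resource server side: validate opaque tokens by introspection, authenticating
    // with the confidential client credentials registered above.
    public static void ConfigureResourceServer(IServiceCollection services)
    {
        services.AddOpenIddict()
            .AddValidation(options =>
            {
                options.SetIssuer("https://auth.example.com/"); // assumed issuer
                options.AddAudiences("resource_server_1");
                options.UseIntrospection()
                       .SetClientId("resource_server_1")
                       .SetClientSecret("<api-secret>"); // placeholder, assumed value
                options.UseSystemNetHttp();
                options.UseAspNetCore();
            });
    }
}
```

With this in place the introspection response for a token issued through `BuildPrincipal` carries `email` alongside the standard fields, and the resource server sees it as a claim on the authenticated user. If any one of the three conditions is missing (no destination, resource name not matching the client_id, or a public client calling introspection), OpenIddict 3.0 silently omits the application claims rather than failing the request, so check all three when a claim does not show up.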