How to add grant type into access token in IdentityServer4?
I need to know the client's grant type (or OAuth Flow type) in my API protected by IdentitySrever4, but not sure how to do that. I am assuming that I need to add the grant type to the access token. Can someone help me by pointing me to instructions/documentations or sample code?
UPDATE
Under standard IdentityServer4 EF model, my SQL Server data store has a ClientGrantTypes table and a ClientClaims table (see screenshot below). I am assuming that I need to create a ClientClaims record that ties into ClientGrantTypes. If it is SQL, you can just join the tables on ClientID, but how do you implement it here to get the Grant Type into access token?
It would be easier to find the answer if you explained the purpose for the requirement.
From my experience one common task is to distinguish authorization_code and client_credentials flow use for the same client, but that's easy: the second one does not contain user information (sub and sid claims).
Also don't forget about restricted auth flow combinations in Identityserver (for instance you can't allow both implicit and authorization_code flow for the same client), so one client is usually bound to the only user interactive flow.
Finally, the auth flow is generally not about API. It's only about interaction among IdP and Client. API usually use scopes as general information about clients, so... when you have two clients -- one with implicit grant and the other with authorization_code, you can distinguish which one is in use by setting different scopes.
Isn't that enough?
A check for a particular grant type could be performed in Identityserver the following way:
public class ExtendedClaimsService : DefaultClaimsService{
public override async Task<IEnumerable<Claim>> GetAccessTokenClaimsAsync(
ClaimsPrincipal subject,
ResourceValidationResult resourceResult,
ValidatedRequest request)
{
var outputClaims = (await base.GetAccessTokenClaimsAsync(subject, resourceResult, request)).ToList();
//if (request.Secret.Type == "NoSecret") //this is more or less the same
if ((request as ValidatedTokenRequest)?.GrantType != "client_credentials")
{
//filter out server-side-only scopes here
//or add any custom claim you like
}
return outputClaims;
}
}
Registration: services.AddTransient<IClaimsService, ExtendedClaimsService>(); after services.AddIdentityServer() in your Startup
- Identityserver from duende behind caddy has http in the openid config
- How to send email id when calling identity server 4 to login
- IdentityServer token issuer claim missing port number in issued JWT token
- Identity Server 4 - Unable to authenticate user
- How to find out to use best flow in IdentityServer?
- Identityserver 4 in docker compose The remote certificate is invalid according to the validation procedure
- Deploying .net Core 3 linux container on azure web app container with IdentityServer4 certification/http error
- Login to multiple Apps with IdentityServer4
- duende identity server 6.2 session managment
- Any luck in using AddMicrosoftIdentityWebApp in combination with IdentityServer4?
- .net core 3.1 Google SSO Callback url not hit
- What are stored in PersistedGrant table for IdentityServer
- .NET 8 upgrade: OIDC correlation failure with IdentityServer4 on HTTP when using machine name instead of localhost
- Login with Microsoft External Account -Issue when the user cancels the consent prompt during authentication
- Error in configuring identity server. The cookie '.AspNetCore.Identity.Application' has set 'SameSite=None' and must also set 'Secure'
- In Identity Server 4, I have a User's identity but 0 Claims
- Is there a way to connect/disconnect external OpenId providers IdentityServer 4 "on the fly"
- Clarification on Identityserver 4 protecting API scopes with ApiResources
- Exchanging azure AD token with Identity server token
- IdentityServer4 and SSO
- Invalid_client using OpenIdConnect in client application
- "Key vault reference error" in azure web app configuration setting
- why offline_access scope is needed to request refresh token in IdentityServer (OAuth2)?
- Identity Server 4 ASP.NET Quickstart 'refused connection'
- Bearer token not set as expected
- Setting up JWT authentication using the Identity Server and get access token
- ApiResource vs ApiScope vs IdentityResource
- C# .Net Core API Authorized route with Identity Server 4
- User.Identity.Name is null after local login
- Error with Identity Server and Client App