I'm creating a Hosted Blazor WASM app that is connecting to a Duende IdentityServer app for authentication and authorization. The Blazor Server part is functioning as BFF.
The user is assigned a role and a role has permissions. I want to add those permissions as a claim so I can use it for authorization purposes in Blazor app. I'm adding the permissions in a "PermissionsClaimsPrincipalFactory". In the "PermissionClaimProfileService" I'm adding all claims off the user to the context.IssuedClaims.
When I click "Login" in the Blazor App, I'm redirected to the login page on the IdentityServer App. After login I'm redirected to Blazor and I see the claims assigned to my user. But the claims I add in my Profile Service are not shown on that page.
In my logs I can see that my Profile Service is returning all claims. But then I don't see them on the client side.
I've tried several things, but I don't see what I'm doing wrong.
This is what I see in the logs:
Profile service returned the following claim types: sub preferred_username name amr auth_time idp email AspNet.Identity.SecurityStamp http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier TenantKey Permissions email_verified
These are the claims shown in the browser:
amr
pwd
sid
5BB444DB7141399BFA6ED4D1A65B1AE6
sub
5c009dae-d118-44e1-9a46-c119dcc31ff9
auth_time
1662538078
idp
local
name
{Name}
email
{Email}
bff:logout_url
/bff/logout?sid=5BB444DB7141399BFA6ED4D1A65B1AE6
bff:session_expires_in
1209598
bff:session_state
EvCMn29HkOmdDzxlAqvwUGfj3u0DgxHCymQtn1tOw0U.4F818675DFBEC4B689B4E3159633443A
Blazor APP Uri: https://localhost:7111 IdentityServer Uri: https://localhost:7193
IdentityServer Client Configuration
"BlazorClient": {
"AlwaysSendClientClaims": true,
"ClientId": "app-blazor",
"ClientSecrets": [
"SuperSecretPassword"
],
"ClientName": "App",
"ClientUri": "https://localhost:7111/",
"AllowedGrantTypes": [
"authorization_code"
],
"AllowOfflineAccess": true,
"RedirectUris": [
"https://localhost:7111/signin-oidc"
],
"FrontChannelLogoutUri": "https://localhost:7111/signout-oidc",
"PostLogoutRedirectUris": [
"https://localhost:7111/signout-callback-oidc"
],
"AllowedScopes": [
"openid",
"profile",
"api1"
]
}
Identity Server Resources
public static IEnumerable<IdentityResource> IdentityResources =>
new List<IdentityResource>
{
new IdentityResources.OpenId(),
new IdentityResources.Profile()
};
public static IEnumerable<ApiScope> ApiScopes =>
new List<ApiScope>
{
new ApiScope("api1", "MyAPI")
};
Identity Server Profile Service
public class PermissionClaimProfileService : ProfileService<ApplicationUser>
{
public PermissionClaimProfileService(UserManager<ApplicationUser> userManager, IUserClaimsPrincipalFactory<ApplicationUser> claimsFactory,
ILogger<ProfileService<ApplicationUser>> logger) : base(userManager, claimsFactory, logger)
{
}
public override async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
await base.GetProfileDataAsync(context);
var existingClaims = context.IssuedClaims;
foreach(var claim in context.Subject.Claims)
{
if (!existingClaims.Select(c => c.Type).ToList().Contains(claim.Type))
existingClaims.Add(claim);
}
context.IssuedClaims = existingClaims.ToList();
}
}
Identity Server Claims Principal Factory
public class PermissionClaimsPrincipalFactory<TIdentityUser> : UserClaimsPrincipalFactory<TIdentityUser>
where TIdentityUser : IdentityUser
{
private readonly IClaimsCalculator _claimsCalculator;
/// <summary>
/// Needs UserManager and IdentityOptions, plus the two services to provide the permissions and dataKey
/// </summary>
/// <param name="userManager"></param>
/// <param name="optionsAccessor"></param>
/// <param name="claimsCalculator"></param>
public PermissionClaimsPrincipalFactory(UserManager<TIdentityUser> userManager, IOptions<IdentityOptions> optionsAccessor,
IClaimsCalculator claimsCalculator)
: base(userManager, optionsAccessor)
{
_claimsCalculator = claimsCalculator;
}
/// <summary>
/// This adds the permissions and, optionally, a multi-tenant DataKey to the claims
/// </summary>
/// <param name="user"></param>
/// <returns></returns>
protected override async Task<ClaimsIdentity> GenerateClaimsAsync(TIdentityUser user)
{
var identity = await base.GenerateClaimsAsync(user);
var userId = identity.Claims.GetUserIdFromClaims();
var claims = await _claimsCalculator.GetClaimsForUser(userId);
identity.AddClaims(claims);
return identity;
}
}
IdentityServer Registration
services.AddScoped<IClaimsCalculator, ClaimsCalculator>();
services.AddScoped<IUserClaimsPrincipalFactory<ApplicationUser>, PermissionClaimsPrincipalFactory<ApplicationUser>>();
services
.AddIdentityServer(options =>
{
options.KeyManagement.Enabled = true;
options.Events.RaiseErrorEvents = true;
options.Events.RaiseInformationEvents = true;
options.Events.RaiseFailureEvents = true;
options.Events.RaiseSuccessEvents = true;
// see https://docs.duendesoftware.com/identityserver/v6/fundamentals/resources/
options.EmitStaticAudienceClaim = true;
})
.AddConfigurationStore(options =>
{
options.ConfigureDbContext = builder => builder.UseSqlServer(Configuration.GetConnectionString("identityserver"), sql => sql.MigrationsAssembly(migrationsAssembly));
})
.AddOperationalStore(options =>
{
options.ConfigureDbContext = builder => builder.UseSqlServer(Configuration.GetConnectionString("identityserver"), sql => sql.MigrationsAssembly(migrationsAssembly));
options.EnableTokenCleanup = true;
options.TokenCleanupInterval = 1800;
})
.AddAspNetIdentity<ApplicationUser>()
.AddProfileService<PermissionClaimProfileService>();
Blazor Server Startup Code
public static void Main(string[] args)
{
var builder = WebApplication.CreateBuilder(args);
// Add services to the container.
var configuration = builder.Configuration;
builder.Services.AddControllersWithViews();
builder.Services.AddRazorPages();
builder.Services.AddBff();
builder.Services.AddAuthentication(options =>
{
options.DefaultScheme = "cookie";
options.DefaultChallengeScheme = "oidc";
options.DefaultSignOutScheme = "oidc";
})
.AddCookie("cookie", options =>
{
options.Cookie.Name = "__Host-blazor";
options.Cookie.SameSite = SameSiteMode.Strict;
})
.AddOpenIdConnect("oidc", options =>
{
options.Authority = configuration.GetValue<string>("IdentityServer:Authority");
options.ClientId = configuration.GetValue<string>("IdentityServer:ClientId");
options.ClientSecret = configuration.GetValue<string>("IdentityServer:ClientSecret");
options.ResponseType = "code";
options.ResponseMode = "query";
options.Scope.Clear();
options.Scope.Add("openid");
options.Scope.Add("profile");
options.Scope.Add("api1");
options.MapInboundClaims = false;
options.GetClaimsFromUserInfoEndpoint = true;
options.SaveTokens = true;
});
var app = builder.Build();
// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
app.UseWebAssemblyDebugging();
}
else
{
app.UseExceptionHandler("/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseBlazorFrameworkFiles();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseBff();
app.UseAuthorization();
app.MapBffManagementEndpoints();
app.MapRazorPages();
app.MapControllers();
app.MapFallbackToFile("index.html");
app.Run();
}
Blazor Client Show Claims
<AuthorizeView>
<Authorized>
<dl>
@foreach (var claim in @context.User.Claims)
{
<dt>@claim.Type</dt>
<dd>@claim.Value</dd>
}
</dl>
@if(context.User.HasPermission(Permissions.CompanyProfile_ManagePermissions)){
<p>User has permissions to manage permissions for company profile</p>
}
@if (context.User.HasPermission(Permissions.Property_Read))
{
<p>User has permissions to read properties</p>
}
</Authorized>
<NotAuthorized>
<h3>No session</h3>
</NotAuthorized>
</AuthorizeView>
Via the related answers for this question I've found the solution for me. At least I get the claims now...
This answer led me to it: Custom Claims are not being accessed in client with identityserver 4 .Net core 2.0
AlwaysIncludeUserClaimsInIdToken = true