Tags: oauth-2.0, discord, identityserver4, openid-connect

.NET IdentityServer4 OpenIdConnect with Discord


I'm trying to cut my teeth with IdentityServer and have been following the guides on readthedocs closely. I'm at the point of adding external identity providers and have added all the ones I want to support to the IdentityServer project.

I specifically want to include "guilds" from Discord then do role based authorization in my web app based on the roles a user has on a specific Guild. Discord lists the various Scopes that are allowed (screenshot of the Discord OAuth2 scopes table).

So I've included the AspNet.Security.OAuth.Discord package and added an IdentityResource for guilds:

using System.Collections.Generic;
using IdentityServer4.Models;

public static class AuthConfig
{
    public static IEnumerable<IdentityResource> IdentityResources =>
        new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Address(),
            new IdentityResources.Email(),
            new IdentityResources.Profile(),
            new IdentityResource()
            {
                Name = "guilds",
                DisplayName = "Discord Guilds",
                Description = "All of the Discord Guilds the user belongs to",
                Required = true,
                Emphasize = true,
                UserClaims = new[] { "name" } // <<< Not sure how I find the claims on the discord api doco
            }
        };

    // ...
}

This then allows me to add scopes to my discord options in the startup of my IdentityServer project:

using IdentityServer4;
using Microsoft.Extensions.DependencyInjection;

// Startup.cs
public void ConfigureServices(IServiceCollection services)
{
    // uncomment, if you want to add an MVC-based UI
    services.AddControllersWithViews();

    services.AddAuthentication()
        .AddDiscord("Discord", options =>
        {
            options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
            options.ClientId = "<my client id>";
            options.ClientSecret = "<my client secret>";
            options.Scope.Add("guilds");
        });
}

When I login the uri has the guilds scope added and I get the warning on the acknowledgement dialog (screenshot of the Discord consent dialog).

But when I view the content of my claims I don't see anything. If I add a standard OIDC one such as email, that does display though (screenshot of the claims list).

If I follow through to the definition of IdentityResources.Email then I see these claims defined on the ScopeToClaimsMapping property in IdentityServer4.Constants (screenshot of the ScopeToClaimsMapping source).

but I'm not sure how to determine what these claims should be for the Discord guilds scope...and is this even the issue anyway.

Can anyone point me in the right direction?


Solution

  • Claims and Scopes are different but related things.

    A scope is a claim; it talks about the scope of your access.

    When you request the "guilds" scope, it means your token will be able to access the information under that scope. But that doesn't necessarily mean that information is going to be presented in a claim on the token or user_info response.

    Instead, what you need to do to get the "guilds" information is to consume their API, using the token.

    Discord Developer Portal - Guilds

    Get Current User Guilds
    GET /users/@me/guilds

    Returns a list of partial guild objects the current user is a member of.

    Requires the guilds OAuth2 scope.
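The API call the answer describes, wired into the IdentityServer4 external sign-in, as an added example that is not code from the original question, from the answer, or from the AspNet.Security.OAuth.Discord project. It uses the standard ASP.NET Core OAuth `OnCreatingTicket` event, which runs after the authorization code has been exchanged for an access token and before the external cookie is issued. The base URL `https://discord.com/api` (the page only gives the path), the claim type name `discord:guild` and the extension method name `AddDiscordWithGuildClaims` are assumptions made for this example.

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text.Json;
using IdentityServer4;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;

public static class DiscordGuildClaims
{
    // Claim type for each guild the user belongs to. This name is an assumption for the
    // example; it is not a Discord or IdentityServer4 constant. It must also be listed in
    // the "guilds" IdentityResource's UserClaims for IdentityServer4 to emit it in tokens.
    public const string GuildClaimType = "discord:guild";

    // The base URL is assumed here; the Discord docs quoted above give only the path.
    private const string GuildsEndpoint = "https://discord.com/api/users/@me/guilds";

    public static AuthenticationBuilder AddDiscordWithGuildClaims(
        this AuthenticationBuilder builder, string clientId, string clientSecret)
    {
        return builder.AddDiscord("Discord", options =>
        {
            options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
            options.ClientId = clientId;
            options.ClientSecret = clientSecret;
            options.Scope.Add("guilds");

            // OnCreatingTicket fires once the handler holds the access token and has built
            // the external ClaimsIdentity. The "guilds" scope only entitles that token to
            // call the guilds endpoint; it adds nothing to the user-info response, so the
            // guild list has to be fetched here and turned into claims by hand.
            options.Events.OnCreatingTicket = async context =>
            {
                using var request = new HttpRequestMessage(HttpMethod.Get, GuildsEndpoint);
                request.Headers.Authorization =
                    new AuthenticationHeaderValue("Bearer", context.AccessToken);

                using var response = await context.Backchannel.SendAsync(
                    request, context.HttpContext.RequestAborted);

                // Fail the sign-in rather than continue with an empty guild list: a silently
                // empty list would later be indistinguishable from "member of no guilds".
                response.EnsureSuccessStatusCode();

                using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());

                foreach (var guild in doc.RootElement.EnumerateArray())
                {
                    // Key on the guild's snowflake id, not its name: names are neither
                    // unique nor stable, so authorization rules should never match on them.
                    var guildId = guild.GetProperty("id").GetString();
                    if (!string.IsNullOrEmpty(guildId))
                    {
                        context.Identity?.AddClaim(new Claim(GuildClaimType, guildId));
                    }
                }
            };
        });
    }
}
```

In `ConfigureServices` this replaces the `.AddDiscord(...)` call with `services.AddAuthentication().AddDiscordWithGuildClaims("<my client id>", "<my client secret>");`, and the `guilds` IdentityResource from the question should declare `UserClaims = new[] { DiscordGuildClaims.GuildClaimType }` so that the profile service emits the claim for clients that request the scope, which is exactly what the `ScopeToClaimsMapping` table does for the built-in `email` scope. Two caveats: the claims are a snapshot taken at login, so a user removed from a guild keeps the claim until they sign in again (keep the session lifetime short or re-check server-side for sensitive actions); and the partial guild objects returned by this endpoint only tell you which guilds the user is in, not which roles they hold in a given guild, so role-based authorization per guild needs more than the `guilds` scope alone.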