I'd like to create a JWT containing role=root using OpenIddict. This is the payload I expect:
{
  "aud": "audience_01",
  "client_id": "client_01",
  "role": "root",
  "scope": "scope_01"
}
Here is the payload of the JWT I am currently getting back. It does not contain the expected role=root:
{
  "sub": "client_01",
  "oi_prst": "client_01",
  "client_id": "client_01",
  "oi_tkn_id": "2179f976-89f3-49ba-bb86-cefa0523a627",
  "aud": "audience_01",
  "scope": "scope_01",
  "jti": "fa97eaf2-4716-45fa-9f03-aab977873386",
  "exp": 1701893995,
  "iss": "https://localhost:22401/",
  "iat": 1701807595
}
I'm using the following code:
[HttpPost("~/connect/token")]
public async ValueTask<IActionResult> Exchange()
{
    // Retrieve the OIDC request from the original HTTP request.
    var request = HttpContext.GetOpenIddictServerRequest() ??
        throw new InvalidOperationException("The OpenID Connect request cannot be retrieved.");

    if (request.IsClientCredentialsGrantType())
    {
        var clientId = request.ClientId;

        var identity = new ClaimsIdentity(
            authenticationType: TokenValidationParameters.DefaultAuthenticationType,
            nameType: Claims.Name,
            roleType: Claims.Role);

        identity.AddClaim(Claims.Subject, clientId);
        identity.AddClaim(Claims.Name, "claims_name");
        identity.AddClaim(Claims.Role, "root");

        identity.SetScopes(request.GetScopes());
        identity.SetResources(await _scopeManager.ListResourcesAsync(identity.GetScopes()).ToListAsync());

        var principal = new ClaimsPrincipal(identity);

        // Returning a SignInResult will ask OpenIddict to issue the appropriate access/identity tokens.
        return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
    }

    throw new NotImplementedException("The specified grant type is not implemented.");
}
Your claims don't have a destination attached so OpenIddict won't copy them to the access tokens it will produce based on your ClaimsPrincipal.

See https://documentation.openiddict.com/guides/getting-started.html for an example showing how to call SetDestinations().