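/// <summary>
/// Returns the claims for an access token: the base provider's claims plus the
/// subject's <c>account_store</c> claim, when the subject carries one.
/// </summary>
/// <param name="subject">The subject; the base implementation tolerates null (no user involved).</param>
/// <param name="client">The client.</param>
/// <param name="scopes">The requested scopes.</param>
/// <param name="request">The raw request.</param>
/// <returns>The base access token claims, extended with <c>account_store</c> if present.</returns>
public override async Task<IEnumerable<Claim>> GetAccessTokenClaimsAsync(ClaimsPrincipal subject, Client client, IEnumerable<Scope> scopes, ValidatedRequest request)
{
    var claims = await base.GetAccessTokenClaimsAsync(subject, client, scopes, request);
    var newClaims = claims.ToList();

    // FindFirst returns null when the principal has no such claim; adding a null Claim
    // to the list would only blow up later, during token serialization, far from the
    // cause. The base call also accepts a null subject, so guard that before dereferencing.
    if (subject != null)
    {
        var accountStore = subject.FindFirst("account_store");
        if (accountStore != null)
        {
            newClaims.Add(accountStore);
        }
    }

    return newClaims;
}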
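/// <summary>
/// Returns claims for an identity token.
/// </summary>
/// <param name="subject">The subject.</param>
/// <param name="client">The client.</param>
/// <param name="scopes">The requested scopes.</param>
/// <param name="includeAllIdentityClaims">Specifies if all claims should be included in the token, or if the userinfo endpoint can be used to retrieve them.</param>
/// <param name="request">The raw request.</param>
/// <returns>Claims for the identity token.</returns>
public virtual async Task<IEnumerable<Claim>> GetIdentityTokenClaimsAsync(ClaimsPrincipal subject, Client client, IEnumerable<Scope> scopes, bool includeAllIdentityClaims, ValidatedRequest request)
{
    Logger.Info("Getting claims for identity token for subject: " + subject.GetSubjectId());

    // claims every subject gets, regardless of the requested scopes
    var outputClaims = new List<Claim>(GetStandardSubjectClaims(subject));
    outputClaims.AddRange(GetOptionalClaims(subject));

    // if an include-all-claims rule exists, call the user service without a claims filter;
    // the whole profile is emitted, so this rule should only be granted deliberately
    if (scopes.IncludesAllClaimsForUserRule(ScopeType.Identity))
    {
        Logger.Info("All claims rule found - emitting all claims for user.");

        var allClaims = await _users.GetProfileDataAsync(subject);
        if (allClaims != null)
        {
            outputClaims.AddRange(allClaims);
        }

        return outputClaims;
    }

    // collect the identity claim types that must go into the id_token; the remaining
    // ones can be fetched from the userinfo endpoint
    var additionalClaims = new List<string>();
    foreach (var scope in scopes)
    {
        // a scope with no configured claims is legal (the access token path already
        // checks for it), so skip it instead of throwing on the null collection
        if (scope.Type != ScopeType.Identity || scope.Claims == null)
        {
            continue;
        }

        foreach (var scopeClaim in scope.Claims)
        {
            if (includeAllIdentityClaims || scopeClaim.AlwaysIncludeInIdToken)
            {
                additionalClaims.Add(scopeClaim.Name);
            }
        }
    }

    if (additionalClaims.Count > 0)
    {
        var requestedClaims = await _users.GetProfileDataAsync(subject, additionalClaims);
        if (requestedClaims != null)
        {
            outputClaims.AddRange(requestedClaims);
        }
    }

    return outputClaims;
}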
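/// <summary>
/// Returns claims for an access token.
/// </summary>
/// <param name="subject">The subject; null when no user is involved in the flow.</param>
/// <param name="client">The client.</param>
/// <param name="scopes">The requested scopes.</param>
/// <param name="request">The raw request.</param>
/// <returns>Claims for the access token.</returns>
public virtual async Task<IEnumerable<Claim>> GetAccessTokenClaimsAsync(ClaimsPrincipal subject, Client client, IEnumerable<Scope> scopes, ValidatedRequest request)
{
    Logger.Debug("Getting claims for access token");

    // client_id identifies which client the token was issued to
    var outputClaims = new List<Claim>
    {
        new Claim(Constants.ClaimTypes.ClientId, client.ClientId),
    };

    // one scope claim per granted scope, so resource servers can enforce them
    foreach (var scope in scopes)
    {
        outputClaims.Add(new Claim(Constants.ClaimTypes.Scope, scope.Name));
    }

    // a user is involved
    if (subject != null)
    {
        outputClaims.AddRange(GetStandardSubjectClaims(subject));

        // if an include-all-claims rule exists, call the user service without a claims
        // filter; the entire profile ends up in the token
        if (scopes.IncludesAllClaimsForUserRule(ScopeType.Resource))
        {
            var allClaims = await _users.GetProfileDataAsync(subject);
            if (allClaims != null)
            {
                outputClaims.AddRange(allClaims);
            }

            return outputClaims;
        }

        // fetch only the resource claims that the granted scopes ask for
        var additionalClaims = new List<string>();
        foreach (var scope in scopes)
        {
            if (scope.Type != ScopeType.Resource || scope.Claims == null)
            {
                continue;
            }

            foreach (var scopeClaim in scope.Claims)
            {
                additionalClaims.Add(scopeClaim.Name);
            }
        }

        if (additionalClaims.Count > 0)
        {
            // several scopes may name the same claim; ask the user service once per type
            var requestedClaims = await _users.GetProfileDataAsync(subject, additionalClaims.Distinct());
            if (requestedClaims != null)
            {
                outputClaims.AddRange(requestedClaims);
            }
        }
    }

    return outputClaims;
}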
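/// <summary>
/// Returns claims for an access token.
/// </summary>
/// <param name="subject">The subject; null when no user is involved in the flow.</param>
/// <param name="client">The client.</param>
/// <param name="scopes">The requested scopes.</param>
/// <param name="request">The raw request.</param>
/// <returns>Claims for the access token.</returns>
public virtual async Task<IEnumerable<Claim>> GetAccessTokenClaimsAsync(ClaimsPrincipal subject, Client client, IEnumerable<Scope> scopes, ValidatedRequest request)
{
    // add client_id
    var outputClaims = new List<Claim>
    {
        new Claim(Constants.ClaimTypes.ClientId, client.ClientId),
    };

    // client claims are emitted when no user is involved, or when the client is
    // configured to always send them alongside the user's claims
    if (client.Claims != null && client.Claims.Any())
    {
        if (subject == null || client.AlwaysSendClientClaims)
        {
            foreach (var claim in client.Claims)
            {
                // optional "client_" prefix; presumably keeps client-configured claims
                // from colliding with subject claims of the same type
                var claimType = claim.Type;
                if (client.PrefixClientClaims)
                {
                    claimType = "client_" + claimType;
                }

                outputClaims.Add(new Claim(claimType, claim.Value, claim.ValueType));
            }
        }
    }

    // add scopes
    foreach (var scope in scopes)
    {
        outputClaims.Add(new Claim(Constants.ClaimTypes.Scope, scope.Name));
    }

    // a user is involved
    if (subject != null)
    {
        outputClaims.AddRange(GetStandardSubjectClaims(subject));
        outputClaims.AddRange(GetOptionalClaims(subject));

        // if an include-all-claims rule exists, call the user service without a claims
        // filter; the entire profile ends up in the token
        if (scopes.IncludesAllClaimsForUserRule(ScopeType.Resource))
        {
            var allClaims = await _users.GetProfileDataAsync(subject);
            if (allClaims != null)
            {
                outputClaims.AddRange(allClaims);
            }

            return outputClaims;
        }

        // fetch only the resource claims that the granted scopes ask for
        var additionalClaims = new List<string>();
        foreach (var scope in scopes)
        {
            if (scope.Type != ScopeType.Resource || scope.Claims == null)
            {
                continue;
            }

            foreach (var scopeClaim in scope.Claims)
            {
                additionalClaims.Add(scopeClaim.Name);
            }
        }

        if (additionalClaims.Count > 0)
        {
            // several scopes may name the same claim; ask the user service once per type
            var requestedClaims = await _users.GetProfileDataAsync(subject, additionalClaims.Distinct());
            if (requestedClaims != null)
            {
                outputClaims.AddRange(requestedClaims);
            }
        }
    }

    return outputClaims;
}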
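/// <summary>
/// Returns claims for an identity token, including this deployment's custom user claims.
/// </summary>
/// <param name="subject">The subject.</param>
/// <param name="client">The client.</param>
/// <param name="scopes">The requested scopes.</param>
/// <param name="includeAllIdentityClaims">Specifies if all claims should be included in the token, or if the userinfo endpoint can be used to retrieve them.</param>
/// <param name="request">The raw request.</param>
/// <returns>Claims for the identity token.</returns>
public virtual async Task<IEnumerable<Claim>> GetIdentityTokenClaimsAsync(ClaimsPrincipal subject, Client client, IEnumerable<Scope> scopes, bool includeAllIdentityClaims, Thinktecture.IdentityServer.Core.Validation.ValidatedRequest request)
{
    Logger.Info("Getting claims for identity token for subject: " + subject.GetSubjectId());

    // claims every subject gets, regardless of the requested scopes
    var outputClaims = new List<Claim>(GetStandardSubjectClaims(subject));
    outputClaims.AddRange(GetOptionalClaims(subject));

    // NOTE(review): unlike the upstream provider, the "include all claims" short-circuit
    // (IncludesAllClaimsForUserRule for identity scopes) is deliberately not applied here,
    // so the id_token only ever carries scope-filtered claims plus GetUserClaims — confirm
    // this is still the intended policy before re-enabling it.

    // collect the identity claim types that must go into the id_token; the remaining
    // ones can be fetched from the userinfo endpoint
    var additionalClaims = new List<string>();
    foreach (var scope in scopes)
    {
        // a scope with no configured claims is legal (the access token path already
        // checks for it), so skip it instead of throwing on the null collection
        if (scope.Type != ScopeType.Identity || scope.Claims == null)
        {
            continue;
        }

        foreach (var scopeClaim in scope.Claims)
        {
            if (includeAllIdentityClaims || scopeClaim.AlwaysIncludeInIdToken)
            {
                additionalClaims.Add(scopeClaim.Name);
            }
        }
    }

    if (additionalClaims.Count > 0)
    {
        var requestedClaims = await _users.GetProfileDataAsync(subject, additionalClaims);
        if (requestedClaims != null)
        {
            outputClaims.AddRange(requestedClaims);
        }
    }

    // custom claims for this deployment
    outputClaims.AddRange(GetUserClaims(subject));

    return outputClaims;
}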
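/// <summary>
/// Returns claims for an access token, including this deployment's custom user claims.
/// </summary>
/// <param name="subject">The subject; null when no user is involved in the flow.</param>
/// <param name="client">The client.</param>
/// <param name="scopes">The requested scopes.</param>
/// <param name="request">The raw request.</param>
/// <returns>Claims for the access token.</returns>
public virtual async Task<IEnumerable<Claim>> GetAccessTokenClaimsAsync(System.Security.Claims.ClaimsPrincipal subject, Thinktecture.IdentityServer.Core.Models.Client client, IEnumerable<Thinktecture.IdentityServer.Core.Models.Scope> scopes, Thinktecture.IdentityServer.Core.Validation.ValidatedRequest request)
{
    // add client_id
    var outputClaims = new List<Claim>
    {
        new Claim(Constants.ClaimTypes.ClientId, client.ClientId),
    };

    // client claims are emitted when no user is involved, or when the client is
    // configured to always send them alongside the user's claims
    if (client.Claims != null && client.Claims.Any())
    {
        if (subject == null || client.AlwaysSendClientClaims)
        {
            foreach (var claim in client.Claims)
            {
                // optional "client_" prefix; presumably keeps client-configured claims
                // from colliding with subject claims of the same type
                var claimType = claim.Type;
                if (client.PrefixClientClaims)
                {
                    claimType = "client_" + claimType;
                }

                outputClaims.Add(new Claim(claimType, claim.Value, claim.ValueType));
            }
        }
    }

    // add scopes
    foreach (var scope in scopes)
    {
        outputClaims.Add(new Claim(Constants.ClaimTypes.Scope, scope.Name));
    }

    // a user is involved
    if (subject != null)
    {
        outputClaims.AddRange(GetStandardSubjectClaims(subject));
        outputClaims.AddRange(GetOptionalClaims(subject));

        // if an include-all-claims rule exists, call the user service without a claims
        // filter; the entire profile ends up in the token.
        // NOTE(review): this early return also skips GetUserClaims below — confirm whether
        // the custom claims are wanted for clients granted the all-claims rule.
        if (scopes.IncludesAllClaimsForUserRule(ScopeType.Resource))
        {
            var allClaims = await _users.GetProfileDataAsync(subject);
            if (allClaims != null)
            {
                outputClaims.AddRange(allClaims);
            }

            return outputClaims;
        }

        // fetch only the resource claims that the granted scopes ask for
        var additionalClaims = new List<string>();
        foreach (var scope in scopes)
        {
            if (scope.Type != ScopeType.Resource || scope.Claims == null)
            {
                continue;
            }

            foreach (var scopeClaim in scope.Claims)
            {
                additionalClaims.Add(scopeClaim.Name);
            }
        }

        if (additionalClaims.Count > 0)
        {
            // several scopes may name the same claim; ask the user service once per type
            var requestedClaims = await _users.GetProfileDataAsync(subject, additionalClaims.Distinct());
            if (requestedClaims != null)
            {
                outputClaims.AddRange(requestedClaims);
            }
        }

        // custom claims for this deployment; only meaningful when a user is involved,
        // and previously this ran for a null subject as well (client credentials flow)
        outputClaims.AddRange(GetUserClaims(subject));
    }

    return outputClaims;
}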