I am having trouble getting IdentityServer to return any claims on a resource scope. I define the resource scope as:
private static Scope Roles
{
get
{
return new Scope
{
Name = "roles",
DisplayName = "Roles",
Type = ScopeType.Identity,
Claims = new List<ScopeClaim>
{
new ScopeClaim(SecurityContants.ClaimTypes.Role)
}
};
}
}
private static Scope Api
{
get
{
return new Scope
{
Name = "api",
DisplayName = "Api",
IncludeAllClaimsForUser = true,
//i've also tried adding the claim directly
Type = ScopeType.Resource,
Emphasize = false
};
}
}
Then they're added to a collection and handed back. In my API Startup.cs, I configure owin like:
public void Configuration (IAppBuilder app)
{
JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
app.UseIdentityServerBearerTokenAuthentication(
new IdentityServerBearerTokenAuthenticationOptions
{
Authority = "http://localhost/security.tokenserver.site",
RequiredScopes = new[] { "api", "roles" },
RoleClaimType = "roles"
});
var config = new HttpConfiguration();
config.MapHttpAttributeRoutes();
app.UseWebApi(config);
}
}
My API endpoint is simply:
public IEnumerable<string> Get()
{
var user = User as ClaimsPrincipal;
var claims = new List<string>();
foreach (var item in user.Claims)
{
claims.Add(item.Value);
}
return claims;
}
The output of this, when called from my UI after authenticating is:
[ "customer_svc", "api", "https://idsrv3/embedded", "https://idsrv3/embedded/resources", "1448048492", "1448044892" ]
So the initial login at the UI works (i see the roles claim there), retrieving the token works, and handing the token up to the API works. But I cannot see the user's roles after the token is handed back up to the API.
What am I missing?