How to get application profile data into access token?


I'm using IdentityServer4 with a mix of v4/v3 clients.

I have custom profile data that is stored on the application side that I'd like to include in the access_token so that my downstream APIs can use this with bearer/JWT authentication.

I understand I can manipulate claims via IProfileService, but that is registered on the identity side, not the application.

How can I get my custom profile claims into the requested access token?

Additional Details

I've done a proof of concept using Extension Grants to specifically pass my application claims through the IdS so that it includes those in the token. It works...but feels pretty hacky.


There are 3 answers

adem caglin On

You cannot change the JWT token content after it has been created and signed by the authorization server. But you can use ClaimsTransformation to manipulate claims in the API project.

Edit: Another option is to use the JwtBearer OnTokenValidated event.
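Both options from this answer, written out as an added example in C# for an ASP.NET Core API (this is not code from the answer or from ASP.NET Core itself). `IProfileStore`, the claim type `app_tier`, the authority URL and the audience are assumed names; everything else is the framework's own API. Use one of the two hooks, not both, or the claim gets added twice. Note that claims added this way exist only inside the API process: they are looked up from the API's own store after the signature has been verified, so the API is trusting itself, not the token, for them.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

// Assumed application-side profile store (hypothetical interface, not a framework type).
public interface IProfileStore
{
    Task<string?> GetTierAsync(string subjectId);
}

// Option 1: IClaimsTransformation runs after any authentication scheme succeeds,
// so it also covers non-JWT schemes on the same API.
public class ProfileClaimsTransformation : IClaimsTransformation
{
    private const string TierClaim = "app_tier"; // assumed claim type
    private readonly IProfileStore _store;

    public ProfileClaimsTransformation(IProfileStore store) => _store = store;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // TransformAsync may be invoked more than once per request; make it idempotent.
        if (principal.HasClaim(c => c.Type == TierClaim))
            return principal;

        // "sub" is renamed to ClaimTypes.NameIdentifier by the default inbound claim map
        // unless MapInboundClaims is turned off, so look for both.
        var sub = principal.FindFirst("sub")?.Value
                  ?? principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (sub is null)
            return principal;

        var tier = await _store.GetTierAsync(sub);
        if (tier is null)
            return principal;

        // Add the claim via a second identity on a clone so the identity built from the
        // signed token keeps exactly the claims that were signed.
        var clone = principal.Clone();
        clone.AddIdentity(new ClaimsIdentity(new[] { new Claim(TierClaim, tier) }));
        return clone;
    }
}

// Option 2: the JwtBearer OnTokenValidated event; runs only for the JWT bearer scheme,
// after signature, issuer, audience and lifetime validation have passed.
public static class JwtSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddTransient<IClaimsTransformation, ProfileClaimsTransformation>();

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "https://ids.example"; // assumed IdentityServer URL
                options.Audience = "api1";                 // assumed API resource name
                options.Events = new JwtBearerEvents
                {
                    OnTokenValidated = async ctx =>
                    {
                        var store = ctx.HttpContext.RequestServices
                                       .GetRequiredService<IProfileStore>();
                        var sub = ctx.Principal?.FindFirst("sub")?.Value
                                  ?? ctx.Principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
                        if (sub is null)
                            return;

                        var tier = await store.GetTierAsync(sub);
                        if (tier is not null)
                            ctx.Principal!.AddIdentity(
                                new ClaimsIdentity(new[] { new Claim("app_tier", tier) }));
                    }
                };
            });
    }
}
```

Either hook costs one store lookup per request, so cache the result (for example keyed by `sub` with a short TTL) if the store is remote. If the profile value is security-relevant (a role, a tenant), prefer the transformation returning the principal unchanged over falling back to a default when the lookup fails.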

Simon On

Any claims issued from your implementation of IProfileService should end up in the token. Note that your implementation of IProfileService should check if it is issuing claims related to IdentityResources or ApiResources. It would be a bit pointless adding API claims to an id_token.

When the client receives the token from your IDS, it will pass it in calls to your API. If your client is using cookie authentication, the tokens themselves as well as some user profile claims will be stored in the authentication cookie. This obviously depends on the flow you are using (Implicit, Hybrid, etc.).

If you want to inspect what you get back from the IDS at the client, you could add a Cookie Authentication event handler (e.g. OnValidatePrincipal) to see what's stored in the cookie, or add an OnUserInformationReceived event handler to your OIDC handler and inspect what you get back in there.
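An IProfileService that does what this answer describes, added here as an example (it is not code from the answer or from the IdentityServer4 project). `IAppProfileClient` stands in for however the identity host reaches the application-side profile store (an HTTP call, a shared database); the claim types `app_tier`/`app_tenant` and the resource name `api1` are assumptions. The service only emits the application claims when IdentityServer is building an access token, and only the claim types the requested API resource declares, so nothing leaks into the id_token or the userinfo response.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;

// Assumed: how the identity host reads the application-side profile data
// (hypothetical interface, not an IdentityServer4 type).
public interface IAppProfileClient
{
    Task<IDictionary<string, string>> GetClaimsAsync(string subjectId);
}

public class AppProfileService : IProfileService
{
    private readonly IAppProfileClient _app;

    public AppProfileService(IAppProfileClient app) => _app = app;

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // Caller tells us which artefact is being built: id_token, access token or
        // userinfo response. Application claims belong in the access token only.
        if (context.Caller != IdentityServerConstants.ProfileDataCallers.ClaimsProviderAccessToken)
            return;

        var sub = context.Subject.GetSubjectId();
        var data = await _app.GetClaimsAsync(sub);

        var claims = data.Select(kv => new Claim(kv.Key, kv.Value)).ToList();

        // AddRequestedClaims keeps only the types in context.RequestedClaimTypes, i.e. the
        // UserClaims of the API resources/scopes the client actually asked for.
        context.AddRequestedClaims(claims);
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        // Keep the real check here (e.g. user not disabled); true is a placeholder.
        context.IsActive = true;
        return Task.CompletedTask;
    }
}

public static class Resources
{
    // The API resource declares which application claims it wants in its access tokens.
    public static IEnumerable<ApiResource> Apis => new[]
    {
        new ApiResource("api1", "Downstream API", new[] { "app_tier", "app_tenant" })
    };
}

// Registration on the IdentityServer host (Startup.ConfigureServices), assumed layout:
//
// services.AddIdentityServer()
//     .AddInMemoryApiResources(Resources.Apis)
//     .AddProfileService<AppProfileService>();
```

On IdentityServer4 v4 the three-argument ApiResource constructor no longer creates a scope of the same name; add an ApiScope named `api1` with `services.AddIdentityServer().AddInMemoryApiScopes(...)` and list it in `ApiResource.Scopes`, or the claims are never requested. Because the claims end up inside the signed access token, the downstream API can rely on them after signature validation without its own lookup; the trade-off, as the next answer points out, is that every request now carries them.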

TomTom On

Please do not do that. The JWT token is sent with every request.

If the downstream API needs something from the user, then either submit it with the call, or have an endpoint the downstream API can call. Embedding rarely used, large information in something transmitted with every call (except in HTTP 2.0) is a nonononono.