I created a delegation extension grant the way they did in the docs. (https://identityserver4.readthedocs.io/en/latest/topics/extension_grants.html)
In the example, they get the user's identity from the claims and return the grant validation result like so:
var sub = result.Claims.FirstOrDefault(c => c.Type == "sub").Value;
context.Result = new GrantValidationResult(sub, GrantType);
My issue is that I don't always have a subject aka user identity when I need to utilize the delegation grant. In my scenario, I have an application listening to messages. When the app gets a message, it calls an API using client_credentials. That API then calls a sub API using the delegation grant type. Since the app is using client_credentials, there is no "sub" in the claims.
I tried checking if the "sub" claim exists and if not, set the subject of the GrantValidationResult to a "magical" guid which the IUserStore's FindByIdAsync would look for and either return null or a newed up empty TUser. In both cases, this causes Microsoft.AspNetCore.Identity to bomb further down the pipeline.
How can I return a GrantValidationResult with the current claims, but not the subject when it doesn't exist?
I found this override for the GrantValidationResult.
Since I don't have any custom responses, if "sub" is null, then I do this:
Doing it this way still populates the claims with the requested/validated scopes.
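For reference, here is a complete validator that handles both cases (caller token with a "sub" and client_credentials caller without one). This is an added example, not the poster's code or IdentityServer4's own; it assumes the grant type name "delegation", the "token" form parameter and the ITokenValidator injection from the linked docs example.

```csharp
using System.Linq;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Validation;

// Added example: a delegation grant validator that tolerates a caller
// authenticated with client_credentials (no "sub" claim in its token).
public class DelegationGrantValidator : IExtensionGrantValidator
{
    private readonly ITokenValidator _validator;

    public DelegationGrantValidator(ITokenValidator validator)
    {
        _validator = validator;
    }

    // Grant type name assumed from the IdentityServer4 docs example.
    public string GrantType => "delegation";

    public async Task ValidateAsync(ExtensionGrantValidationContext context)
    {
        // The incoming access token is expected in the "token" form field (as in the docs).
        var token = context.Request.Raw.Get("token");
        if (string.IsNullOrEmpty(token))
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
            return;
        }
        // Validate signature, lifetime and audience before trusting any claim in it.
        var result = await _validator.ValidateAccessTokenAsync(token);
        if (result.IsError)
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
            return;
        }
        // Use ?.Value: FirstOrDefault returns null when there is no "sub" claim,
        // and the docs' plain ".Value" would throw a NullReferenceException here.
        var sub = result.Claims.FirstOrDefault(c => c.Type == "sub")?.Value;

        if (string.IsNullOrEmpty(sub))
        {
            // Client-only caller: issue a token with no subject. The scopes granted to
            // the requesting client are still applied and no user store lookup happens.
            context.Result = new GrantValidationResult();
            return;
        }
        context.Result = new GrantValidationResult(sub, GrantType);
    }
}
```

The subject-less branch uses the GrantValidationResult constructor that takes only an optional customResponse dictionary, so the resulting access token carries the client identity and scopes but no user.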