IMPORTANT!
This forum is now archived. Click here for the New Support Forum
Permissions into Claims in Token
Quote from Shawn de Wet on February 20, 2018, 2:55 pm
Please can you point me to where the permissions that a user has are added to the Token as Claims? I can see where you add policies, and that those policies require the presence of certain permission claims. But I can't figure out where the permissions are added as claims to the token when a user logs in.
Quote from Eben Monney on February 22, 2018, 6:26 am
Implementing the IProfileService gives us a way of manually picking what is included in the Token as Claims.
This is a feature of IdentityServer: http://docs.identityserver.io/en/release/reference/profileservice.html
In QuickApp all this happens from the GetProfileDataAsync(ProfileDataRequestContext context) of the IProfileService implementation (ProfileService.cs).
From this method we first get all the claims belonging to the user through: var claims = principal.Claims.ToList();
principal.Claims is comprehensive and includes the permission claims as well as other claims we might not care about.
So we filter out only that which is allowed for the API: claims = claims.Where(claim => context.RequestedClaimTypes.Contains(claim.Type)).ToList();
(See IdentityServerConfig.GetApiResources() for the allowed resources for the API. Note that this includes ClaimConstants.Permission).
After that we manually add whatever custom claims might not be part of the User's original Principal.Claims.
Note that NOT implementing IProfileService will leave us with only the fundamental claims.
So to answer your question, when it comes to claims everything happens in this method ConstantsProfileService.GetProfileDataAsync
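A sketch of the profile service flow described in the answer above, added here as an example and not QuickApp's own ProfileService.cs. It assumes IdentityServer4 with ASP.NET Core Identity's IdentityUser; the class name, the "permission" claim type value and the phone_number_verified custom claim are illustrative assumptions.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Identity;

// Illustrative class (hypothetical name), not the project's implementation.
public class ExampleProfileService : IProfileService
{
    private readonly UserManager<IdentityUser> _users;
    private readonly IUserClaimsPrincipalFactory<IdentityUser> _claimsFactory;

    public ExampleProfileService(UserManager<IdentityUser> users,
        IUserClaimsPrincipalFactory<IdentityUser> claimsFactory)
    {
        _users = users;
        _claimsFactory = claimsFactory;
    }

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var user = await _users.FindByIdAsync(context.Subject.GetSubjectId());
        if (user == null) return; // unknown subject: issue no claims

        // Rebuild the principal from the user store so its claims are current.
        var principal = await _claimsFactory.CreateAsync(user);

        // Allow-list: keep only the claim types declared by the requested resources,
        // e.g. "permission" (assumed here to be the value of ClaimConstants.Permission).
        var requested = new HashSet<string>(context.RequestedClaimTypes);
        var claims = principal.Claims.Where(c => requested.Contains(c.Type)).ToList();

        // Custom claim that is not part of principal.Claims. This example gates it on
        // the same allow-list so it is only issued when the resource asks for it.
        if (requested.Contains("phone_number_verified"))
            claims.Add(new Claim("phone_number_verified",
                user.PhoneNumberConfirmed ? "true" : "false"));

        context.IssuedClaims = claims;
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        var user = await _users.FindByIdAsync(context.Subject.GetSubjectId());
        // Deleted or locked-out users stop receiving tokens.
        context.IsActive = user != null && !await _users.IsLockedOutAsync(user);
    }
}
```

Permission claims issued this way are a snapshot taken when the token is created, so a permission removed from the user stays in already issued tokens until they expire.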