
Permissions into Claims in Token

Please can you point me to where the permissions that a user has are added to the Token as Claims?  I can see where you add policies, and that those policies require the presence of certain permission claims.  But I can't figure out where the permissions are added as claims to the token when a user logs in.

Implementing the IProfileService gives us a way of manually picking what is included in the Token as Claims.

This is a feature of IdentityServer: http://docs.identityserver.io/en/release/reference/profileservice.html

In QuickApp all this happens in the GetProfileDataAsync(ProfileDataRequestContext context) method of the IProfileService implementation (ProfileService.cs).

From this method we first get all the claims belonging to the user through: var claims = principal.Claims.ToList();
principal.Claims is comprehensive and includes the permission claims as well as other claims we might not care about.
So we filter out only that which is allowed for the API: claims = claims.Where(claim => context.RequestedClaimTypes.Contains(claim.Type)).ToList();
(See IdentityServerConfig.GetApiResources() for the allowed resources for the API. Note that this includes ClaimConstants.Permission).

After that we manually add any custom claims that might not be part of the User's original Principal.Claims.

Note that NOT implementing IProfileService will leave us with only the fundamental claims.

So to answer your question, when it comes to claims, everything happens in this method: ConstantsProfileService.GetProfileDataAsync
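
The flow described in the answer above, as an added example that is not part of the original post and is not QuickApp's own ProfileService.cs. ExampleUser, ExampleProfileService and the "example_claim" type are hypothetical names, and the code assumes the IdentityServer4 and ASP.NET Core Identity packages are referenced.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Identity;

// Hypothetical user type for this example; QuickApp has its own user class.
public class ExampleUser : IdentityUser { }

public class ExampleProfileService : IProfileService
{
    private readonly UserManager<ExampleUser> _users;
    private readonly IUserClaimsPrincipalFactory<ExampleUser> _principalFactory;

    public ExampleProfileService(
        UserManager<ExampleUser> users,
        IUserClaimsPrincipalFactory<ExampleUser> principalFactory)
    {
        _users = users;
        _principalFactory = principalFactory;
    }

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var user = await _users.FindByIdAsync(context.Subject.GetSubjectId());
        if (user == null) return; // unknown subject: issue no claims

        // Build the full principal; per the answer this carries the
        // permission claims along with claims the API does not need.
        var principal = await _principalFactory.CreateAsync(user);

        // Keep only the claim types requested for this token.
        var claims = principal.Claims
            .Where(c => context.RequestedClaimTypes.Contains(c.Type))
            .ToList();

        // Claims added after the filter bypass it, so keep this list short.
        claims.Add(new Claim("example_claim", "constructed-value"));

        context.IssuedClaims = claims;
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        // Stop issuing tokens for subjects that no longer exist.
        var user = await _users.FindByIdAsync(context.Subject.GetSubjectId());
        context.IsActive = user != null;
    }
}
```

If the permission claim type is not listed on the API resource, RequestedClaimTypes will not contain it and the filter drops every permission claim, which is the first thing to check when policies fail for a correctly provisioned user.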