IdentityServer4

Role not included in access_token in new version on net5.0

Open farshid3003 opened this issue 5 years ago • 2 comments

Hi, I have several IDS instances running, but I updated one of them to the latest version on net5.0 and the role is not included in the access_token any more.

Installed NuGet packages:

    <PackageReference Include="Microsoft.AspNetCore.Identity.UI" Version="5.0.1" />
    <PackageReference Include="IdentityServer4.AspNetIdentity" Version="4.1.1" />
    <PackageReference Include="IdentityServer4.EntityFramework" Version="4.1.1" />

Client config:

response_type: 'id_token token',
scope: 'openid roles profile api_gateway',
redirect_uri: `${process.env.VUE_APP_ADMIN_ADDRESS}/callback.html`,
silent_redirect_uri: `${process.env.VUE_APP_ADMIN_ADDRESS}/silent-renew.html`,

I have roles in the id_token, but the API does not authorize the id_token any more. Previously I could use that when I had this problem.

Here are the tokens:

Access Token

{
  "alg": "RS256",
  "kid": "C49BF6CF4B87872DB24E288C39F06D1E9F3440E5RS256",
  "typ": "at+jwt",
  "x5t": "xJv2z0uHhy2yTiiMOfBtHp80QOU"
}.{
  "nbf": 1608073377,
  "exp": 1608076977,
  "iss": "https://localhost:44310",
  "aud": "api_gateway",
  "client_id": "xxxx",
  "sub": "31914615-a193-45c0-bd60-c829ca11ff7a",
  "auth_time": 1608073376,
  "idp": "local",
  "sid": "CCB90B0BE4326EC44D02FC772947FB39",
  "iat": 1608073377,
  "scope": [
    "openid",
    "roles",
    "profile",
    "api_gateway"
  ],
  "amr": [
    "pwd"
  ]
}.[Signature]

and here is the id_token

{
  "alg": "RS256",
  "kid": "C49BF6CF4B87872DB24E288C39F06D1E9F3440E5RS256",
  "typ": "JWT",
  "x5t": "xJv2z0uHhy2yTiiMOfBtHp80QOU"
}.{
  "nbf": 1608073377,
  "exp": 1608073677,
  "iss": "https://localhost:44310",
  "aud": "xxxxx",
  "nonce": "cb1ba8dd02af4caa92c113750616e2f2",
  "iat": 1608073377,
  "at_hash": "_uKrgwya12q1jl0Bne9YQw",
  "s_hash": "UCrd9pwu43r5IO9BDcP8eg",
  "sid": "CCB90B0BE4326EC44D02FC772947FB39",
  "sub": "31914615-a193-45c0-bd60-c829ca11ff7a",
  "auth_time": 1608073376,
  "idp": "local",
  "name": "my name",
  "role": [
    "admin",
    "provider"
  ],
  "preferred_username": "name",
  "amr": [
    "pwd"
  ]
}.[Signature]

Client allowed scopes:

email openid roles profile api_gateway

I have roles in identity resources and role as a claim of roles.

This is the config that has always worked for me, but not this time. I tried implicit and also authorization_code flows, but got the same result.

Best Regards, Farshid.

farshid3003, Dec 15 '20 23:12

I tried email claims as well. I didn't get them in the access token either.

farshid3003, Dec 15 '20 23:12

Not enough info. We'd need to see the scope definitions (and the associated user claims), and whether you have a profile service configured.

brockallen, Dec 30 '20 19:12
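The two things the reply above asks for, scope definitions with their user claims and the profile service, are exactly where a claim's destination is decided in IdentityServer4: user claims listed on an identity resource go into the id_token (and userinfo), while user claims listed on the ApiScope/ApiResource the access token is issued for go into the access token. The block below is an added example written for this thread, not code from the issue, from the reporter, or from the IdentityServer4 project. It reuses the names visible in the issue (`roles`, `api_gateway`, the `role` claim); the client id, redirect URI and class names are assumed.

```csharp
// Added example, not code from the issue or from IdentityServer4: scope
// definitions and a profile service that issue "role" in BOTH tokens.
// Scope/claim names mirror the issue; client id, redirect URI and class
// names are assumed.
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Identity;

public static class Config
{
    // Identity resources populate the id_token and the userinfo endpoint only.
    // A "roles" identity resource carrying the "role" claim explains the
    // issue's id_token; it never puts "role" into the access token.
    public static IEnumerable<IdentityResource> IdentityResources => new IdentityResource[]
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
        new IdentityResources.Email(),
        new IdentityResource("roles", "User roles", new[] { JwtClaimTypes.Role })
    };

    // Access-token claims come from the requested ApiScope(s) and the ApiResource(s)
    // owning them. Since IdentityServer4 v4, ApiScope is its own entity with its own
    // UserClaims (in v3 user claims lived on ApiResource only), so a scope migrated
    // without UserClaims yields an access token with no "role".
    public static IEnumerable<ApiScope> ApiScopes => new[]
    {
        new ApiScope("api_gateway", "API gateway", new[] { JwtClaimTypes.Role })
    };

    // The ApiResource supplies "aud": "api_gateway"; its UserClaims are issued too.
    public static IEnumerable<ApiResource> ApiResources => new[]
    {
        new ApiResource("api_gateway", "API gateway")
        {
            Scopes = { "api_gateway" },
            UserClaims = { JwtClaimTypes.Role }
        }
    };

    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "admin-spa",                  // assumed; redacted as "xxxx" in the issue
            AllowedGrantTypes = GrantTypes.Code,     // authorization_code + PKCE for a browser SPA
            RequirePkce = true,
            RequireClientSecret = false,
            RedirectUris = { "https://localhost:5001/callback.html" },  // assumed
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                IdentityServerConstants.StandardScopes.Email,
                "roles",
                "api_gateway"
            }
        }
    };
}

// A custom profile service is the other place "role" can be lost. IdentityServer
// calls it separately for the id_token and for the access token, each time with
// context.RequestedClaimTypes narrowed to the claims of the scopes involved, so
// the service must supply claims on every call and filter them with
// AddRequestedClaims instead of hard-coding a list for one token type.
public class RoleAwareProfileService : IProfileService
{
    private readonly UserManager<IdentityUser> _users;

    public RoleAwareProfileService(UserManager<IdentityUser> users) => _users = users;

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var user = await _users.FindByIdAsync(context.Subject.GetSubjectId());
        if (user == null) return;
        var claims = new List<Claim>(await _users.GetClaimsAsync(user));
        foreach (var role in await _users.GetRolesAsync(user))
            claims.Add(new Claim(JwtClaimTypes.Role, role));
        context.AddRequestedClaims(claims);  // keeps only context.RequestedClaimTypes
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        var user = await _users.FindByIdAsync(context.Subject.GetSubjectId());
        context.IsActive = user != null;
    }
}
```

Register the profile service after `AddAspNetIdentity<IdentityUser>()` (`.AddProfileService<RoleAwareProfileService>()`), otherwise the package's default `ProfileService<TUser>` stays in effect. With the EntityFramework stores used in the issue, the same information lives in the `ApiScopeClaims` and `ApiResourceClaims` tables rather than in this in-memory class, so check those rows for a `role` entry. The tokens posted above also show why the id_token cannot stand in for the access token: its `aud` is the client id and its `typ` is `JWT`, while the API expects `aud: api_gateway` and `typ: at+jwt`.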