Id token does not contain email when email scope is requested

0

I have an identity server 4 application and I have added to the email scope [IdentityResources] table in the database. I have also added the email scope to the client that i am using with my client application.

The client application is now prompting the user for email scope consent after login.

I can also see that its there in the UserClaimsPrincipalFactory

protected override async Task

GenerateClaimsAsync(ApplicationUser user)

        {

            var identity = await base.GenerateClaimsAsync(user);

            if (user.IsXenaSupporter)

                identity.AddClaim(new Claim("Supporter", user.Id.ToString()));

            return identity;

        }

Identity does contain email. Yet when the Id token and access token are returned to the application neither contain an email. Nor is there an email when i reqeust it from the user info end point.

What do I need to do to populate email address in the claims when the application requests the email scope? Also my custom supporter claim is also not being added

c# asp.net-core asp.net-identity identityserver4

share|improve this question

asked Nov 22 '18 at 13:44

DaImToDaImTo

45.7k1163245

add a comment | 

0

I have an identity server 4 application and I have added to the email scope [IdentityResources] table in the database. I have also added the email scope to the client that i am using with my client application.

The client application is now prompting the user for email scope consent after login.

I can also see that its there in the UserClaimsPrincipalFactory

protected override async Task

GenerateClaimsAsync(ApplicationUser user)

        {

            var identity = await base.GenerateClaimsAsync(user);

            if (user.IsXenaSupporter)

                identity.AddClaim(new Claim("Supporter", user.Id.ToString()));

            return identity;

        }

Identity does contain email. Yet when the Id token and access token are returned to the application neither contain an email. Nor is there an email when i reqeust it from the user info end point.

What do I need to do to populate email address in the claims when the application requests the email scope? Also my custom supporter claim is also not being added

c# asp.net-core asp.net-identity identityserver4

share|improve this question

asked Nov 22 '18 at 13:44

DaImToDaImTo

45.7k1163245

add a comment | 

0

0

0

I have an identity server 4 application and I have added to the email scope [IdentityResources] table in the database. I have also added the email scope to the client that i am using with my client application.

The client application is now prompting the user for email scope consent after login.

I can also see that its there in the UserClaimsPrincipalFactory

protected override async Task

GenerateClaimsAsync(ApplicationUser user)

        {

            var identity = await base.GenerateClaimsAsync(user);

            if (user.IsXenaSupporter)

                identity.AddClaim(new Claim("Supporter", user.Id.ToString()));

            return identity;

        }

Identity does contain email. Yet when the Id token and access token are returned to the application neither contain an email. Nor is there an email when i reqeust it from the user info end point.

What do I need to do to populate email address in the claims when the application requests the email scope? Also my custom supporter claim is also not being added

c# asp.net-core asp.net-identity identityserver4

share|improve this question

asked Nov 22 '18 at 13:44

DaImToDaImTo

45.7k1163245

I have an identity server 4 application and I have added to the email scope [IdentityResources] table in the database. I have also added the email scope to the client that i am using with my client application.

The client application is now prompting the user for email scope consent after login.

I can also see that its there in the UserClaimsPrincipalFactory

protected override async Task

GenerateClaimsAsync(ApplicationUser user)

        {

            var identity = await base.GenerateClaimsAsync(user);

            if (user.IsXenaSupporter)

                identity.AddClaim(new Claim("Supporter", user.Id.ToString()));

            return identity;

        }

Identity does contain email. Yet when the Id token and access token are returned to the application neither contain an email. Nor is there an email when i reqeust it from the user info end point.

What do I need to do to populate email address in the claims when the application requests the email scope? Also my custom supporter claim is also not being added

c# asp.net-core asp.net-identity identityserver4

c# asp.net-core asp.net-identity identityserver4

share|improve this question

asked Nov 22 '18 at 13:44

DaImToDaImTo

45.7k1163245

share|improve this question

asked Nov 22 '18 at 13:44

DaImToDaImTo

45.7k1163245

share|improve this question

share|improve this question

asked Nov 22 '18 at 13:44

DaImToDaImTo

45.7k1163245

asked Nov 22 '18 at 13:44

DaImToDaImTo

45.7k1163245

asked Nov 22 '18 at 13:44

DaImToDaImTo

45.7k1163245

45.7k1163245

add a comment | 

add a comment | 

2 Answers
2

active

oldest

votes

0

The simple fact that the client application is prompting you for the email scope only means, that the scope was allowed in IdentityServer and requested on the client end but not necessarily that this information is being retrieved.

The magic is in the GetProfileDataAsync method of your IProfileService implementation.

This profile service is where you retrieve whatever claims you'd like and add them to the ProfileDataRequestContext.

public Task GetProfileDataAsync(ProfileDataRequestContext context)

{

    var subjectId = context.Subject.GetSubjectId();

    Guid.TryParse(subjectId, out Guid g);



    //whatever way or wherever you retrieve the claims from

    var claimsForUser = idRepo.GetUserClaimsBySubjectId(g);



    context.IssuedClaims = claimsForUser.Select(c => 

        new Claim(c.ClaimType, c.ClaimValue)).ToList();



    return Task.FromResult(0);

}

As explained here, an id token should pretty much only have a sub claim - that's what the userinfo endpoint is for.

share|improve this answer

answered Nov 23 '18 at 8:04

Wim OmbeletsWim Ombelets

3,66023245

add a comment | 

0

The problem was that i had only added it to the [IdentityResources] table.

This simply defines the different scopes. But it doesn't actually assign any data.

To do that i needed to add it to the [IdentityClaims] table.

As soon as i did this the data started being returned in the claims.

share|improve this answer

answered Dec 3 '18 at 12:51

DaImToDaImTo

45.7k1163245

add a comment | 

Your Answer

StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

Thanks for contributing an answer to Stack Overflow!

• Please be sure to answer the question. Provide details and share your research!

But avoid …

• Asking for help, clarification, or responding to other answers.


• Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53432356%2fid-token-does-not-contain-email-when-email-scope-is-requested%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

2 Answers
2

active

oldest

votes

2 Answers
2

active

oldest

votes

active

oldest

votes

active

oldest

votes

0

The simple fact that the client application is prompting you for the email scope only means, that the scope was allowed in IdentityServer and requested on the client end but not necessarily that this information is being retrieved.

The magic is in the GetProfileDataAsync method of your IProfileService implementation.

This profile service is where you retrieve whatever claims you'd like and add them to the ProfileDataRequestContext.

public Task GetProfileDataAsync(ProfileDataRequestContext context)

{

    var subjectId = context.Subject.GetSubjectId();

    Guid.TryParse(subjectId, out Guid g);



    //whatever way or wherever you retrieve the claims from

    var claimsForUser = idRepo.GetUserClaimsBySubjectId(g);



    context.IssuedClaims = claimsForUser.Select(c => 

        new Claim(c.ClaimType, c.ClaimValue)).ToList();



    return Task.FromResult(0);

}

As explained here, an id token should pretty much only have a sub claim - that's what the userinfo endpoint is for.

share|improve this answer

answered Nov 23 '18 at 8:04

Wim OmbeletsWim Ombelets

3,66023245

add a comment | 

0

The simple fact that the client application is prompting you for the email scope only means, that the scope was allowed in IdentityServer and requested on the client end but not necessarily that this information is being retrieved.

The magic is in the GetProfileDataAsync method of your IProfileService implementation.

This profile service is where you retrieve whatever claims you'd like and add them to the ProfileDataRequestContext.

public Task GetProfileDataAsync(ProfileDataRequestContext context)

{

    var subjectId = context.Subject.GetSubjectId();

    Guid.TryParse(subjectId, out Guid g);



    //whatever way or wherever you retrieve the claims from

    var claimsForUser = idRepo.GetUserClaimsBySubjectId(g);



    context.IssuedClaims = claimsForUser.Select(c => 

        new Claim(c.ClaimType, c.ClaimValue)).ToList();



    return Task.FromResult(0);

}

As explained here, an id token should pretty much only have a sub claim - that's what the userinfo endpoint is for.

share|improve this answer

answered Nov 23 '18 at 8:04

Wim OmbeletsWim Ombelets

3,66023245

add a comment | 

0

0

0

The simple fact that the client application is prompting you for the email scope only means, that the scope was allowed in IdentityServer and requested on the client end but not necessarily that this information is being retrieved.

The magic is in the GetProfileDataAsync method of your IProfileService implementation.

This profile service is where you retrieve whatever claims you'd like and add them to the ProfileDataRequestContext.

public Task GetProfileDataAsync(ProfileDataRequestContext context)

{

    var subjectId = context.Subject.GetSubjectId();

    Guid.TryParse(subjectId, out Guid g);



    //whatever way or wherever you retrieve the claims from

    var claimsForUser = idRepo.GetUserClaimsBySubjectId(g);



    context.IssuedClaims = claimsForUser.Select(c => 

        new Claim(c.ClaimType, c.ClaimValue)).ToList();



    return Task.FromResult(0);

}

As explained here, an id token should pretty much only have a sub claim - that's what the userinfo endpoint is for.

share|improve this answer

answered Nov 23 '18 at 8:04

Wim OmbeletsWim Ombelets

3,66023245

The simple fact that the client application is prompting you for the email scope only means, that the scope was allowed in IdentityServer and requested on the client end but not necessarily that this information is being retrieved.

The magic is in the GetProfileDataAsync method of your IProfileService implementation.

This profile service is where you retrieve whatever claims you'd like and add them to the ProfileDataRequestContext.

public Task GetProfileDataAsync(ProfileDataRequestContext context)

{

    var subjectId = context.Subject.GetSubjectId();

    Guid.TryParse(subjectId, out Guid g);



    //whatever way or wherever you retrieve the claims from

    var claimsForUser = idRepo.GetUserClaimsBySubjectId(g);



    context.IssuedClaims = claimsForUser.Select(c => 

        new Claim(c.ClaimType, c.ClaimValue)).ToList();



    return Task.FromResult(0);

}

As explained here, an id token should pretty much only have a sub claim - that's what the userinfo endpoint is for.

share|improve this answer

answered Nov 23 '18 at 8:04

Wim OmbeletsWim Ombelets

3,66023245

share|improve this answer

share|improve this answer

answered Nov 23 '18 at 8:04

Wim OmbeletsWim Ombelets

3,66023245

answered Nov 23 '18 at 8:04

Wim OmbeletsWim Ombelets

3,66023245

answered Nov 23 '18 at 8:04

Wim OmbeletsWim Ombelets

3,66023245

3,66023245

add a comment | 

add a comment | 

0

The problem was that i had only added it to the [IdentityResources] table.

This simply defines the different scopes. But it doesn't actually assign any data.

To do that i needed to add it to the [IdentityClaims] table.

As soon as i did this the data started being returned in the claims.

share|improve this answer

answered Dec 3 '18 at 12:51

DaImToDaImTo

45.7k1163245

add a comment | 

0

The problem was that i had only added it to the [IdentityResources] table.

This simply defines the different scopes. But it doesn't actually assign any data.

To do that i needed to add it to the [IdentityClaims] table.

As soon as i did this the data started being returned in the claims.

share|improve this answer

answered Dec 3 '18 at 12:51

DaImToDaImTo

45.7k1163245

add a comment | 

0

0

0

The problem was that i had only added it to the [IdentityResources] table.

This simply defines the different scopes. But it doesn't actually assign any data.

To do that i needed to add it to the [IdentityClaims] table.

As soon as i did this the data started being returned in the claims.

share|improve this answer

answered Dec 3 '18 at 12:51

DaImToDaImTo

45.7k1163245

The problem was that i had only added it to the [IdentityResources] table.

This simply defines the different scopes. But it doesn't actually assign any data.

To do that i needed to add it to the [IdentityClaims] table.

As soon as i did this the data started being returned in the claims.

share|improve this answer

answered Dec 3 '18 at 12:51

DaImToDaImTo

45.7k1163245

share|improve this answer

share|improve this answer

answered Dec 3 '18 at 12:51

DaImToDaImTo

45.7k1163245

answered Dec 3 '18 at 12:51

DaImToDaImTo

45.7k1163245

answered Dec 3 '18 at 12:51

DaImToDaImTo

45.7k1163245

45.7k1163245

add a comment | 

add a comment | 

Thanks for contributing an answer to Stack Overflow!

• Please be sure to answer the question. Provide details and share your research!

But avoid …

• Asking for help, clarification, or responding to other answers.


• Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Thanks for contributing an answer to Stack Overflow!

• Please be sure to answer the question. Provide details and share your research!

But avoid …

• Asking for help, clarification, or responding to other answers.


• Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53432356%2fid-token-does-not-contain-email-when-email-scope-is-requested%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

Name

Name

Email

Required, but never shown

Email

Required, but never shown

Email

Required, but never shown

Email

Required, but never shown

Name

Name

Email

Required, but never shown

Email

Required, but never shown

Email

Required, but never shown

Email

Required, but never shown

This page is only for reference, If you need detailed information, please check here