Identity Server - Adding Custom Claims

by Malav Dhalgara

Scenario

You need to add custom claim(s) as part of the end-users sign-in experience that will drive certain business logic for the application that is requesting access. Let's take a look at how you go about adding claim(s) to Identity Server below.

Overview

The claim is a critical piece of information in any kind of Identity Management solution. You will eventually find yourself in this territory when you are working with Identity Management solution whether it's a user claim, client claim, role claim, or scope claim. A user claim is self-explanatory. It's really any kind of information that pertains to the user in question, and in most cases will persist until user signs out of the application. Let's quickly take a look at how this is done in Identity Server.

Solution

The first step is to create a class that inherits from ClaimsIdentityFactory that is packaged with Identity Server.

public class CustomClaimProvider : ClaimsIdentityFactory<TUser, TId>
{
    public override async Task<ClaimsIdentity> CreateAsync(UserManager<TUser, TId> manager, TUser user, string authenticationType)
    {
        //let's execute base method first.
        var identity = await base.CreateAsync(manager, user, authenticationType).ConfigureAwait(false);

        if (manager.SupportsUserClaim)
        {
            //create list of claims
            var claims = new List<Claim> {
                new Claim(IdentityServer3.Core.Constants.ClaimTypes.Subject, user.Id.ToString()),
                new Claim(IdentityServer3.Core.Constants.ClaimTypes.PreferredUserName, user.UserName)
                //add any other custom claim(s) here (e.g. address, phone number, etc.)
            };

            //add all the claims
            identity.AddClaims(claims);
        }
}

Second, register the custom claim(s) provider that we just created above to the provided factory as an instance per Http Request object. This will essentially invoke and populate custom claims for a given user each time we get an authentication request to our Identity Server solution.

public static class IdentityServerServiceFactoryExtensions
{
    public static void ConfigureServices(this IdentityServerServiceFactory factory)
    {
        factory.Register(new Registration<IClaimsIdentityFactory<TUser, TId>, CustomClaimProvider> 
        { 
            Mode = RegistrationMode.InstancePerHttpRequest 
        });
    }
}