Automatically add user roles to access and identity tokens

11 years ago · 5f74ef3225
3 changed files with 21 additions and 3 deletions
--- a/src/OpenIddict.Core/OpenIddictManager.cs
+++ b/src/OpenIddict.Core/OpenIddictManager.cs
@ -46,6 +46,9 @@ namespace OpenIddict {
        }

        public virtual async Task<string> FindClaimAsync(TUser user, string type) {
+            // Note: GetClaimsAsync will automatically throw an exception
+            // if the underlying store doesn't support custom claims.
+
            return (from claim in await GetClaimsAsync(user)
                    where string.Equals(claim.Type, type, StringComparison.Ordinal)
                    select claim.Value).FirstOrDefault();
--- a/src/OpenIddict.Core/OpenIddictProvider.cs
+++ b/src/OpenIddict.Core/OpenIddictProvider.cs
@ -305,9 +305,12 @@ namespace OpenIddict {
            // don't include the "email" scope if the username corresponds to the registed email address.
            if (principal.HasClaim(OpenIdConnectConstants.Claims.Scope, OpenIdConnectConstants.Scopes.Profile)) {
                context.PreferredUsername = await manager.GetUserNameAsync(user);
-                context.FamilyName = await manager.FindClaimAsync(user, ClaimTypes.Surname);
-                context.GivenName = await manager.FindClaimAsync(user, ClaimTypes.GivenName);
-                context.BirthDate = await manager.FindClaimAsync(user, ClaimTypes.DateOfBirth);
+
+                if (manager.SupportsUserClaim) {
+                    context.FamilyName = await manager.FindClaimAsync(user, ClaimTypes.Surname);
+                    context.GivenName = await manager.FindClaimAsync(user, ClaimTypes.GivenName);
+                    context.BirthDate = await manager.FindClaimAsync(user, ClaimTypes.DateOfBirth);
+                }
            }

            // Only add the email address details if the "email" scope was present in the access token.
@ -420,6 +423,12 @@ namespace OpenIddict {
                identity.AddClaim(ClaimTypes.Email, email, destination: "id_token token");
            }

+            if (manager.SupportsUserRole) {
+                foreach (var name in await manager.GetRolesAsync(user)) {
+                    identity.AddClaim(identity.RoleClaimType, name, destination: "id_token token");
+                }
+            }
+
            context.Validate(new ClaimsPrincipal(identity));
        }
    }
--- a/src/OpenIddict.Mvc/OpenIddictController.cs
+++ b/src/OpenIddict.Mvc/OpenIddictController.cs
@ -142,6 +142,12 @@ namespace OpenIddict {
                identity.AddClaim(ClaimTypes.Email, email, destination: "id_token token");
            }

+            if (Manager.SupportsUserRole) {
+                foreach (var name in await Manager.GetRolesAsync(user)) {
+                    identity.AddClaim(identity.RoleClaimType, name, destination: "id_token token");
+                }
+            }
+
            // Note: AspNet.Security.OpenIdConnect.Server automatically ensures an application
            // corresponds to the client_id specified in the authorization request using
            // IOpenIdConnectServerProvider.ValidateClientRedirectUri (see OpenIddictProvider.cs).