This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Extending standard access token claims #818

Closed
alexeyauslender opened this issue Jan 25, 2015 · 12 comments

@alexeyauslender

I would like to extend access token claims. What is the right way to do it? I suppose that IClaimsProvider should be implemented.

@leastprivilege
Member

Configure the scope claims on the scope, and return the claims from the user service.

@alexeyauslender
Author

Thanks a lot for the quick answer. You mean that claims should be added to StandardScopes.cs?

@leastprivilege
Member

No, you create custom scopes.

@alexeyauslender
Author

One more question, Dominick. What if I would like to initialize this claim from the client? For example, we have a client credentials flow (a web site running under an anonymous user identity accessing a protected resource in order to create an entity) in which the client will pass the entity Id so that it becomes a token claim. My final target is to couple the token and the entity id and use this claim (entity id) as a parameter for the protected resource.
Thanks a lot for your attention.

@leastprivilege
Member

The client has a claims collection that you can use to add arbitrary claims to a client (at configuration time).

I don't see "entity id" ever becoming a claim; it is rather part of the API call payload.

@alexeyauslender
Author

The main difficulty is that an anonymous user may create resources and connect assets to these resources, therefore I want to tie the access token to this resource id in order to avoid data compromise. Before the user is authenticated, the access token is issued for the web site, which means that the resource id might be changed and data might be compromised. What would be your advice to address this issue?

@leastprivilege
Member

I guess I don't understand the issue. If there is no user, then all you have is the client.

@alexeyauslender
Author

In our platform the end user may create an application and add different assets to this application without being authenticated.
From an architectural point of view, the Web Site accesses some Web API in order to create the application, and then the Web Site keeps accessing different Web APIs in order to add assets to the application (coupons, loyalty cards, etc.). All relations between application Id and assets are saved to the DB without a user id (the user doesn't exist at this stage).
At some stage the anonymous user would like to save her application, and in order to save the application she has to be authenticated (hybrid flow of Idsrv).
As I understand OAuth2 flows, while the user is anonymous I should use the client credentials flow, where the Web Site uses its client id and secret in order to get an access token from idsrv and access the Web APIs. So the main question is: how should I authorize requests to all these APIs which depend on the application id? I mean, should the application id be a part of the token? If I use the application Id as a parameter, it's possible to send a different application id and compromise data, because while the user is anonymous the access token will be the same (same client id and secret for the web site).
After studying your courses on Pluralsight, it feels to me that adding the application id as part of the token is mixing our business logic with authorization logic. Maybe I should create some anonymous user and get an identity token for this user in order to correlate the access token to the identity token.
I apologize for the long explanation, but I really want to find the right solution without compromising architecture and security.

@leastprivilege
Member

Sorry, I still don't get it; I am missing the full context. Maybe you need consulting, something I can't do over the issue tracker. In any case, you have full control over the token contents in IClaimsProvider.
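The three mechanisms Dominick names in this thread (claims declared on a custom scope, the client's claims collection set at configuration time, and a custom IClaimsProvider as the final authority over token contents) are shown together below. This is an added example, not code from the issue or from the IdentityServer project; it assumes the IdentityServer3 package namespaces (`IdentityServer3.Core.*`) and the `DefaultClaimsProvider` / `ValidatedRequest` signatures of that release, and the scope name `assets.api`, the claim type `tenant`, the client id `website` and the secret placeholder are all made up for illustration.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.Core;                 // HashExtensions.Sha256()
using IdentityServer3.Core.Configuration;   // IdentityServerServiceFactory, Registration
using IdentityServer3.Core.Models;          // Scope, ScopeClaim, Client, Secret, Flows
using IdentityServer3.Core.Services;        // IClaimsProvider, IUserService
using IdentityServer3.Core.Services.Default;// DefaultClaimsProvider
using IdentityServer3.Core.Validation;      // ValidatedRequest

// 1. A custom resource scope (not StandardScopes) that carries claims.
//    When a token is issued for "assets.api", the listed claim types are
//    requested from IUserService and copied into the access token.
public static class Scopes
{
    public static IEnumerable<Scope> Get()
    {
        return new[]
        {
            new Scope
            {
                Name = "assets.api",                 // hypothetical scope name
                DisplayName = "Assets API",
                Type = ScopeType.Resource,
                Claims = new List<ScopeClaim>
                {
                    new ScopeClaim("role"),
                    new ScopeClaim("tenant")         // hypothetical claim type
                }
            }
        };
    }
}

// 2. The client's claims collection: fixed server-side at configuration time,
//    so a caller cannot choose these values per request.
public static class Clients
{
    public static IEnumerable<Client> Get()
    {
        return new[]
        {
            new Client
            {
                ClientId = "website",                // hypothetical client
                ClientName = "Anonymous web site",
                Flow = Flows.ClientCredentials,
                ClientSecrets = new List<Secret>
                {
                    new Secret("<client-secret-placeholder>".Sha256())
                },
                AllowedScopes = new List<string> { "assets.api" },
                Claims = new List<Claim> { new Claim("tenant", "acme") },
                // Emitted as "client_tenant" so a client claim can never be
                // mistaken for a user claim of the same type by an API.
                PrefixClientClaims = true
            }
        };
    }
}

// 3. A claims provider with the last word on what goes into the token.
//    It extends the default behaviour instead of replacing it.
public class CustomClaimsProvider : DefaultClaimsProvider
{
    public CustomClaimsProvider(IUserService users) : base(users) { }

    public override async Task<IEnumerable<Claim>> GetAccessTokenClaimsAsync(
        ClaimsPrincipal subject, Client client, IEnumerable<Scope> scopes, ValidatedRequest request)
    {
        var claims = (await base.GetAccessTokenClaimsAsync(subject, client, scopes, request)).ToList();

        // Everything added here is derived from server-side configuration.
        // request.Raw holds the caller-supplied form parameters; an id the
        // caller picks (the "entity id" of the thread) stays in the API payload
        // and is validated by the API, it is deliberately not copied into the token.
        if (scopes.Any(s => s.Name == "assets.api"))
        {
            claims.Add(new Claim("token_profile", "assets")); // hypothetical marker claim
        }

        return claims;
    }
}

// 4. Wiring it up in the service factory.
public static class Startup
{
    public static IdentityServerServiceFactory BuildFactory()
    {
        var factory = new IdentityServerServiceFactory()
            .UseInMemoryScopes(Scopes.Get())
            .UseInMemoryClients(Clients.Get());

        // Replace the default provider with the custom one.
        factory.ClaimsProvider = new Registration<IClaimsProvider, CustomClaimsProvider>();
        return factory;
    }
}
```

The split between the three places mirrors the advice in the thread: scope claims say which user claims a resource needs, the client claims collection pins values that belong to the calling application, and the claims provider is the one hook that can see the validated request and veto or add anything. Keeping caller-chosen identifiers out of all three and enforcing them at the API keeps the authorization server free of the business model.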

@alexeyauslender
Author

Is it OK to contact you on dominick.baier@thinktecture.com for consulting purposes?

@leastprivilege
Member

Sure. Just send me an email.


@apuchkov

Here's an example of how to add claims to an access token: http://stackoverflow.com/a/35539114/1689049
