Adding custom claims in the callback after an external IdP authenticates does not appear to emit these claims back to consuming app

[sanjeev-saxena-us]

I am running a .NET8 WebAPI service that includes IdentityServer v7.
Scenario:

1. User is redirected to external IdP
2. After external IdP successfully authenticates a user, my callback endpoint gets called
3. I add custom claims to the Principal in the callback

var result = await this._httpContextAccessor!.HttpContext!.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
if (!(result?.Succeeded ?? false))
{
    throw new Exception("External authentication error");
}

var identity = result.Principal.Identity as ClaimsIdentity;
if (some logic)
{
    identity!.AddClaim(new Claim("someClaim", "someClaimValue"));
}

5. User is returned to consuming app
6. In the OnTokenValidated event handler in the consuming app, the custom claims are not present

What could I be missing?
Thanks

Note: I am adding a different custom claim in another class that implements IProfileService and this claim is present in the OnTokenValidated event handler but logic in the callback handler cannot be included in the class that implements the IProfileService.

[RolandGuijt]

result.Principal here is the principal from the external auth provider. Further down in the callback method you are probably call HttpContext.SigninAsync. The principal you're passing into that method should contain the new claim since the principal from the external auth provider is not used moving forward.

[sanjeev-saxena-us]

Thanks @RolandGuijt , I had the HttpContext.SigninAsync(), however the custom claim types being created were 3 characters long and for some reason were not being emitted back. I changed the claim types to a longer value which worked. Do you know why the smaller length claim types were not being included?

[RolandGuijt]

Sorry, no. If you want to investigate this further can you please post the code relevant for the signin?

[sanjeev-saxena-us]

Hi @RolandGuijt,

Pulled the trigger a bit earlier; it is still not working; code snippet:

            var additionalLocalClaims = new List<Claim>();       
            additionalLocalClaims.Add(new Claim("SomeNewClaimType", "SomeNewClaimValue"));
            var identityServerUser = new IdentityServerUser(subjectId)
            {
                DisplayName = user?.UserName,
                IdentityProvider = scheme,
                AdditionalClaims = additionalLocalClaims,
            };
            var p = identityServerUser.CreatePrincipal();
            await this._httpContextAccessor.HttpContext.SignInAsync(p);
...
            var res = Results.Redirect(returnUrl);
            await res.ExecuteAsync(this._httpContextAccessor!.HttpContext);
            return res;

When the response comes back to the browser code, the collection of claims does not have the claim "SomeNewClaimType"

Thanks

[RolandGuijt]

Just checking: Is SomeNewClaimType part of the identity scopes requested by the client?

[sanjeev-saxena-us]

No, the example claim type is not part of the scope requested by the client. It is an example of a claim that is created by the service provider in the callback within the service.

I do want to point out that the in the class that implements IProfileService, in the GetProfileDataAsync() if said claim is added to the context.IssuedClaims (context is ProfileDataRequestContext), from the context.Subject.Claims then the example claim type is emitted back.

Is this the right approach?

[RolandGuijt]

Yes. RequestedClaims contains the claims that were requested by the client (using scopes). When implementing IProfileService, IssuedClaims should contain all the claims that have to be returned.

[sanjeev-saxena-us]

Great; thanks