Using IdentityServer 4 (4.1.2), I've added a class implementing the IProfileService interface. The method GetProfileDataAsync is supposed to be called several times (for each token), but my method is only called for the Access Token (ClaimsProviderAccessToken).

  public class LocalUserProfileService : IProfileService
  {
    private readonly IIdentityProviderUserService _identityProviderUserService;

    public LocalUserProfileService(IIdentityProviderUserService identityProviderUserService)
    {
      _identityProviderUserService = identityProviderUserService ??
        throw new ArgumentNullException(nameof(identityProviderUserService));
    }
    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
      var subjectId = context.Subject.GetSubjectId();
      var claims = (await _identityProviderUserService.GetUserClaimsBySubjectAsync(subjectId)).ToList();
      
      Debug.WriteLine($"Adding claims to {context.Caller}");
      context.IssuedClaims.AddRange(claims);
      
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
      var subjectId = context.Subject.GetSubjectId();
      context.IsActive = await _identityProviderUserService.IsUserActiveAsync(subjectId);
    }
  }

I could manage to only use my access token to get the custom claims, but I would like to know why the code is not called for the identity_token as I prefer to have the claims in both tokens.

CodePudding user response：

Have you set the AlwaysIncludeUserClaimsInIdToken flag to true? Otherwise the claims for the ID-token will be provided through the UserInfo endpoint instead.

A common way to reduce the size of the ID-token is to not include all the claims in the ID-token. Large tokens will also result in large session cookies. By default, the tokens are stored inside the session cookie.