This repository has been archived by the owner on Jul 31, 2024. It is now read-only.

ID token missing in Resource Owner Credential Grant #4472

Closed
vaishnavkishan opened this issue Jun 5, 2020 · 4 comments

Comments


vaishnavkishan commented Jun 5, 2020

Question

I have implemented the IdentityServer4 with Microsoft Identity Core. I have also created a client with Resource Owner Credentials Grant. Everything works smoothly. But the /token endpoint does not return id_token in the response.

Minimal working example

Startup.cs

```csharp
var builder = services.AddIdentityServer()
    .AddInMemoryIdentityResources(Config.Ids)
    .AddInMemoryApiResources(Config.Apis)
    .AddInMemoryClients(Config.Clients)
    .AddAspNetIdentity<ApplicationUser>();
```

The client below is the one passed to the AddInMemoryClients() method:

```csharp
new Client
{
    ClientId = "resourceownerclient",
    AlwaysIncludeUserClaimsInIdToken = true,
    AllowedGrantTypes = GrantTypes.ResourceOwnerPasswordAndClientCredentials,
    AccessTokenType = AccessTokenType.Jwt,
    AccessTokenLifetime = 3600,
    IdentityTokenLifetime = 3600,
    UpdateAccessTokenClaimsOnRefresh = true,
    SlidingRefreshTokenLifetime = 30,
    AllowOfflineAccess = true,
    RefreshTokenExpiration = TokenExpiration.Absolute,
    RefreshTokenUsage = TokenUsage.OneTimeOnly,
    AlwaysSendClientClaims = true,
    Enabled = true,
    ClientSecrets = new List<Secret> { new Secret("dataEventRecordsSecret".Sha256()) },
    AllowedScopes = {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        IdentityServerConstants.StandardScopes.Email,
        IdentityServerConstants.StandardScopes.OfflineAccess,
        "api1"
    }
}
```

Below is an example of the response I receive:

```json
{
    "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IncxN01wQTRBa1dIc09ZNDhhTUJKOHciLCJ0eXAiOiJhdCtqd3QifQ.eyJuYmYiOjE1OTEzNDgwMTksImV4cCI6MTU5MTM1MTYxOSwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzMDgiLCJhdWQiOiJhcGkxIiwiY2xpZW50X2lkIjoicmVzb3VyY2Vvd25lcmNsaWVudCIsInN1YiI6ImJjMjFlMDU2LWM4YmUtNGVhOS04MWI1LTU5NTAxZmE3MTU0MCIsImF1dGhfdGltZSI6MTU5MTM0ODAxOCwiaWRwIjoibG9jYWwiLCJuYW1lIjoicHJvLmtpc2hhbjE2QGdtYWlsLmNvbSIsImVtYWlsIjoicHJvLmtpc2hhbjE2QGdtYWlsLmNvbSIsInNjb3BlIjpbImVtYWlsIiwib3BlbmlkIiwiYXBpMSJdLCJhbXIiOlsicHdkIl19.OdwdyQKHPYGevIltw4zsilUSheHoPh-2q_OgVMYdG19khLDEaeNLlluEsXrhfmPxcrrzWdAHXCUDa0HEfezlVRio0lvcLfrWMy_7yrCcDm5WSMdl6OeW6Xw4Fw78wnvYtUMdBM3QqwdxLdBjeoQbqvQhF7ovHv9NkG7bMpQIMGMgPPkGjrfb1OcuFiLa5Ba6tM7eL3Tjx4Z58k28rKnzu9cFIcd6jhKnaDFS2H01h8x8FGyLupTuLZBIZU-fUQuuT9SijB7lxtFUrC-ben_PFZhrYr7tuWUAnPVFTKZHGCPXkhOdWFu2n5J7iy-ZDZmJmnUdh_vGOXKahszeHrzUyw",
    "expires_in": 3600,
    "token_type": "Bearer",
    "scope": "api1 email openid"
}
```

I do get a response from /userinfo endpoint.

In my research, I found an issue that indicates that id_token is not supported in IdentityServer.
Here's the excerpt from it (IdentityServer/IdentityServer3#3621):

In version 2.6.0 id_token in response from refresh token request was added (in #3458). I think this should be at least disabled by default or removed because now it is not possible to get id token in password grant but with refresh_token grant I receive id token whether I want it or not.

I do get an id_token when a refresh token request is performed, so the issue mentioned in IdentityServer3 is still there. Below is an example of the refresh_token response:

```json
{
    "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IncxN01wQTRBa1dIc09ZNDhhTUJKOHciLCJ0eXAiOiJKV1QifQ.eyJuYmYiOjE1OTEzNDk2NTEsImV4cCI6MTU5MTM1MzI1MSwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzMDgiLCJhdWQiOiJyZXNvdXJjZW93bmVyY2xpZW50IiwiaWF0IjoxNTkxMzQ5NjUxLCJhdF9oYXNoIjoiMDFpTUFEbXo1RlZXRTNVREJrS1hMQSIsInN1YiI6ImJjMjFlMDU2LWM4YmUtNGVhOS04MWI1LTU5NTAxZmE3MTU0MCIsImF1dGhfdGltZSI6MTU5MTM0OTYyNSwiaWRwIjoibG9jYWwiLCJlbWFpbCI6InByby5raXNoYW4xNkBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImFtciI6WyJwd2QiXX0.d_4pKQlD43LfXxkzIjcva7ynGcifuZ9SFyzytDS0zV29w6HcAEXqbsZgEsJHQmATrwCFC9_7CCLzc2cJdD5AvWaSxZkoN0W5phB0j3BZptco2Qwtw4mnSIbRQTe6qBvWtyhkAWc3s92QhiVnLkojNTC2p5pE51Ffa3XnA-8WSssiIbalPOAgaFJvriqHU7RAE4uR-kiyzlBVQLb-mLgAnUk55PjQ_oEr9AVZPKvb97vO6XTQUw2a4MfkFNPrus3sstA-YlOZDcYVMocBcVNmOBqFMUIONO2WS4jrO0QSedxFn0H4HHZqr0Q7Q8wZKVqT-8L6Fn52XbVnhvP89eS9hw",
    "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IncxN01wQTRBa1dIc09ZNDhhTUJKOHciLCJ0eXAiOiJhdCtqd3QifQ.eyJuYmYiOjE1OTEzNDk2NTEsImV4cCI6MTU5MTM1MzI1MSwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzMDgiLCJhdWQiOiJhcGkxIiwiY2xpZW50X2lkIjoicmVzb3VyY2Vvd25lcmNsaWVudCIsInN1YiI6ImJjMjFlMDU2LWM4YmUtNGVhOS04MWI1LTU5NTAxZmE3MTU0MCIsImF1dGhfdGltZSI6MTU5MTM0OTYyNSwiaWRwIjoibG9jYWwiLCJuYW1lIjoicHJvLmtpc2hhbjE2QGdtYWlsLmNvbSIsImVtYWlsIjoicHJvLmtpc2hhbjE2QGdtYWlsLmNvbSIsInNjb3BlIjpbIm9wZW5pZCIsImVtYWlsIiwiYXBpMSIsIm9mZmxpbmVfYWNjZXNzIl0sImFtciI6WyJwd2QiXX0.lIcozEenNULLB9jc1kz-VFULXwk1u-IhDPshJ2XtiRjGrcwD773J8Mr1ULLOKlLZ8ZtHi1UHh9IQQzMztmm-VrgtRlEycl3zbjjasV6ajsp82wuKZKnJiDdPoaQN1P-zte29bvu6Jr7Q2diMx-FwX2YjRTktvwyEhtE-bHPRHr_pwFjRzSAgKZUgJPUZf1XzlCn_n7ZA7S5gW0W5xQHQUHvbJ21G5m2880FqR4qOISSG2rNDMoVurAbMlnGrsppd2lr5aiveAoXotG3bTLTnjHelflUWxS18mRZ2EjtF3hA5v3qTyUaZLBr4QKPSeBwCkN7fZ9g1sUEU4vIl_SbS-w",
    "expires_in": 3600,
    "token_type": "Bearer",
    "refresh_token": "LhDWfudUyBGGZMclyxyVp3bdRbIMRMmy1HjUh_ZWfiQ",
    "scope": "email openid api1 offline_access"
}
```

Can anyone point me to that in the documentation, and if this is possible, help me solve it?

@leastprivilege (Member) commented

Resource owner flow

a) is part of OAuth and not OpenID Connect. Thus it does not return an identity token. You can use the userinfo endpoint with the access token to return the claims instead.

b) is deprecated as of OAuth 2.1 (soon)
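The distinction in the answer above, as an added example that is not part of the issue or of IdentityServer4: the password grant hands back an access token addressed to the API (`typ` header `at+jwt`, `aud` `api1`), not an identity token (`typ` `JWT`, `aud` equal to the client id, `at_hash` present). The helper below decodes the two token shapes seen in the issue without verifying signatures (a real client must verify them) and decides whether user claims come from an `id_token` or must be fetched from the userinfo endpoint; the tokens, key id, subject and e-mail are constructed placeholders.

```python
import base64
import json

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _mint(header: dict, payload: dict) -> str:
    # Constructed token; the signature segment is a placeholder, never checked here.
    return f"{_b64url(header)}.{_b64url(payload)}.placeholder-signature"

# Shapes mirror the issue's responses: the password-grant access token (at+jwt, aud api1)
# and the id_token seen only on the refresh response (JWT, aud = client id, at_hash).
ACCESS_TOKEN = _mint(
    {"alg": "RS256", "kid": "constructed-kid", "typ": "at+jwt"},
    {"iss": "https://localhost:44308", "aud": "api1", "client_id": "resourceownerclient",
     "sub": "constructed-sub", "scope": ["email", "openid", "api1"], "amr": ["pwd"]},
)
ID_TOKEN = _mint(
    {"alg": "RS256", "kid": "constructed-kid", "typ": "JWT"},
    {"iss": "https://localhost:44308", "aud": "resourceownerclient", "sub": "constructed-sub",
     "at_hash": "constructed-hash", "email": "user@example.test", "amr": ["pwd"]},
)

def decode_unverified(token: str) -> tuple:
    """Split a compact JWS and decode header and payload WITHOUT signature verification."""
    header_b64, payload_b64, _sig = token.split(".")
    def pad(s: str) -> str:
        return s + "=" * (-len(s) % 4)
    return (json.loads(base64.urlsafe_b64decode(pad(header_b64))),
            json.loads(base64.urlsafe_b64decode(pad(payload_b64))))

def is_identity_token(token: str, client_id: str) -> bool:
    """True only for an OIDC identity token: typ is not at+jwt and aud is this client."""
    header, claims = decode_unverified(token)
    aud = claims.get("aud")
    aud_ok = aud == client_id or (isinstance(aud, list) and client_id in aud)
    return header.get("typ", "JWT").lower() != "at+jwt" and aud_ok

def claims_source(token_response: dict, client_id: str) -> str:
    """Where a client must read user claims from, following the maintainer's advice."""
    id_token = token_response.get("id_token")
    if id_token and is_identity_token(id_token, client_id):
        return "id_token"
    # Resource owner password is plain OAuth: no id_token. Do not mine the access token
    # for identity (it is addressed to api1); present it to /userinfo instead.
    return "userinfo"
```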

@vaishnavkishan (Author) commented

Thanks @leastprivilege for the clarification. I did not find that information in the documentation. Can you link me there? I need to provide this info to my manager.

Another question. If the Resource Owner Credential Grant is deprecated, then which approach should be selected for a native experience? I know you will suggest Authorization Code, but it's not good UX.

Every authentication server provides a native experience in its own apps, e.g. GitHub, Google, Facebook, etc.

Which authentication grant do they use, or which should I use?


stale bot commented Jun 19, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Questions are community supported only and the authors/maintainers may or may not have time to reply. If you or your company would like commercial support, please see here for more information.

@stale stale bot added the wontfix label Jun 19, 2020
@stale stale bot closed this as completed Jun 26, 2020

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 26, 2020