<p><strong>When generating authorization codes, refresh tokens and device/user codes</strong> from the <code>ClaimsPrincipal</code> specified during a sign-in operation,
<strong>OpenIddict automatically copies all the claims to the resulting codes/tokens</strong>. This is a safe operation because these tokens are always encrypted
and can't be read by anyone but OpenIddict itself (the user or the client application that requested them cannot read their content).</p>
<p><strong>For access and identity tokens, things work differently</strong>, as these tokens are meant to be read by different parties:</p>
<ul>
<li>Client applications have full access to the claims contained in the identity tokens they receive.</li>
<li>Resource servers are expected to be able to read the claims contained in the access tokens used in API calls.</li>
<li>With desktop, mobile or browser-based applications, it's generally not hard for users to access identity tokens
(e.g. by intercepting the HTTP response using Fiddler, by using the browser developer tools or by dumping the memory of the client process).</li>
<li>If access token encryption was explicitly disabled, it's possible for the client applications or the users themselves
to read the content of access tokens (e.g. by copying the token payload and decoding it with a tool like <a href="https://jwt.io/">https://jwt.io/</a>).</li>
</ul>
<p>For these reasons, <strong>OpenIddict doesn't automatically copy the claims attached to a <code>ClaimsPrincipal</code> to access or identity tokens</strong>
(except the <code>sub</code> claim, which is the only mandatory claim in OpenIddict). To allow OpenIddict to persist specific claims
to an access or identity token, a flag known as "claim destination" must be added to each <code>Claim</code> instance you want to expose.</p>
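<p>The following helper, added here as an illustration and not taken from the OpenIddict samples, shows one way to decide the destinations claim by claim: each claim is mapped to a set of destinations that depends on the scopes granted to the client (<code>principal.HasScope()</code>), sensitive internal claims are dropped from both tokens, and anything not explicitly allowed is kept out of the access and identity tokens (it is still preserved in the encrypted authorization code and refresh token). The class and method names (<code>ClaimDestinations</code>, <code>GetDestinations</code>, <code>ApplyDestinations</code>) are assumptions for this example; the constants and extension methods come from <code>OpenIddict.Abstractions</code>.</p>

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using OpenIddict.Abstractions;
using static OpenIddict.Abstractions.OpenIddictConstants;

// Added example (not part of the original page or of the OpenIddict samples).
// Assumption: the principal passed in already carries the granted scopes
// (set earlier via principal.SetScopes(...)).
public static class ClaimDestinations
{
    // Returns the tokens a single claim may be copied to. Yielding nothing
    // keeps the claim out of both the access and the identity token.
    public static IEnumerable<string> GetDestinations(Claim claim, ClaimsPrincipal principal)
    {
        switch (claim.Type)
        {
            case Claims.Name:
                // The name is needed by resource servers; it only reaches the
                // identity token when the client was granted the "profile" scope.
                yield return Destinations.AccessToken;
                if (principal.HasScope(Scopes.Profile))
                {
                    yield return Destinations.IdentityToken;
                }
                yield break;

            case Claims.Email:
                yield return Destinations.AccessToken;
                if (principal.HasScope(Scopes.Email))
                {
                    yield return Destinations.IdentityToken;
                }
                yield break;

            case Claims.Role:
                yield return Destinations.AccessToken;
                if (principal.HasScope(Scopes.Roles))
                {
                    yield return Destinations.IdentityToken;
                }
                yield break;

            // Default claim type used by ASP.NET Core Identity for the security stamp:
            // never expose it to clients or resource servers.
            case "AspNet.Identity.SecurityStamp":
                yield break;

            default:
                // Conservative default: unknown claims stay out of both tokens.
                // Note that "sub" is copied by OpenIddict regardless of destinations.
                yield break;
        }
    }

    // Applies the destination logic to every claim of the principal, to be
    // called right before SignIn(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme, ...).
    public static void ApplyDestinations(ClaimsPrincipal principal)
    {
        foreach (var claim in principal.Claims)
        {
            claim.SetDestinations(GetDestinations(claim, principal));
        }
    }
}
```

<p>With this helper in place, a client granted only <code>openid</code> receives an identity token that contains <code>sub</code> but no name, e-mail or roles, while the access token still carries those claims for the resource servers. Reviewing the <code>default</code> branch is the important check: switching it to <code>yield return Destinations.AccessToken;</code> (as some samples do) exposes every claim on the principal to whoever can read the access token, which, per the list above, includes the client and the user once access token encryption is disabled.</p>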
<div class="NOTE"><h5>Note</h5><p>To attach one or multiple destinations to a claim, use the <code>claim.SetDestinations()</code> extension defined in <code>OpenIddict.Abstractions</code>.
In the typical case, granted scopes can be used to determine what claims are allowed to be copied to access and identity tokens, as in this example:</p>
</div>
<pre><code class="lang-csharp">var principal = await _signInManager.CreateUserPrincipalAsync(user);
// Note: in this sample, the granted scopes match the requested scope
// but you may want to allow the user to uncheck specific scopes.
// For that, simply restrict the list of scopes before calling SetScopes().