We're using IdentityServer4 for our IdentityServer and IdentityServer3 for the client (ASP.NET MVC 5).

Everything works (the User/Claimsprincipal is set correctly through OWIN) except I cannot get the access token from the User.

We're using a implicit client which has access to these scopes: openid, profile, testapi

Startup.cs:

app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
    Authority = identityServerUrl,
    RequiredScopes = new[] { "testapi" },
});
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "Cookies",
});
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    Authority = identityServerUrl,
    ClientId = "testclient",
    Scope = "openid profile testapi",
    RedirectUri = "http://localhost:49000/signin-oidc",
    ResponseType = "id_token token",
    SignInAsAuthenticationType = "Cookies",
});

Code to retrieve Access Token (inside one of the controllers):

var user = User as ClaimsPrincipal;
var token = user.FindFirst("access_token");

User is set correctly, but the token is null. I am guessing it is some kind of option that I am missing in the startup.cs, but which?

I found a solution that does exactly what I want - I'm putting it here for anyone else running into the problem. It costs a dependency on IdentityModel, but that is acceptable in my case:

In Startup.cs, I added:

Notifications = new OpenIdConnectAuthenticationNotifications
{
    AuthorizationCodeReceived = async n =>
    {
        var tokenClient = new TokenClient(identityServerUrl + "/connect/token", clientId, secret);
        var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(n.Code, n.RedirectUri);
        HttpContext.Current.Session[HttpUserContext.ACCESS_TOKEN] = tokenResponse.AccessToken;
    }
}

To the call to .UseOpenIdConnectAuthentication

I think a simpler solution is to use what is allready made availible:

        var options = new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = authorityUrl,
            PreserveAccessToken = true,                
        };

Then the access token is availible as a claim on the User principle.