I'm following the Using OAuth to Secure Your ASP.NET API course on Pluralsight. I've set up IdentityServer with a number of InMemoryUsers, one of which looks like this...

using System.Collections.Generic;
using System.Security.Claims;
using IdentityServer3.Core;                    // Constants.ClaimTypes
using IdentityServer3.Core.Services.InMemory;  // InMemoryUser

public static class Users
{
    // In-memory test users for IdentityServer; the extra Claims are what I expect to see in the API.
    public static List<InMemoryUser> Get()
    {
        return new List<InMemoryUser>
        {
            new InMemoryUser
            {
                Username = "[email protected]",
                Password = "password",
                Subject = "[email protected]",
                Claims = new[]
                {
                    new Claim(Constants.ClaimTypes.Id, "96cddc1de66641829237b7f09869b1c8"),
                    new Claim(Constants.ClaimTypes.Name, "Some Full name example")
                }
            },
        };
    }
}

If I authorise the user and use the supplied access token to call the API, the claims collection, for that user, looks like this ...

((User as System.Security.Claims.ClaimsPrincipal).Identities.First() as System.Security.Claims.ClaimsIdentity).Claims.ToList()
Count = 10
    [0]: {iss: https://localhost:44375}
    [1]: {aud: https://localhost:44375/resources}
    [2]: {exp: 1468920204}
    [3]: {nbf: 1468916604}
    [4]: {client_id: my_clientid}
    [5]: {scope: openid}
    [6]: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: [email protected]}
    [7]: {http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant: 1468916604}
    [8]: {http://schemas.microsoft.com/identity/claims/identityprovider: idsrv}
    [9]: {http://schemas.microsoft.com/claims/authnmethodsreferences: password}

If I drop the access key that I'm using into the debugger at jwt.io I get this...

{
  "iss": "https://localhost:44375",
  "aud": "https://localhost:44375/resources",
  "exp": 1468921471,
  "nbf": 1468917871,
  "client_id": "my_clientid",
  "scope": "openid",
  "sub": "[email protected]",
  "auth_time": 1468917871,
  "idp": "idsrv",
  "amr": [
    "password"
  ]
}

I'm unclear what it is I'm doing, or not doing, that is stopping the Claims that are defined from being returned.

Any ideas?

1 Answer

You are hitting the default behaviour of Microsoft's JWT token handler.

Microsoft thinks it knows what claim types are best for you so they do you a favour and change them on the fly (so they think).

You can either accept that, or turn that behaviour off by calling this beautiful piece of code somewhere (e.g. in startup):

JwtSecurityTokenHandler.InboundClaimTypeMap.Clear();

3 Comments

I've added that to the very top of the Configuration method of the Startup class in the IdentityServer Project but to no avail. Stepping through my code I note that the Claims I'm expecting are all in the collection when I'm handling the AuthenticateLocalAsync method in my user service (since posting the original question, I have moved away from InMemoryUsers)
Added it to the top of the Configuration method of the Startup class in my API project and it worked!
In the current version of AspNet Core this has changed to JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
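As an added example (this is not code from the question, the answer or the course), the following console program mints a token that carries the short claim names seen in the jwt.io output above, validates it with JwtSecurityTokenHandler, and prints the claim types before and after clearing the map, so you can see exactly which renaming the answer is talking about. It assumes the System.IdentityModel.Tokens.Jwt 5.x package, where the static map is DefaultInboundClaimTypeMap as the last comment notes (on the 4.x package in the original question the static member is InboundClaimTypeMap); the signing key, issuer, audience and claim values are constructed for the demo.

```csharp
// Added example: how the Microsoft JWT handler renames inbound claim types,
// and what clearing the map does. Assumes System.IdentityModel.Tokens.Jwt 5.x.
// Key, issuer, audience and claim values below are constructed for the demo.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class InboundClaimMapDemo
{
    private const string Issuer = "https://localhost:44375";
    private const string Audience = "https://localhost:44375/resources";

    // Demo-only key; HS256 needs at least 256 bits of key material.
    private static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-only-signing-key-0123456789abcdef"));

    // Mint a token whose payload uses the short JWT names ("sub", "amr") plus
    // one custom claim ("id") that is not in the handler's inbound map.
    public static string CreateToken()
    {
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: new[]
            {
                new Claim("sub", "[email protected]"),
                new Claim("amr", "password"),
                new Claim("id", "96cddc1de66641829237b7f09869b1c8"),
            },
            expires: DateTime.UtcNow.AddHours(1),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));

        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Validate signature, issuer, audience and lifetime, then return the claim
    // types exactly as the handler hands them to the ClaimsPrincipal.
    public static string[] ClaimsAfterValidation(string jwt, JwtSecurityTokenHandler handler)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = Key,
        };

        ClaimsPrincipal principal = handler.ValidateToken(jwt, parameters, out SecurityToken _);
        return principal.Claims.Select(c => $"{c.Type}: {c.Value}").ToArray();
    }

    public static void Main()
    {
        string jwt = CreateToken();

        // 1. Default behaviour: a new handler copies DefaultInboundClaimTypeMap into
        //    its own InboundClaimTypeMap, so "sub" comes out as
        //    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier and
        //    "amr" as http://schemas.microsoft.com/claims/authnmethodsreferences.
        //    "id" is not in the map, so it keeps its name.
        Console.WriteLine("With the default inbound map:");
        foreach (var line in ClaimsAfterValidation(jwt, new JwtSecurityTokenHandler()))
            Console.WriteLine("  " + line);

        // 2. Turn the renaming off. Clearing the static default map affects every
        //    handler created afterwards, which is why it has to run in the API's
        //    startup before the JWT middleware builds its handler. Clearing
        //    handler.InboundClaimTypeMap instead affects only that one instance.
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
        Console.WriteLine("With the inbound map cleared:");
        foreach (var line in ClaimsAfterValidation(jwt, new JwtSecurityTokenHandler()))
            Console.WriteLine("  " + line);   // "sub", "amr" and "id", as issued
    }
}
```

The second run is what the API sees once the Clear() call is in the API project's startup, which matches the comment above that adding it to the IdentityServer project had no effect: the renaming happens on the validating side, when the access token is parsed, not when it is issued.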
