8

As per the OpenID Connect specification, is the sub claim part of the openid scope or the profile scope? I could not find that information.

Update1
I am using IdentityServer3 for authentication. The client is making the request to the server as below. In the response I don't get the sub claim, which is required as per the OpenID Connect specification. However, the response does include http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier, which has the same value as sub. Is the nameidentifier the same as the sub claim?

Here is the client request

    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies"
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://localhost:44314/identity",
            Scope = "openid",                 // only the minimum OIDC scope is requested
            ClientId = "LocalHostMvcClient",
            RedirectUri = "http://localhost:34937/",
            ResponseType = "id_token",        // implicit flow, id_token only
            SignInAsAuthenticationType = "Cookies",
        });
    }

id_token response


Update 2
Based on the comments below I have updated the client's startup file:

    private void TurnOffMicrosoftJWTMapping()
    {
        //The long claim names come from Microsoft’s JWT handler trying to map some claim types to .NET’s ClaimTypes class types. 
        //We can turn off this behavior with the following line of code (in Startup).
        //This also means that we need to adjust the configuration for anti-CSRF protection to the new unique sub claim type:
        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Subject;
        JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
    }

and then call this method in the client's startup:

    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            TurnOffMicrosoftJWTMapping();

            //configure OpenIDConnect request here
        }
    }
Askolein
  • 3,250
  • 3
  • 28
  • 40
LP13
  • 30,567
  • 53
  • 217
  • 400

2 Answers

19

sub is a required claim of the id_token - and the openid scope is the required minimum scope to make an OpenID Connect authentication request. You can mix openid with other scopes - but openid must be present.

That's their relationship.

IdentityServer emits standard claim types (e.g. sub) according to:

https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims

It's the Microsoft JWT handler that turns these standard claims into Microsoft proprietary ones. You can turn this annoying behaviour off via:

    JwtSecurityTokenHandler.InboundClaimTypeMap.Clear();

leastprivilege
  • 18,196
  • 1
  • 34
  • 50
  • `sub` string - Identifier for the End-User at the Issuer. - so this can have any value ? – N Sharma Feb 06 '18 at 05:22
  • 2
    the signatures are changed but the Microsoft proprietary ones made me mad. The following saved my life: `System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear()` – Waqas Raja Oct 11 '18 at 15:32
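To make the relationship concrete, here is an added Python example (not code from the question or from either answer) that checks an ID Token payload for the claims OIDC Core requires regardless of which scopes were requested, and maps the .NET handler's nameidentifier claim type back to `sub` so application code can key on the subject either way. The unsigned token builder, the claim values and the `user-123` subject are constructed for the example; only the sub-to-nameidentifier mapping comes from the page.

```python
import base64
import json

# The Microsoft JWT handler renames `sub` to the .NET nameidentifier URI; this
# is the mapping observed on this page (the handler has other defaults too).
NET_CLAIM_TYPE_MAP = {"sub": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"}
REVERSE_MAP = {v: k for k, v in NET_CLAIM_TYPE_MAP.items()}
# Claims OIDC Core requires in every ID Token, whatever scopes were requested.
REQUIRED_ID_TOKEN_CLAIMS = ("iss", "sub", "aud", "exp", "iat")

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_unsigned_demo_token(claims):
    """Constructed sample only: an unsigned compact JWT carrying `claims`."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."

def decode_id_token_payload(id_token):
    """Payload of a compact JWT. No signature check: this inspects claim names
    only and never replaces full ID Token validation."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))

def normalize_claim_types(claims):
    """Map .NET claim type URIs back to the OIDC short names they replaced."""
    return {REVERSE_MAP.get(name, name): value for name, value in claims.items()}

def missing_required_claims(claims):
    present = normalize_claim_types(claims)
    return [c for c in REQUIRED_ID_TOKEN_CLAIMS if c not in present]

def subject(claims):
    """The stable user key: `sub`, whether or not the handler renamed it."""
    return normalize_claim_types(claims).get("sub")

# Constructed payload for the page's setup (Scope = "openid" only): no profile
# claims, yet `sub` is present because every ID Token must carry it.
OPENID_ONLY_CLAIMS = {
    "iss": "https://localhost:44314/identity", "aud": "LocalHostMvcClient",
    "sub": "user-123", "nonce": "n-0S6_WzA2Mj", "iat": 1468000000, "exp": 1468000300,
}
# The same claims as the .NET handler presents them before the map is cleared.
DOTNET_MAPPED_CLAIMS = {NET_CLAIM_TYPE_MAP.get(k, k): v for k, v in OPENID_ONLY_CLAIMS.items()}
```

Running `missing_required_claims` on both dictionaries returns an empty list, which is the point of the answer: `sub` is there with openid alone, the .NET handler merely shows it under a different name.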
2

Neither, it's just a required claim of the ID Token, whenever one is issued.

Pieter Ennes
  • 2,301
  • 19
  • 21
  • ok so after searching I found this discussion `https://github.com/IdentityServer/IdentityServer3.Samples/issues/173` IdentityServer3 will map `sub` claim to `nameidentifier` – LP13 Jul 21 '16 at 19:58