I can authenticate to my ASP.NET Core 2.2 web api using a JWT but the Name property of the Identity is null.

The claim is there, though.

Here's the JWT which is decomposed:

```json
{
  "id": "1-A",
  "name": "Pure Krome",
  "email": "<snip>",
  "picture": "https://<snip>",
  "locale": "en-au",
  "permissions": [
    <snip>
  ],
  "iss": "<snip>",
  "sub": "google-oauth2|<snip>",
  "aud": "<snip>",
  "exp": 1597609078,
  "iat": 1496325742
}
```

and here's what the server is seeing:

also .. it seems to "recognise" my email claim, though? (note: I've just obfuscated the real email value)

So I thought name isn't a recognised claim .. so I tried seeing if there's some standard rules for this and found IANA has a list of reserved and custom claims. name is the first one for custom claims.

Is there some trick I need to do to get ASP.NET Core security to recognise my name claim as NameClaimType ?

Why does email claim get recognised?

Pure.Krome
  • Without reading all the details (not much time right now), I remember an older case: https://stackoverflow.com/questions/41830898/usejwtbearerauthentication-does-not-get-user-identity-name-populated/41831919#41831919 , does this help? – jps Jul 02 '19 at 12:15
  • You can set NameClaimType on the authentication scheme through its validation settings AFAIK. It's expecting a different claim type now. – juunas Jul 02 '19 at 12:19
  • @juunas >It's expecting a different claim type now. Do you have some extra info to explain what you are suggesting? – Pure.Krome Jul 02 '19 at 12:23
  • You can set like: `.AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters { NameClaimType = "name" })`. That'll change which claim it uses to populate the name. – juunas Jul 02 '19 at 12:25
  • Ok wow - that worked @juunas! Post that as an answer please. Also, why did that work when the "default" settings, doesn't? weird that "email" claim is found, but not name ?? – Pure.Krome Jul 02 '19 at 12:35
  • There's a set of mappings from JWT claims to the MS claims [here](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.cs#L50). As you can see, there's a mapping from `email` but not from `name`, which is why one works but the other doesn't. You'll also see that `unique_name` is what's mapped to that more verbose version of the `name` claim. – Kirk Larkin Jul 02 '19 at 13:29
  • @KirkLarkin oh wow! that's a great find! And... why the hell is this JWT class under an ActiveDirectory repo? oh wow ... there's so many AD specific claims, also :/ Finally, is `unique_name` a common naming convention for this claim? or is `name` the claim used, more commonly? Is this doc'd anywhere? I thought my IANA doc (https://www.iana.org/assignments/jwt/jwt.xhtml) was the suggested standard .. which I thought would be the common way for things? – Pure.Krome Jul 03 '19 at 02:14
  • Also to note @KirkLarkin the link you provided was to `SYSTEM.IdentityModel.Tokens.Jwt` .. which I'm not using. I'm using `MICROSOFT.IdentityModel.Tokens`. – Pure.Krome Jul 03 '19 at 03:13
  • I don't know why it's `unique_name`, but I've only ever seen `name` used "in the wild". There's a lot of history and legacy around all of this stuff. [This GitHub issue](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/550) might shed some light on it. Although it might be confusing, the source code link I posted is correct if you're using `AddJwtBearer`. You can verify this by following the source code and its chain of dependencies. I can't explain all of that in a comment and you already have a valid answer. :) – Kirk Larkin Jul 03 '19 at 08:45

1 Answer

It's expecting a different claim type than what you have. You can set like:

```csharp
.AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters
{
    NameClaimType = "name"
})
```

That'll change which claim it uses to populate the name.

juunas
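A model of the behaviour described in the comments and the answer, as an added example that is not part of the original thread or the library's own code. `InboundMap` is a constructed three-entry subset of the mapping, `Build` is a hypothetical helper, and the e-mail and `sub` values are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class NameClaimDemo
{
    // Constructed three-entry subset of the handler's inbound claim map
    // (the ClaimTypeMapping.cs linked in the comments): short JWT names on
    // the left, long Microsoft claim URIs on the right. "name" has no entry.
    static readonly Dictionary<string, string> InboundMap = new Dictionary<string, string>
    {
        ["email"] = ClaimTypes.Email,
        ["unique_name"] = ClaimTypes.Name,
        ["sub"] = ClaimTypes.NameIdentifier,
    };

    // Hypothetical helper: renames mapped claim types, passes the rest through,
    // and builds the identity with the given NameClaimType.
    static ClaimsIdentity Build(IEnumerable<KeyValuePair<string, string>> payload, string nameClaimType)
    {
        var claims = payload.Select(p =>
            new Claim(InboundMap.TryGetValue(p.Key, out var mapped) ? mapped : p.Key, p.Value));
        return new ClaimsIdentity(claims, "Bearer", nameClaimType, ClaimsIdentity.DefaultRoleClaimType);
    }

    public static void Main()
    {
        // Constructed payload shaped like the token in the question.
        var payload = new[]
        {
            new KeyValuePair<string, string>("name", "Pure Krome"),
            new KeyValuePair<string, string>("email", "user@example.test"),
            new KeyValuePair<string, string>("sub", "google-oauth2|0000"),
        };

        // Default: Identity.Name looks for ClaimTypes.Name, which no claim carries.
        var byDefault = Build(payload, ClaimsIdentity.DefaultNameClaimType);
        Console.WriteLine(byDefault.Name ?? "(null)");
        Console.WriteLine(byDefault.FindFirst(ClaimTypes.Email)?.Value);
        Console.WriteLine(byDefault.FindFirst("name")?.Value);

        // With NameClaimType = "name", as in the answer.
        var configured = Build(payload, "name");
        Console.WriteLine(configured.Name);
    }
}
```

Under the default, anything that keys audit records or authorization checks on `User.Identity.Name` sees null even though the token validated and the `name` claim is present.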