34

Using ASP.NET Core 2.2 and Identity Server 4 I have the following controller:

[HttpGet("posts"), Authorize]
public async Task<IActionResult> GetPosts() {

  var authenticated = this.User.Identity.IsAuthenticated;

  var claims = this.User.Identities.FirstOrDefault().Claims;

  var id = this.User.FindFirstValue(ClaimTypes.NameIdentifier);

}

I get all the claims but id is null ...

I checked all values in claims and I have a 'sub' claim with value 1.

Why is ClaimTypes.NameIdentifier not mapping to 'sub'?

Camilo Terevinto
  • 31,141
  • 6
  • 88
  • 120
Miguel Moura
  • 36,732
  • 85
  • 259
  • 481
  • 3
    Try setting this: JwtSecurityTokenHandler.DefaultMapInboundClaims = false; This is mostly to fix the fact the `sub` claim gets translated into the `nameidentifier` claim. – PmanAce Sep 18 '19 at 17:49
  • It didn't solve it ... id is still null. – Miguel Moura Sep 18 '19 at 18:00
  • It's a good question that's why I upvoted it (from -1 to 0 now) but your example is irrelavant to your question. If you see 'sub' in your claims, then FindFirstValue of "sub". – Daniel B Apr 19 '20 at 16:08

4 Answers4

34

  1. To not let Microsoft Identity to override claim names you have to use JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); just before the app.UseAuthentication() in the API startup.

  2. Use direct "sub" claim instead of ClaimThypes.NameIdentifier e.g. var id = this.User.FindFirstValue("sub");

For further reference please see detailed discussion on it: https://github.com/IdentityServer/IdentityServer4/issues/2968#issuecomment-510996164

Muhammad Umar
  • 1,357
  • 13
  • 14
11

I assume in OIDC configuration you have clear the inbound claim type map on the Microsoft JWT token handler with :

JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

You can then manually setting the claim type mapping for claim sub:

JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Add("sub", ClaimTypes.NameIdentifier);
Nan Yu
  • 26,101
  • 9
  • 68
  • 148
  • I tried your suggestion and is still null ... No idea what is going on ... – Miguel Moura Sep 19 '19 at 09:06
  • what if you delete this line : `JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();` – Nan Yu Sep 19 '19 at 13:24
  • With calling Clear I get the error `'System.ArgumentException' in System.Private.CoreLib.dll: 'An item with the same key has already been added. Key: sub'` – Miguel Moura Sep 19 '19 at 14:05
  • 1
    try delete this line : `JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();` , and also this one `JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Add("sub", ClaimTypes.NameIdentifier);` , delete both codes – Nan Yu Sep 20 '19 at 01:14
  • Thanks a lot...ur code add NameIdentifier claim type when DefaultInboundClaimTypeMap.Clear() fr some other issue – Ajt Aug 01 '20 at 10:22
7

The static string ClaimTypes.NameIdentifier has the following value: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

So no wonder it can't be used to look up the value of the sub claim.

If you know that the sub claim contains the user id, you can just do the lookup simply with the sub string.

ClaimTypes.NameIdentifier works for looking up the user id only in cases when the ClaimsPrincipal was created with the default inbound claim type mapping, which maps the sub claim to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier.

But even in such cases it's more appropriate to use userManager.Options.ClaimsIdentity.UserIdClaimType, because this is the actual value used in the original mapping (which defaults to ClaimTypes.NameIdentifier, but can be customized).

(But yes, this whole mapping is quite confusing, and there are a number of Github issues opened where even MS devs lament that this is an evil existing solely for legacy reasons.)

Leaky
  • 3,088
  • 2
  • 26
  • 35
0

Nan Yu's answer no longer works as of .NET 8 Preview 7. I think the idiomatic way to do it since then is to set JwtBearerOptions.MapInboundClaims to false in the call to AuthenticationBuilder.AddJwtBearer.


            services
                .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(jwtBearerOptions =>
                {
                    jwtBearerOptions.MapInboundClaims = false;
                });

Alternatively, in spirit of the old method, just change JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); to JsonWebTokenHandler.DefaultInboundClaimTypeMap.Clear();

See discussion in this GitHub issue.

Dominion
  • 1
  • 4