
I have multiple claims being sent back in the profile scope. These claims include:

employeeType, mail, givenName

These accessToken claims are being automatically mapped to the same name. I would like to change the mapping as follows:

employeeType = EmployeeType

mail = Mail

givenName = FirstName

I tried using MapJsonKey() but it's not working. I also tried MapUniqueJsonKey(). I think these may only be used for userInfo claims?

    // First argument is the claim type to create, second is the JSON key to read.
    options.ClaimActions.MapJsonKey("EmployeeType", "employeeType");
    options.ClaimActions.MapJsonKey("FirstName", "givenName");
    // The JSON key must match the claim name exactly (case-sensitive): the token carries "mail", not "Mail".
    options.ClaimActions.MapJsonKey("Email", "mail");

Is there a way to map these to a different name, or do I have to delete the claims and add them to the Principal using the OnTokenValidated hook?

This is my authentication configuration in startup.

            services.AddAuthentication(options => {
                options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
                })
                .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, o =>
                {
                    o.Cookie.Name = "GCOWebCookie";
                    o.AccessDeniedPath = "/AccessDenied";
                })
                .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options => {
                    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                    options.Authority = config["OneId:Authority"];
                    options.ClientId = config["OneId:ClientId"];
                    options.ResponseType = "code";
                    options.ClientSecret = config["OneId:ClientSecret"];
                    options.SaveTokens = true;
                    //options.GetClaimsFromUserInfoEndpoint = true;
                    options.UsePkce = true;
                    //options.Scope.Add("profile"); These scopes are added by default
                    //options.Scope.Add("openid");
                });
Canolyb1

1 Answer


I would try to use this method instead:

    options.ClaimActions.MapUniqueJsonKey("EmployeeType", "employeeType");

What you have in the question above will only map the claims of the ID-token and transform them into the User object. AddOpenIdConnect does not do anything with the content of the access token. It never looks inside the access token.

AddJwtBearer, however, only listens for access tokens, and when you do the mapping inside AddJwtBearer, the claims in the access token will be mapped to the user object. AddJwtBearer is what you use in the backend APIs that receive access tokens.

To further customize the claims, you can hook into the OnTicketReceived event like what is shown in this question:

To complement this answer, I wrote a blog post that goes into more detail about this topic: Debugging OpenID Connect claim problems in ASP.NET Core

Tore Nestenius
  • Thanks Tore. If you read above, I've already tried both MapUniqueJsonKey and MapJsonKey but the claims still show up as the OneId claim names. These claims come with the profile scope; they are not a new scope and are not taken from the userinfo endpoint. I think I'll just delete the claim using ClaimAction and add it in OnTokenValidated. I was hoping there's a cleaner solution. – Canolyb1 Sep 03 '21 at 15:20
  • Can you post a bit more of your startup class? – Tore Nestenius Sep 03 '21 at 15:51
  • I've added most of my authentication configuration. I also have an OnTokenValidated hook to go and get some more claims from my app's database but that should be unrelated. Not sure how this helps. I'm just wondering how .net core maps the claims from accessToken not userInfo and how to update that map. – Canolyb1 Sep 03 '21 at 16:30
  • Yes, sorry, I may have misspoken. I'm referring to the idToken, not the accessToken. The idToken is returning the following claims: employeeType, givenName, LastName, mail. All these claims are being mapped to the claims principal and are added to the cookie; they show up in the User object. I just want to change their "Names / ClaimTypes". – Canolyb1 Sep 03 '21 at 17:12
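The delete-and-re-add approach the question proposes (and the last comment confirms is about the id_token, not the access token), as an added example that is not code from the question, the answer or the linked blog post. The ClaimRenaming class, its method names and the RenameMap dictionary are assumptions; the incoming claim names and the target claim types are the ones the question lists.

```csharp
// Added example: rename id_token claims in OnTokenValidated, which runs after the
// id_token signature and claims have been validated and turned into a ClaimsPrincipal,
// but before the cookie is issued, so the renamed claims are what ends up in the cookie.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

public static class ClaimRenaming
{
    // Incoming claim type (as it appears in the id_token) -> claim type to expose on User.
    // Mapping taken from the question; the dictionary itself is an assumption of this example.
    private static readonly Dictionary<string, string> RenameMap = new Dictionary<string, string>
    {
        ["employeeType"] = "EmployeeType",
        ["mail"] = "Mail",
        ["givenName"] = "FirstName",
    };

    // Replaces every claim of a mapped type with a copy under the new type.
    // Value, value type and issuer are preserved; all other claims are left untouched.
    // FindAll is materialised first so the identity is not mutated while being enumerated.
    public static void RenameClaims(ClaimsIdentity identity)
    {
        foreach (var pair in RenameMap)
        {
            var matches = identity.FindAll(pair.Key).ToList();
            foreach (var claim in matches)
            {
                identity.RemoveClaim(claim);
                identity.AddClaim(new Claim(pair.Value, claim.Value, claim.ValueType, claim.Issuer));
            }
        }
    }

    // Wire up inside AddOpenIdConnect (assumed usage):
    //   options.Events.OnTokenValidated = ClaimRenaming.OnTokenValidated;
    public static Task OnTokenValidated(TokenValidatedContext ctx)
    {
        if (ctx.Principal?.Identity is ClaimsIdentity identity)
        {
            RenameClaims(identity);
        }
        return Task.CompletedTask;
    }
}
```

Because only the claim type changes, the values still come from the validated id_token; nothing is read from the access token or the userinfo endpoint, matching what the comments describe.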