Reputation: 26717
ASP.NET Core 8 OpenID Connect - SUB claim missing on User.Identity
I upgraded my ASP.NET MVC Core 7.0 website to ASP.NET MVC Core 8.0. The site uses OpenID Connect identity provider for login.
After update, my sub claim went missing in ClaimsPrincipal.Identity.Claims collection. I would get:
System.NullReferenceException: 'Object reference not set to an instance of an object.'
when trying to get sub claim:
string userId = User.Identity.FindFirst("sub").Value;
Upon further inspection, I noticed that sub claim is actually remapped to a different claim:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
This happens despite having default JWT token mappings removed in startup configuration (which worked previously, in ASP.NET Core 7.0 and earlier):
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
How can I fix this issue?
Upvotes: 14
Views: 7354
Answers (3)
Reputation: 1
See this answer: https://stackoverflow.com/a/78650835/19375103
just install Microsoft.IdentityModel.Protocols.OpenIdConnect corresponding to the version of Microsoft.AspNetCore.Authentication.OpenIdConnect
And enable .UseSecurityTokenValidators = true
Upvotes: -1
Reputation: 3659
If you are using the AddOpenIdConnect extension from Microsoft.AspNetCore.Authentication.OpenIdConnect, you can also configure it for a specific authentication handler:
builder.Services
.AddAuthentication()
.AddOpenIdConnect(options =>
{
// your configuration
options.MapInboundClaims = false;
});
Upvotes: 5
Reputation: 26717
.NET 8.0 has various breaking changes compared to earlier version and they are listed here Breaking changes in .NET 8.
In particular, this breaking change is affecting upgrade of the NuGet package Microsoft.AspNetCore.Authentication.OpenIdConnect from 7.0.* to 8.0.*.
One of those changes, detailed here Security token events return a JsonWebToken affects Microsoft.AspNetCore.Authentication.OpenIdConnect.TokenValidatedContext.SecurityToken, which in turn affects OpenID Connect client behavior. Reason for the breaking change was 30% improvement in performance, according to the Microsoft article.
In order to fix the issue in ASP.NET Core 8.0+ the line:
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
has to be changed into:
Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.DefaultInboundClaimTypeMap.Clear();
After this change, mapping of OpenID Connect authentication claims will behave same as in earlier .NET versions.
Upvotes: 35
Related Questions
- How do I get client IP address in ASP.NET Core?
- How do you create a custom AuthorizeAttribute in ASP.NET Core?
- Resolving instances with ASP.NET Core DI from within ConfigureServices
- How to register multiple implementations of the same interface in Asp.Net Core?
- ASP.NET Core form POST results in a HTTP 415 Unsupported Media Type response
- How to return HTTP 500 from ASP.NET Core RC2 Web Api?
- ASP.NET Core Get Json Array using IConfiguration
- Anti-forgery token issues
- Why .Net Core has its own claim types?