azure-activedirectory-identitymodel-extensions-for-dotnet
NameClaimType Doesn't Seem like Validation in TokenValidationParameters
Apparently one must configure where to get the user's name claim from so that they can perform operations like var name = User.Identity.Name;
In the following Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi example, the value is configured via TokenValidationParameters.
That doesn't feel right to me. It is not validating the name claim, it is telling it where to find it, no?
```csharp
app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        // Generate the metadata address using the tenant and policy information
        MetadataAddress = String.Format(AadInstance, Tenant, DefaultPolicy),

        // These are standard OpenID Connect parameters, with values pulled from web.config
        ClientId = ClientId,
        RedirectUri = RedirectUri,
        PostLogoutRedirectUri = RedirectUri,
        ....

        // Specify the claims to validate
        TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = "name"
        },
    }
);
```
Sets the claim type that specifies the Name property. The claim type is used to search for a Claim in the collection of ClaimsIdentity objects returned by the ValidateToken method of this token handler. The value of the matching claim is then set as the name of the IIdentity generated from this token handler.
Reference: Azure AD B2C: User.Identity.Name is null, but User.Identity.m_instance_claims[9] has the name
Reference: https://github.com/aspnet/AspNetKatana/issues/186
Duplicate? What more are you hoping for here beyond the Katana discussion?
@spottedmahn if TokenValidationParameters.NameClaimType is set to "name", then the property ClaimsIdentity.Name will return the value of the first Claim where Claim.Type == "name". By default the value is: ClaimTypes.Name == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
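To make the behaviour described above concrete, here is an added example (not code from this repository or from the issue) that signs a throwaway JWT locally and validates it twice with JwtSecurityTokenHandler, once with the default NameClaimType and once with NameClaimType = "name". The key, issuer and audience values are constructed for the demo.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

class NameClaimTypeDemo
{
    static void Main()
    {
        // Constructed 32-byte HS256 key for a self-contained demo; never hard-code real keys.
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-key-demo-key-demo-key-demo-key!"));
        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
        var handler = new JwtSecurityTokenHandler();

        // The token carries a "name" claim, as a B2C token would, but no ClaimTypes.Name claim.
        var token = new JwtSecurityToken(
            issuer: "https://issuer.example",
            audience: "demo-client",
            claims: new[] { new Claim("name", "Jane Doe"), new Claim("sub", "1234") },
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: creds);
        string jwt = handler.WriteToken(token);

        // Signature, issuer, audience and lifetime are checked on every call,
        // independently of what NameClaimType is set to.
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = "https://issuer.example",
            ValidAudience = "demo-client",
            IssuerSigningKey = key
        };

        // Run 1: default NameClaimType (ClaimTypes.Name), which this token does not contain.
        var principal = handler.ValidateToken(jwt, parameters, out _);
        Console.WriteLine($"default NameClaimType -> Name = '{principal.Identity.Name ?? "null"}'");

        // Run 2: tell the handler which claim should populate ClaimsIdentity.Name.
        parameters.NameClaimType = "name";
        principal = handler.ValidateToken(jwt, parameters, out _);
        Console.WriteLine($"NameClaimType = \"name\" -> Name = '{principal.Identity.Name}'");
    }
}
```

The first run yields a null Name because the handler looks for ClaimTypes.Name, and the second run yields "Jane Doe"; in both runs the token is fully validated, which is the point of the distinction raised in this issue. A tampered signature, wrong issuer or expired token makes ValidateToken throw in either run, so NameClaimType only selects a claim and never weakens or adds a check.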
Hey @Tratcher - I was going to the "owner" of TokenValidationParameters to get their 2 cents 😊
After the Katana discussion/research, I understand Katana is taking a dependency on this project.
It's not a big deal, it just doesn't feel right. To me, it is not self-documenting. Seems to be violating the Single Responsibility Principle too. Maybe I'm not understanding something though. Just an outsider's viewpoint.
On the surface, it would seem there should be a TokenValidationParameters class and a TokenConfigurationParameters class.
Hi @brentschmaltz - thanks for the reply. Please see the above post for clarification, thanks!
@spottedmahn I get your point. Controlling the result of ClaimsIdentity.Name is probably not what one thinks about when validating a token. It is a separate step; ClaimsConfigurationParameters (or something named like it) may be a good container for all the settings one may want to use. I'll reopen for now, and let's think about it. We want to get a release ready by mid-April, so I don't think it fits this release. A future release will have an async pattern and will require new APIs. Passing in a context and returning a result may naturally fit into that.
Hey @brentschmaltz - thanks for the update!! ⚡
Sounds good to me. Let me know if I can help. Happy to submit a PR 😊!
@spottedmahn we will ping you when we start the async work.
@jennyf19 we may want to consider this with our ClaimsIdentity work.
FYI @GeoK