Add support for nameidentifier-claim
When using ActiveLogin together with ASP.NET Core Identity you can run into problems because ActiveLogin does not issue the nameidentifier-claim (ClaimTypes.NameIdentifier). ASP.NET Core Identity expects all "external providers" to issue this claim (my understanding is that this is the MS version of "sub").
It would be nice if this at least was an option.
My current workaround:
```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

bankid.Configure(options =>
{
    options.Events = new RemoteAuthenticationEvents()
    {
        // Runs after the remote ticket has been validated: copy "sub" into the
        // NameIdentifier claim that ASP.NET Core Identity looks for.
        OnTicketReceived = context =>
        {
            var identity = context.Principal.Identity as ClaimsIdentity;
            var sub = identity?.FindFirst("sub");
            // Only add the claim when "sub" exists and NameIdentifier is not already present.
            if (identity != null && sub != null && identity.FindFirst(ClaimTypes.NameIdentifier) == null)
            {
                identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, sub.Value));
            }
            return Task.CompletedTask;
        }
    };
})
```
Thanks for the input! This is very similar to #337 where we've discussed a generic solution to the claims issuing part. I'll close this issue but reference it from the other one so we know that we cover your case as well.
Please chime in to the discussion at #337 and verify that it would fit your needs.
To follow up on this. Do you know if this is documented?
ASP.NET Core Identity expects all "external providers" to issue this claim (my understanding is that this is the MS version of "sub").
I noticed this is how they issue the claims for the Twitter Handler, so I'm up for agreeing with you: https://github.com/dotnet/aspnetcore/blob/main/src/Security/Authentication/Twitter/src/TwitterHandler.cs#L104
I had a chat with a colleague and we thought we were doing it "right" and what you are looking for is to clear the claims mapping on the other end. The concept is described in this blogpost: https://mderriey.com/2019/06/23/where-are-my-jwt-claims/
But we might be (and probably are) wrong. It would be awesome if you could point us to some documentation stating that this is how it "should be done".
I'm reopening because it might be relevant to issue this by default.
When using Identity with "external providers" the first step in the flow is something like this:
var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
return Challenge(properties, provider);
On the redirect back after successful challenge the next step is this:
var info = await _signInManager.GetExternalLoginInfoAsync();
var signInResult = await _signInManager.ExternalLoginSignInAsync(info.LoginProvider, info.ProviderKey);
The problem is that _signInManager.GetExternalLoginInfoAsync() will always return null if no nameidentifier-claim exists. I can't find any documentation but it's obvious when looking at the MS code here:
https://github.com/dotnet/aspnetcore/blob/83c6a9fdce94a4905754797ffe7824debb044acb/src/Identity/Core/src/SignInManager.cs#L673
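The two-step flow described in the comment above, written out as a complete controller with the null guard that the missing NameIdentifier claim makes necessary. This is an added example, not code from the ActiveLogin project or from this thread; the controller name, the "BankId" scheme name and the "Login" / "ExternalLoginConfirmation" action names it redirects to are assumptions.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Assumed controller name; the SignInManager is the standard ASP.NET Core Identity service.
public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser> _signInManager;

    public AccountController(SignInManager<IdentityUser> signInManager)
    {
        _signInManager = signInManager;
    }

    // Step 1: challenge the external scheme. "BankId" is an assumed scheme name.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult ExternalLogin(string provider = "BankId", string returnUrl = null)
    {
        var redirectUrl = Url.Action(nameof(ExternalLoginCallback), new { returnUrl });
        var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
        return Challenge(properties, provider);
    }

    // Step 2: the redirect back after a successful challenge.
    [HttpGet]
    public async Task<IActionResult> ExternalLoginCallback(string returnUrl = null)
    {
        var info = await _signInManager.GetExternalLoginInfoAsync();
        if (info == null)
        {
            // SignInManager returns null when the external principal carries no
            // NameIdentifier claim (ProviderKey is read from that claim). Fail
            // closed with an error instead of dereferencing info.
            ModelState.AddModelError(string.Empty, "External login information was not available.");
            return RedirectToAction("Login");
        }

        var signInResult = await _signInManager.ExternalLoginSignInAsync(
            info.LoginProvider, info.ProviderKey, isPersistent: false);

        if (signInResult.Succeeded)
        {
            // Only allow local redirects so returnUrl cannot be abused as an open redirect.
            return LocalRedirect(string.IsNullOrEmpty(returnUrl) ? "/" : returnUrl);
        }

        if (signInResult.IsLockedOut)
        {
            return RedirectToAction("Lockout");
        }

        // No local user is linked to this provider key yet: hand off to account
        // creation / linking (assumed action name).
        return RedirectToAction("ExternalLoginConfirmation", new { returnUrl });
    }
}
```

The point of the example is the `info == null` branch: with the claim mapping in place (for instance the OnTicketReceived workaround earlier in the thread) the branch is never taken, but without it every callback would otherwise end in a NullReferenceException on `info.LoginProvider` rather than a clear error.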
It is now possible to transform this yourself by using the feature implemented in #350. I'm considering making this (nameidentifier) the default claim issued from version 6.0.0, will keep this issue open until that is done.