MaximeRouiller.Azure.AppService.EasyAuth

User identity not correctly populated for v2.0 identity platform token

Open rars opened this issue 4 years ago • 0 comments

Hi,

An example X-MS-CLIENT-PRINCIPAL token that I see in my app looks like the following after it is decoded (I've changed name, GUIDs and scrubbed some fields by replacing bits by '...'):

{
  "auth_typ": "aad",
  "claims": [
    {
      "typ": "aud",
      "val": "820645d3-b0de-4dc2-a606-24b1b8b437bb"
    },
    {
      "typ": "iss",
      "val": "https://login.microsoftonline.com/5b51c641-0711-41d2-ac58-d90390d94a00/v2.0"
    },
    {
      "typ": "iat",
      "val": "1591020589"
    },
    {
      "typ": "nbf",
      "val": "1591020589"
    },
    {
      "typ": "exp",
      "val": "1591024489"
    },
    {
      "typ": "aio",
      "val": "ATQ...5fc"
    },
    {
      "typ": "c_hash",
      "val": "Kwh...6RQ"
    },
    {
      "typ": "name",
      "val": "Joe Bloggs"
    },
    {
      "typ": "nonce",
      "val": "fa7...949"
    },
    {
      "typ": "http://schemas.microsoft.com/identity/claims/objectidentifier",
      "val": "2534519c-1ee3-47a1-a531-3d9712150821"
    },
    {
      "typ": "preferred_username",
      "val": "[email protected]"
    },
    {
      "typ": "roles",
      "val": "Read"
    },
    {
      "typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
      "val": "gFO...fgNk"
    },
    {
      "typ": "http://schemas.microsoft.com/identity/claims/tenantid",
      "val": "5b51c641-0711-41d2-ac58-d90390d94a00"
    },
    {
      "typ": "uti",
      "val": "sji...OAA"
    },
    {
      "typ": "ver",
      "val": "2.0"
    }
  ],
  "name_typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  "role_typ": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
}

Consequently, I think that in EasyAuthAuthenticationHandler.cs the line

principal.AddIdentity(new ClaimsIdentity(claims, clientPrincipal.AuthenticationType, clientPrincipal.NameType, clientPrincipal.RoleType));

means that the username Joe Bloggs is not getting correctly populated in the claims principal. This is because clientPrincipal.NameType == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" and doesn't match the "typ": "name" claim. Instead, claimsIdentity.Name ends up being null.

Have you seen this behaviour? Perhaps the format of the token has changed over time?

Thanks, Richard

rars, Jun 01 '20 15:06
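The mismatch described in the issue, as an added example that is not the library's own code: it deserialises a constructed, trimmed X-MS-CLIENT-PRINCIPAL payload, builds the ClaimsIdentity the way the quoted line does (Name comes out null), and then with a hypothetical fallback to the short "name" claim type when no claim matches name_typ. Class and method names are my own assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Text.Json;
using System.Text.Json.Serialization;

public sealed class ClientPrincipalClaim
{
    [JsonPropertyName("typ")] public string Type { get; set; } = "";
    [JsonPropertyName("val")] public string Value { get; set; } = "";
}
public sealed class ClientPrincipal
{
    [JsonPropertyName("auth_typ")] public string AuthenticationType { get; set; } = "";
    [JsonPropertyName("claims")] public ClientPrincipalClaim[] Claims { get; set; } = Array.Empty<ClientPrincipalClaim>();
    [JsonPropertyName("name_typ")] public string NameType { get; set; } = "";
    [JsonPropertyName("role_typ")] public string RoleType { get; set; } = "";
}
public static class NameClaimCheck
{
    // Constructed sample of a decoded X-MS-CLIENT-PRINCIPAL header, reduced to the
    // fields that matter for the Name lookup (values are placeholders).
    private const string SampleJson = @"{
      ""auth_typ"": ""aad"",
      ""claims"": [ { ""typ"": ""name"", ""val"": ""Joe Bloggs"" }, { ""typ"": ""roles"", ""val"": ""Read"" } ],
      ""name_typ"": ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"",
      ""role_typ"": ""http://schemas.microsoft.com/ws/2008/06/identity/claims/role""
    }";
    // Mirrors the construction quoted in the issue: NameClaimType is taken from name_typ,
    // but a v2.0 token carries no claim of that type, so Identity.Name resolves to null.
    public static ClaimsIdentity BuildAsReported(ClientPrincipal p) =>
        new ClaimsIdentity(p.Claims.Select(c => new Claim(c.Type, c.Value)),
                           p.AuthenticationType, p.NameType, p.RoleType);
    // Hypothetical mitigation (assumption, not the library's code): honour name_typ only
    // when a claim of that type is present, otherwise fall back to the "name" claim.
    public static ClaimsIdentity BuildWithFallback(ClientPrincipal p)
    {
        var claims = p.Claims.Select(c => new Claim(c.Type, c.Value)).ToList();
        string nameType = claims.Any(c => c.Type == p.NameType) ? p.NameType : "name";
        return new ClaimsIdentity(claims, p.AuthenticationType, nameType, p.RoleType);
    }
    public static void Main()
    {
        var principal = JsonSerializer.Deserialize<ClientPrincipal>(SampleJson)!;
        Console.WriteLine(BuildAsReported(principal).Name ?? "<null>");
        Console.WriteLine(BuildWithFallback(principal).Name);
    }
}
```

The value recovered this way is the display-name claim, so it is suitable for display only; authorisation decisions should key on the objectidentifier and tenantid claims the token also carries.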