MaximeRouiller.Azure.AppService.EasyAuth
User identity not correctly populated for v2.0 identity platform token
Hi,
An example X-MS-CLIENT-PRINCIPAL token that I see in my app looks like the following after it is decoded (I've changed name, GUIDs and scrubbed some fields by replacing bits by '...'):
```json
{
  "auth_typ": "aad",
  "claims": [
    { "typ": "aud", "val": "820645d3-b0de-4dc2-a606-24b1b8b437bb" },
    { "typ": "iss", "val": "https://login.microsoftonline.com/5b51c641-0711-41d2-ac58-d90390d94a00/v2.0" },
    { "typ": "iat", "val": "1591020589" },
    { "typ": "nbf", "val": "1591020589" },
    { "typ": "exp", "val": "1591024489" },
    { "typ": "aio", "val": "ATQ...5fc" },
    { "typ": "c_hash", "val": "Kwh...6RQ" },
    { "typ": "name", "val": "Joe Bloggs" },
    { "typ": "nonce", "val": "fa7...949" },
    { "typ": "http://schemas.microsoft.com/identity/claims/objectidentifier", "val": "2534519c-1ee3-47a1-a531-3d9712150821" },
    { "typ": "preferred_username", "val": "[email protected]" },
    { "typ": "roles", "val": "Read" },
    { "typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "val": "gFO...fgNk" },
    { "typ": "http://schemas.microsoft.com/identity/claims/tenantid", "val": "5b51c641-0711-41d2-ac58-d90390d94a00" },
    { "typ": "uti", "val": "sji...OAA" },
    { "typ": "ver", "val": "2.0" }
  ],
  "name_typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
  "role_typ": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
}
```
Consequently, I think that in `EasyAuthAuthenticationHandler.cs` the line `principal.AddIdentity(new ClaimsIdentity(claims, clientPrincipal.AuthenticationType, clientPrincipal.NameType, clientPrincipal.RoleType));` means that the username `Joe Bloggs` is not getting correctly populated in the claims principal, because `clientPrincipal.NameType == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"` and doesn't match the `"typ": "name"` claim. Instead `claimsIdentity.Name` ends up being `null`.
Have you seen this behaviour? Perhaps the format of the token has changed over time?
Thanks, Richard
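The mismatch described in the issue can be reproduced outside the library. The following is an added example, not code from the EasyAuth project: it decodes an `X-MS-CLIENT-PRINCIPAL` value (base64 of the JSON shown above), builds a `ClaimsIdentity` exactly as the quoted line does, and then builds it again with a hypothetical fallback that only uses `name_typ` when a claim of that type is actually present. `ClaimsIdentity.Name` resolves to the first claim whose type equals the identity's `NameClaimType`, so with the v2.0 header it is `null` in the first case and `Joe Bloggs` in the second. The class and method names (`EasyAuthNameDemo`, `BuildAsIs`, `BuildWithFallback`), the fallback order, and the sample principal (placeholder values with the same claim types as the one in the issue) are all assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;

// Shape of the decoded X-MS-CLIENT-PRINCIPAL JSON, with the field names quoted in the issue.
public sealed class ClientPrincipalClaim
{
    [JsonPropertyName("typ")] public string Type { get; set; } = "";
    [JsonPropertyName("val")] public string Value { get; set; } = "";
}

public sealed class ClientPrincipal
{
    [JsonPropertyName("auth_typ")] public string AuthenticationType { get; set; } = "";
    [JsonPropertyName("claims")] public List<ClientPrincipalClaim> Claims { get; set; } = new();
    [JsonPropertyName("name_typ")] public string NameType { get; set; } = "";
    [JsonPropertyName("role_typ")] public string RoleType { get; set; } = "";
}

// Hypothetical demo class (not part of the library).
public static class EasyAuthNameDemo
{
    // The header value is base64(JSON); decode it the way a handler would.
    public static ClientPrincipal Decode(string headerValue) =>
        JsonSerializer.Deserialize<ClientPrincipal>(
            Encoding.UTF8.GetString(Convert.FromBase64String(headerValue)))
        ?? throw new InvalidOperationException("X-MS-CLIENT-PRINCIPAL did not decode to a principal");

    // Identity built as the quoted line does: name_typ and role_typ are taken from the header verbatim.
    public static ClaimsIdentity BuildAsIs(ClientPrincipal cp) =>
        new ClaimsIdentity(
            cp.Claims.Select(c => new Claim(c.Type, c.Value)),
            cp.AuthenticationType, cp.NameType, cp.RoleType);

    // Hypothetical workaround: if no claim carries the header's name_typ, choose a name claim
    // type that is present. The order is an assumption: "name" is the v2.0 display-name claim
    // shown in the issue, "preferred_username" the v2.0 login name, then the WS-* URI.
    public static ClaimsIdentity BuildWithFallback(ClientPrincipal cp)
    {
        var claims = cp.Claims.Select(c => new Claim(c.Type, c.Value)).ToList();
        var present = new HashSet<string>(claims.Select(c => c.Type), StringComparer.Ordinal);
        string nameType = present.Contains(cp.NameType)
            ? cp.NameType
            : new[] { "name", "preferred_username", ClaimTypes.Name }
                  .FirstOrDefault(present.Contains) ?? cp.NameType;
        return new ClaimsIdentity(claims, cp.AuthenticationType, nameType, cp.RoleType);
    }

    public static void Main()
    {
        // Constructed sample: same claim types as the v2.0 principal in the issue, placeholder values.
        var sample = new ClientPrincipal
        {
            AuthenticationType = "aad",
            NameType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
            RoleType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
            Claims = new List<ClientPrincipalClaim>
            {
                new() { Type = "name", Value = "Joe Bloggs" },
                new() { Type = "preferred_username", Value = "joe@example.com" },
                new() { Type = "roles", Value = "Read" },
                new() { Type = "ver", Value = "2.0" },
            },
        };
        string header = Convert.ToBase64String(Encoding.UTF8.GetBytes(JsonSerializer.Serialize(sample)));

        var cp = Decode(header);
        Console.WriteLine("as-is Name:    " + (BuildAsIs(cp).Name ?? "(null)"));
        Console.WriteLine("fallback Name: " + (BuildWithFallback(cp).Name ?? "(null)"));

        // Role lookups go through the same type comparison, so role_typ matters just as much.
        var principal = new ClaimsPrincipal(BuildWithFallback(cp));
        Console.WriteLine("IsInRole(Read): " + principal.IsInRole("Read"));
    }
}
```

The same type comparison applies to roles: in the decoded header above `role_typ` is the `http://schemas.microsoft.com/ws/2008/06/identity/claims/role` URI while the only role claim has `typ` `roles`, so `ClaimsPrincipal.IsInRole` performs the lookup against a claim type that is not present. Whatever mapping is chosen, it should be driven by the claim types that actually arrive in the header rather than by the `name_typ`/`role_typ` hints alone.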