Username and role claims name is changed

I’m having trouble making authenticated requests to Azure SignalR. I have my role and name claim names set as in https://github.com/Azure/azure-signalr/issues/223.

services.AddAuthentication()
    .AddJwtBearer(cfg =>
    {
        cfg.TokenValidationParameters.RoleClaimType = "role";
        cfg.TokenValidationParameters.NameClaimType = "sub";
    });

The access token issued for my client app looks like this:

{
  "asrs.s.uid": "685e9974-4c4a-4ac9-bb27-a42c05597e61",
  "asrs.s.aut": "AuthenticationTypes.Federation",
  "asrs.s.nt": "sub",
  "asrs.s.rt": "role",
  "nbf": 1552374807,
  "exp": 1552378407,
  "iss": "http://api.local.lncd.pl/auth",
  "aud": [
    "http://api.local.lncd.pl/auth/resources",
    "https://signalr-for-local-dev.service.signalr.net/client/?hub=chathub"
  ],
  "client_id": "optitruck/web",
  "sub": "685e9974-4c4a-4ac9-bb27-a42c05597e61",
  "auth_time": 1552319791,
  "idp": "local",
  "role": "business_owner",
  "company_id": "82ff842c-f297-4e62-91c1-717a01a05b94",
  "scope": [
    "openid",
    "offline_access"
  ],
  "amr": "pwd",
  "asrs.s.id": "bnX87lwAAAA=",
  "iat": 1552374807
}

The token contains sub and role claims. However, in the hub, my claims principal looks like this.

[Image: debug]

It looks like my custom claim names have been substituted with default ones. As a result, I cannot have role-based authentication in my hubs. Note that it all works fine when I use regular SignalR and don’t connect to Azure SignalR Service. Is this a bug or some kind of misconfiguration on my part?

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 5 (4 by maintainers)

Top GitHub Comments

2 reactions
vicancy commented, Mar 14, 2019

Probably related to https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/550. JWT has a default ClaimTypeMapping to transform incoming claims to long standard claims, so when your request comes into Azure SignalR Service, we use this standard library and the claims are automatically transformed.

We will fix the issue by disabling the transforming and deploy it to Azure in the upcoming week.

In the meantime, you can work around the issue by providing a custom claim type not in the mapping, for example:

services.AddAuthentication()
    .AddJwtBearer(cfg =>
    {
        cfg.TokenValidationParameters.RoleClaimType = "rolect";
        cfg.TokenValidationParameters.NameClaimType = "subct";
    });
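
An added illustration, not code from the issue or from the Azure SignalR project, of the default inbound claim type mapping the comment above refers to. It validates a locally issued token three ways with `JwtSecurityTokenHandler` from the System.IdentityModel.Tokens.Jwt package: with the default mapping and `sub`/`role` (name and role lookups fail because the claim types are rewritten to the long URIs), with mapping disabled, and with the `subct`/`rolect` workaround (both keep working). The signing key, issuer, audience and helper names are constructed for the demo.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

class ClaimMappingDemo
{
    // Constructed demo key (longer than 256 bits for HS256); never reuse a literal key.
    static readonly SymmetricSecurityKey Key = new SymmetricSecurityKey(
        Encoding.UTF8.GetBytes("constructed-demo-key-0123456789abcdef"));

    // Issues a short-lived token whose name and role claims use the given claim types.
    static string IssueToken(string nameType, string roleType)
    {
        var claims = new[]
        {
            new Claim(nameType, "685e9974-4c4a-4ac9-bb27-a42c05597e61"),
            new Claim(roleType, "business_owner"),
        };
        var jwt = new JwtSecurityToken("demo-issuer", "demo-audience", claims,
            DateTime.UtcNow.AddMinutes(-1), DateTime.UtcNow.AddMinutes(30),
            new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(jwt);
    }

    // Validates the token and reports what the hub-side authorization checks would see.
    static void Check(string label, bool mapInbound, string nameType, string roleType)
    {
        var handler = new JwtSecurityTokenHandler { MapInboundClaims = mapInbound };
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = "demo-issuer",
            ValidAudience = "demo-audience",
            IssuerSigningKey = Key,
            NameClaimType = nameType,   // same settings as in the issue
            RoleClaimType = roleType,
        };
        ClaimsPrincipal user = handler.ValidateToken(
            IssueToken(nameType, roleType), parameters, out _);
        Console.WriteLine($"{label}: Name={user.Identity?.Name ?? "(null)"}, " +
                          $"IsInRole(business_owner)={user.IsInRole("business_owner")}");
        foreach (Claim c in user.Claims)
            if (c.Value == "business_owner" || c.Value.StartsWith("685e"))
                Console.WriteLine($"    claim type after validation: {c.Type}");
    }

    static void Main()
    {
        Check("default mapping, sub/role", true, "sub", "role");
        Check("mapping disabled, sub/role", false, "sub", "role");
        Check("default mapping, subct/rolect", true, "subct", "rolect");
    }
}
```
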
0 reactions
vicancy commented, Aug 24, 2020

Already fixed
