JSON object as an `act` claim not handled properly
Hello 😃
So we’ve been implementing the delegation flow for our microservices and, following the specification (still draft), we found out that we can provide the chain of delegation in the `act` claim (RFC link), which should be a JSON object.
We’re using IdentityServer as an IdP and they have an easy way of creating new custom grants and generating proper JWT tokens. The issue we’re facing right now, though, is that it seems the `JwtPayload` class is not handling it properly. Below is the test code I’ve created to show you the problem:
```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text.Json;
using System.Text.Json.Serialization;
using Newtonsoft.Json.Linq;

class Program
{
    static void Main(string[] args)
    {
        var jwtPayload = new JwtPayload("http://localhost:5001", null, null, DateTime.UtcNow, DateTime.UtcNow.AddMinutes(2));

        // Build a four-level delegation chain: client4 acting for client3, which acted for client2, and so on.
        var delegationClaim1 = new DelegationActorClaim("client1", string.Empty);
        var delegationClaim2 = new DelegationActorClaim("client2", JsonSerializer.Serialize(delegationClaim1));
        var delegationClaim3 = new DelegationActorClaim("client3", JsonSerializer.Serialize(delegationClaim2));
        var delegationClaim4 = new DelegationActorClaim("client4", JsonSerializer.Serialize(delegationClaim3));
        var claim = delegationClaim4.ToClaim();

        // jwtPayload.AddClaim(claim);
        // JToken.FromObject goes through Newtonsoft, which ignores the System.Text.Json attributes,
        // so the properties keep their C# names; the payload below is what JwtPayload then emits.
        jwtPayload.Add("act", JToken.FromObject(delegationClaim1));

        var jwtHeader = new JwtHeader();
        var jwt = new JwtSecurityToken(jwtHeader, jwtPayload);
        var handler = new JwtSecurityTokenHandler();
        var result = handler.WriteToken(jwt);
        Console.WriteLine(result);   // unsigned token, see below
        Console.ReadKey();
    }
}

public class DelegationActorClaim
{
    // "sub" and "act" follow the act claim layout from the token exchange specification.
    [JsonPropertyName("sub")]
    public string ClientId { get; set; } = null!;

    [JsonPropertyName("act")]
    public DelegationActorClaim? Actor { get; set; }

    public DelegationActorClaim() {}

    public DelegationActorClaim(string clientId, string? previousActor)
    {
        ClientId = clientId;
        if (string.IsNullOrWhiteSpace(previousActor))
        {
            return;
        }
        // Nest the previous actor one level deeper in the chain.
        Actor = JsonSerializer.Deserialize<DelegationActorClaim>(previousActor);
    }

    public Claim ToClaim()
    {
        return new Claim("act", JsonSerializer.Serialize(this), "json");
    }
}
```
The result of running this code is a JWT token like this: e30.eyJuYmYiOjE1OTc4MTg4MTMsImV4cCI6MTU5NzgxODkzMywiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAxIiwiYWN0Ijp7IkNsaWVudElkIjpbXSwiQWN0b3IiOltdfX0.
And inspecting it on jwt.io yields the following result:

```json
{
  "nbf": 1597818813,
  "exp": 1597818933,
  "iss": "http://localhost:5001",
  "act": {
    "ClientId": [],
    "Actor": []
  }
}
```
For some reason both `ClientId` and `Actor` are empty arrays.
Tested with: .NET Core 3.1, System.IdentityModel.Tokens.Jwt 6.7.1
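As an added example, not code from the issue, IdentityServer or System.IdentityModel.Tokens.Jwt: a resource-server-side check in plain System.Text.Json that walks the nested `act` chain as RFC 8693 lays it out (`sub` plus an optional nested `act`) and rejects the malformed shape shown above. The well-formed payload is constructed; the malformed one is the token from the issue.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;

// Added example (not from the issue or the library): walk the RFC 8693 "act" chain
// and refuse entries shaped like {"ClientId":[],"Actor":[]} instead of {"sub":...}.
public static class ActChainChecker
{
    // Decode the payload segment of a compact JWT (base64url: '-'/'_' alphabet, no padding).
    public static string PayloadJson(string jwt)
    {
        string seg = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        seg = seg.PadRight(seg.Length + (4 - seg.Length % 4) % 4, '=');
        return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(seg));
    }

    // Returns actor "sub" values, most recent actor first (RFC 8693 nests the least
    // recent actor deepest). Throws if any level is not an object with a string "sub".
    public static List<string> ActorChain(string payloadJson)
    {
        var chain = new List<string>();
        using JsonDocument doc = JsonDocument.Parse(payloadJson);
        if (!doc.RootElement.TryGetProperty("act", out JsonElement act))
            return chain;                                   // no delegation present
        while (true)
        {
            if (act.ValueKind != JsonValueKind.Object
                || !act.TryGetProperty("sub", out JsonElement sub)
                || sub.ValueKind != JsonValueKind.String)
                throw new FormatException("malformed act entry: " + act.GetRawText());
            chain.Add(sub.GetString()!);
            if (!act.TryGetProperty("act", out JsonElement next))
                break;                                      // deepest level reached
            act = next;
        }
        return chain;
    }

    public static void Main()
    {
        // Constructed, well-formed chain: client4 acting for client3, down to client1.
        string good = "{\"sub\":\"alice\",\"act\":{\"sub\":\"client4\",\"act\":{\"sub\":\"client3\","
                    + "\"act\":{\"sub\":\"client2\",\"act\":{\"sub\":\"client1\"}}}}}";
        Console.WriteLine(string.Join(" -> ", ActorChain(good)));
        // The token from the issue, whose act came out as {"ClientId":[],"Actor":[]}.
        string bad = "e30.eyJuYmYiOjE1OTc4MTg4MTMsImV4cCI6MTU5NzgxODkzMywiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAxIiwiYWN0Ijp7IkNsaWVudElkIjpbXSwiQWN0b3IiOltdfX0.";
        try { ActorChain(PayloadJson(bad)); }
        catch (FormatException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```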
Issue Analytics
- Created 3 years ago
- Comments: 32 (18 by maintainers)
Top GitHub Comments
The short of it is, though, that we need an easy way to take JSON and have it serialize properly. I think the simplest example is the `address` claim type from OIDC. BTW, this is the major blocker why IdentityServer was unable to upgrade to the current version of “System.IdentityModel.Tokens.Jwt”. We have to pin against version 5.6.0 because of this regression in 6.x.
Yes - it is pretty annoying that this doesn’t get fixed. The related issues around JSON objects and the discovery endpoint prevent customers from upgrading to .NET 5.