OpenIdConnect: setting the ClaimsIssuer property in configuration options has no effect


Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

When using the package Microsoft.AspNetCore.Authentication.OpenIdConnect in an ASP.NET Core application to add external login providers supporting OpenId Connect protocol, setting the ClaimsIssuer property in OpenIdConnectOptions has no effect; the principal claims still get generated with the issuer that comes from the external identity provider.

This behavior is in contrast with other social media login providers (Microsoft Account, Facebook, Google, etc.) where specifying this property in the configuration options would cause the principal claims to be issued with the specified claims issuer.

Is it possible to fix that so the ClaimsIssuer option in the OpenId Connect client works the same way it does in other social login provider packages? That way we can use it for any external identity provider that supports the OpenId Connect protocol but does not have a specific package built for it.

Expected Behavior

Once the ClaimsIssuer property of the OpenIdConnectOptions is set, the principal claims should be issued with the specified claims issuer.

Steps To Reproduce

  1. Configure the OpenIdConnect client with any identity provider that supports OpenId Connect;
  2. Set the ClaimsIssuer property to something different (e.g. “MyCustomIssuer”) in .AddOpenIdConnect() configuration;
  3. Verify that the actual issuer of the principal claims is unchanged.

Exceptions (if any)

No response

.NET Version

No response

Anything else?

No response

Issue Analytics

  • State: open
  • Created a year ago
  • Comments: 16 (11 by maintainers)

Top GitHub Comments

2 reactions
Tratcher commented, Nov 28, 2022

Workaround:

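    // Namespaces used: System.Linq, System.Security.Claims, System.Text.Json,
    // Microsoft.AspNetCore.Authentication.OAuth.Claims

    // Re-creates every claim on the identity with the issuer passed to Run,
    // keeping the original issuer in Claim.OriginalIssuer.
    private class IssuerFixupAction : ClaimAction
    {
        // The claim type and value type given to the base constructor are not used by this Run override.
        public IssuerFixupAction() : base(ClaimTypes.NameIdentifier, string.Empty) { }

        public override void Run(JsonElement userData, ClaimsIdentity identity, string issuer)
        {
            // Copy the list first: the identity's claims are modified inside the loop.
            var oldClaims = identity.Claims.ToList();
            foreach (var claim in oldClaims)
            {
                identity.RemoveClaim(claim);
                identity.AddClaim(new Claim(claim.Type, claim.Value, claim.ValueType, issuer, claim.OriginalIssuer, claim.Subject));
            }
        }
    }


    services.AddAuthentication(...).AddCookie().AddOpenIdConnect(o =>
    {
        // ...
        o.ClaimsIssuer = "MyCustomIssuer";
        o.ClaimActions.Add(new IssuerFixupAction());
    });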
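An added example, not from the issue thread or from ASP.NET Core: a self-contained console check for step 3 of the reproduction, run before and after the same re-issue step the workaround performs. The IdP issuer URL, the claim values and the helper names `FindIssuerMismatches` and `Reissue` are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class ClaimsIssuerCheck
{
    // Hypothetical helper: every claim whose Issuer differs from the configured ClaimsIssuer.
    // In an app, call it on the signed-in principal (e.g. from the handler's OnTicketReceived event).
    public static IReadOnlyList<Claim> FindIssuerMismatches(ClaimsPrincipal principal, string expectedIssuer) =>
        principal.Claims
            .Where(c => !string.Equals(c.Issuer, expectedIssuer, StringComparison.Ordinal))
            .ToList();

    // Same re-issue step as the workaround: new Issuer, OriginalIssuer preserved.
    public static void Reissue(ClaimsIdentity identity, string issuer)
    {
        foreach (var claim in identity.Claims.ToList())
        {
            identity.RemoveClaim(claim);
            identity.AddClaim(new Claim(claim.Type, claim.Value, claim.ValueType,
                                        issuer, claim.OriginalIssuer, claim.Subject));
        }
    }

    public static void Main()
    {
        const string configured = "MyCustomIssuer";      // value used in the issue
        const string idp = "https://idp.example.test";   // constructed IdP issuer

        // Constructed identity: claims still carry the external provider's issuer.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "user-123", ClaimValueTypes.String, idp),
            new Claim(ClaimTypes.Email, "user@example.test", ClaimValueTypes.String, idp),
        }, "oidc");
        var principal = new ClaimsPrincipal(identity);

        Console.WriteLine($"before: {FindIssuerMismatches(principal, configured).Count} mismatched claim(s)");
        Reissue(identity, configured);
        Console.WriteLine($"after:  {FindIssuerMismatches(principal, configured).Count} mismatched claim(s)");

        // Code that filters on claim.Issuer now matches; OriginalIssuer still names the IdP.
        foreach (var c in principal.Claims)
            Console.WriteLine($"{c.Type}: Issuer={c.Issuer}, OriginalIssuer={c.OriginalIssuer}");
    }
}
```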
