Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Authenticated request has an incorret RoleClaimType

See original GitHub issue

I am using OpenIddict2.0.

My UserManager create a principal when it treat the OpenIdRequest, this UserManager is using the ClaimType role.

Then, when the user is using the token for accessing a resource, the Identity.RoleClaimType is set to http://schemas.microsoft.com/ws/2008/06/identity/claims/role instead of role. The claim role is included in the principal, but because it is not http://schemas.microsoft.com/ws/2008/06/identity/claims/role, ClaimsPrincipal.IsInRole returns false.

Is there a way for me to customize how OpenIddict is creating the ClaimsPrincipal to fix this?

Issue Analytics

State:
Created 4 years ago
Comments:5 (4 by maintainers)

Top GitHub Comments

1reaction

kevinchaletcommented, Jul 15, 2020

The NameClaimType/RoleClaimType are currently not honored when using introspection, as the ClaimsIdentity is not created by IdentityModel but by OpenIddict in this case.

I opened https://github.com/openiddict/openiddict-core/issues/1026 to track that. It’s trivial to fix, so let me know if you’re interested in sending a PR 😄

0reactions

kevinchaletcommented, Jul 15, 2020

It will be fixed in the next release. In the meantime, it’s very easy to work around using a tiny handler that runs after PopulateClaims and recreates the identity with the correct name/role claim types:

options.AddEventHandler<HandleIntrospectionResponseContext>(builder =>
    builder.SetOrder(Introspection.PopulateClaims.Descriptor.Order + 1_000)
        .UseInlineHandler(context =>
        {
            if (context.Principal != null)
            {
                var identity = (ClaimsIdentity) context.Principal.Identity;
                identity = new ClaimsIdentity(identity.Claims,
                    context.Options.TokenValidationParameters.AuthenticationType,
                    context.Options.TokenValidationParameters.NameClaimType,
                    context.Options.TokenValidationParameters.RoleClaimType);

                context.Principal = new ClaimsPrincipal(identity);
            }

            return default;
        }));