DuendeSoftware / IdentityServer

The most flexible and standards-compliant OpenID Connect and OAuth 2.x framework for ASP.NET Core
https://duendesoftware.com/products/identityserver

Access token actor claim is not converted to ClaimsPrincipal Actor #1354

Open null-d3v opened 1 year ago

null-d3v commented 1 year ago

Which version of Duende IdentityServer are you using? 6.2.3

Which version of .NET are you using? 7.0.5

Describe the bug The actor (act) claim on an access token is not converted to ClaimsPrincipal.Actor in IProfileService.GetProfileDataAsync.

To Reproduce Issue an access token with an actor claim in IProfileService.GetProfileDataAsync for ProfileDataCallers.ClaimsProviderAccessToken:

if (context.Caller == IdentityServerConstants
        .ProfileDataCallers.ClaimsProviderAccessToken)
{
    context.IssuedClaims.Add(new Claim(
        JwtClaimTypes.Actor,
        """{ "sub": "sub", "idp": "idp" }""",
        IdentityServerConstants.ClaimValueTypes.Json));
}

When IProfileService.GetProfileDataAsync executes for ProfileDataCallers.UserInfoEndpoint, the ProfileDataRequestContext.Subject ClaimsPrincipal.Claims are a 1:1 translation of the access token claims. Specifically, the ClaimsPrincipal contains an act claim with a JSON string value.

Expected behavior I would expect that the actor claim would be applied to ClaimsPrincipal.Actor in this case. I would also expect that this would operate for nested actor claims in the access token, applying to nested ClaimsPrincipal.Actors.

Additional context I understand the nuances with converting the OAuth/OIDC specs to .NET auth operation models, but this seems an appropriate behavior.

I also understand that the ClaimsPrincipal is created from the access token in IdentityModel's Principal.Create. I'm uncertain as to whether this would be addressed in IdentityModel or IdentityServer.

josephdecock commented 1 year ago

Thanks for opening this issue! We'll consider this for a future release. For now, are you able to accomplish what you need with a customized profile service?

null-d3v commented 1 year ago

Yep, it is just slightly inconsistent and requires a slightly contrived setup.

When issuing claims from the profile service the ClaimsIdentity could have an Actor from the default scheme or an act claim with a JSON claim value type.
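The following is an added example of the customized profile service suggested above, covering both directions the thread describes: an identity that already carries an Actor chain from the default sign-in scheme is serialized into a JSON-valued act claim when the access token is built, and when the profile service runs for the UserInfo endpoint (where Subject is a 1:1 translation of the token, so act arrives as a JSON string) the nested act objects are rebuilt into nested ClaimsIdentity.Actor instances. It is not code from Duende IdentityServer, IdentityModel or the issue author; the class names ActorClaims and ActorAwareProfileService are my own, and it assumes the Duende.IdentityServer and IdentityModel packages on .NET 7 (System.Text.Json raw strings need C# 11).

```csharp
// Added example, not part of the Duende IdentityServer repository or this issue.
// ActorClaims and ActorAwareProfileService are hypothetical names chosen here.
using System.Linq;
using System.Security.Claims;
using System.Text.Json;
using System.Text.Json.Nodes;
using System.Threading.Tasks;
using Duende.IdentityServer;
using Duende.IdentityServer.Models;
using Duende.IdentityServer.Services;
using IdentityModel;

public static class ActorClaims
{
    // Serialize identity.Actor (and any nested Actor) into the JSON object used as the
    // value of an "act" claim: the outer object is the direct actor, nested "act" members
    // are earlier actors in the delegation chain. Multiple values of one claim type are
    // collapsed to the last one, since the act object has one member per claim name.
    public static string? ToActClaimValue(ClaimsIdentity identity) =>
        identity.Actor is null ? null : ToJson(identity.Actor).ToJsonString();

    private static JsonObject ToJson(ClaimsIdentity actor)
    {
        var obj = new JsonObject();
        foreach (var c in actor.Claims.Where(c => c.Type != JwtClaimTypes.Actor))
            obj[c.Type] = c.Value;
        if (actor.Actor is not null)
            obj[JwtClaimTypes.Actor] = ToJson(actor.Actor); // nested actor
        return obj;
    }

    // Rebuild the Actor chain from an "act" claim whose value is a JSON object.
    // Only call this on claims taken from a token this server has already validated;
    // the parser trusts the object's structure.
    public static ClaimsIdentity? FromActClaim(Claim? act)
    {
        if (act is null) return null;
        using var doc = JsonDocument.Parse(act.Value);
        return doc.RootElement.ValueKind == JsonValueKind.Object ? Build(doc.RootElement) : null;
    }

    private static ClaimsIdentity Build(JsonElement element)
    {
        var identity = new ClaimsIdentity(); // no authentication type: the actor is not the signed-in principal
        foreach (var prop in element.EnumerateObject())
        {
            if (prop.Name == JwtClaimTypes.Actor && prop.Value.ValueKind == JsonValueKind.Object)
                identity.Actor = Build(prop.Value);              // deeper actor
            else if (prop.Value.ValueKind == JsonValueKind.String)
                identity.AddClaim(new Claim(prop.Name, prop.Value.GetString()!));
            else
                identity.AddClaim(new Claim(prop.Name, prop.Value.GetRawText(),
                    IdentityServerConstants.ClaimValueTypes.Json));
        }
        return identity;
    }
}

public class ActorAwareProfileService : IProfileService
{
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var subject = context.Subject;
        var identity = subject.Identity as ClaimsIdentity;

        if (context.Caller == IdentityServerConstants.ProfileDataCallers.ClaimsProviderAccessToken)
        {
            // Sign-in produced a real Actor chain: emit it as a JSON-valued "act" claim.
            var act = identity is null ? null : ActorClaims.ToActClaimValue(identity);
            if (act is not null)
                context.IssuedClaims.Add(new Claim(JwtClaimTypes.Actor, act,
                    IdentityServerConstants.ClaimValueTypes.Json));
        }
        else if (context.Caller == IdentityServerConstants.ProfileDataCallers.UserInfoEndpoint)
        {
            // Subject was rebuilt from the access token, so "act" is a JSON string claim;
            // restore identity.Actor before any downstream code relies on it.
            if (identity is not null && identity.Actor is null)
                identity.Actor = ActorClaims.FromActClaim(subject.FindFirst(JwtClaimTypes.Actor));
        }

        // Everything else follows the usual requested-claims filtering.
        context.AddRequestedClaims(subject.Claims.Where(c => c.Type != JwtClaimTypes.Actor));
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        context.IsActive = true;
        return Task.CompletedTask;
    }
}
```

Register it with services.AddIdentityServer().AddProfileService<ActorAwareProfileService>(). For the input in the report, an act value of { "sub": "sub", "idp": "idp" } yields an Actor with two claims and no nested Actor; an act value with its own "act" member yields a two-deep chain, which is what the "nested actor claims" expectation above asks for.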