Open null-d3v opened 1 year ago
Thanks for opening this issue! We'll consider this for a future release. For now, are you able to accomplish what you need with a customized profile service?
Yep, it is just slightly inconsistent and requires a slightly contrived setup.
When issuing claims from the profile service the `ClaimsIdentity` could have an `Actor` from the default scheme or an `act` claim with a JSON claim value type.
Which version of Duende IdentityServer are you using? 6.2.3

Which version of .NET are you using? 7.0.5

Describe the bug
The actor, `act`, claim on an access token is not converted to `ClaimsPrincipal.Actor` in `IProfileService.GetProfileDataAsync`.

To Reproduce
Issue an access token with an actor claim in `IProfileService.GetProfileDataAsync` for `ProfileDataCallers.ClaimsProviderAccessToken`. When `IProfileService.GetProfileDataAsync` executes for `ProfileDataCallers.UserInfoEndpoint`, the `ProfileDataRequestContext.Subject` `ClaimsPrincipal.Claims` are a 1:1 translation of the access token claims. Specifically, the `ClaimsPrincipal` contains an `act` claim with a JSON string value.

Expected behavior
I would expect that the actor claim would be applied to `ClaimsPrincipal.Actor` in this case. I would also expect that this would operate for nested actor claims in the access token, applying to nested `ClaimsPrincipal.Actor`s.

Additional context
I understand the nuances with converting the OAuth/OIDC specs to .NET auth operation models, but this seems an appropriate behavior.
I also understand the `ClaimsPrincipal` is created from the access token in IdentityModel's `Principal.Create`. I'm uncertain as to whether this would be addressed in IdentityModel or IdentityServer.
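The "customized profile service" workaround mentioned in the thread, written out as an added example (this is not Duende's own code, nor code from the issue reporter). It assumes the `act` claim arrives on `context.Subject` as a JSON string in the RFC 8693 shape (`{"sub": "...", "act": {...}}`) and converts that string, including nested `act` members, into a `ClaimsIdentity.Actor` chain before the requested claims are issued. The class name `ActorAwareProfileService` and the helper names are assumptions; `IProfileService`, `ProfileDataRequestContext` and `AddRequestedClaims` are the real Duende IdentityServer API.

```csharp
using System;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Duende.IdentityServer.Models;
using Duende.IdentityServer.Services;

// Added example, not part of Duende IdentityServer: a profile service that
// materialises the "act" delegation chain from the access token into
// ClaimsIdentity.Actor so downstream authorization code can inspect the
// actor through the .NET model instead of re-parsing a JSON string.
public class ActorAwareProfileService : IProfileService
{
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        if (context.Subject?.Identity is ClaimsIdentity identity)
        {
            AttachActorChain(identity);
        }

        // Issue the claims the caller requested, exactly as a default profile
        // service would; the Actor is attached to the Subject for the caller's use.
        context.AddRequestedClaims(context.Subject.Claims);
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        context.IsActive = true;
        return Task.CompletedTask;
    }

    // Parses the first "act" claim on the identity and sets identity.Actor.
    // Does nothing if there is no "act" claim, if an Actor is already present
    // (e.g. set by the authentication scheme), or if the value is not valid JSON.
    internal static void AttachActorChain(ClaimsIdentity identity)
    {
        var actClaim = identity.FindFirst("act");
        if (actClaim == null || identity.Actor != null)
        {
            return;
        }

        try
        {
            using var doc = JsonDocument.Parse(actClaim.Value);
            identity.Actor = BuildActor(doc.RootElement);
        }
        catch (JsonException)
        {
            // A malformed "act" value is left as a plain claim rather than
            // failing the whole profile request.
        }
    }

    // Builds a ClaimsIdentity from one "act" JSON object. Each member becomes
    // a claim on the actor; a nested "act" member becomes the actor's own Actor,
    // which is how RFC 8693 section 4.1 expresses a delegation chain.
    private static ClaimsIdentity BuildActor(JsonElement act)
    {
        if (act.ValueKind != JsonValueKind.Object)
        {
            return null;
        }

        // "act" is an assumed authentication type label for the synthetic identity.
        var actor = new ClaimsIdentity(authenticationType: "act");
        foreach (var prop in act.EnumerateObject())
        {
            if (prop.Name == "act")
            {
                actor.Actor = BuildActor(prop.Value);
                continue;
            }

            var value = prop.Value.ValueKind == JsonValueKind.String
                ? prop.Value.GetString()
                : prop.Value.GetRawText();
            actor.AddClaim(new Claim(prop.Name, value ?? string.Empty));
        }

        return actor;
    }
}
```

Register it with `services.AddIdentityServer().AddProfileService<ActorAwareProfileService>()`. Note the direction of the conversion: this maps the `act` claim string onto `ClaimsIdentity.Actor` for the profile service's own use; as the thread points out, the reverse case (a subject that already carries an `Actor` from the default scheme) is a separate path, which is why the method leaves an existing `Actor` untouched.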