IDX21345: OpenIdConnectProtocolValidationContext.UserInfoEndpointResponse does not contain a 'sub' claim

DuendeSoftware / Support

Support for Duende Software products

21 stars 0 forks source link

IDX21345: OpenIdConnectProtocolValidationContext.UserInfoEndpointResponse does not contain a 'sub' claim #1356

Closed psiservices-robswan closed 3 months ago

psiservices-robswan commented 4 months ago

Which version of Duende IdentityServer are you using? 6.3.3

Which version of .NET are you using? 7

Describe the bug

We are getting this error: IDX21345: OpenIdConnectProtocolValidationContext.UserInfoEndpointResponse does not contain a 'sub' claim, cannot validate. after calling the userInfo endpoint of an external provider

the userInfo response looks like this (redacted part of the jwt): { "token": "ey...Heg" } Also, the Content-Type header is 'application/json; charset=utf-8'

Is there anything I can change to accept a jwt in the userInfo?

RolandGuijt commented 3 months ago

Most likely this isn't an IdentityServer issue. The error is generated by Microsoft's OpenIdConnect handler.

A way to make sure is to create a direct client for the external provider (like a razor pages web app) and set GetClaimsFromUserEndpoint to true in the configuration of the handler. If that generates the same error there is probably something wrong with the configuration of the external provider. Is that using IdentityServer?

psiservices-robswan commented 3 months ago

We told them they needed to just send a JSON object as the OIDC specification says to and that fixed it. This is as we suspected, but had to do due diligence.

Please close this issue. Thanks