DuendeSoftware / Support

Support for Duende Software products

"unknown" username logged in GetAccessTokenAsync when interacting with ADFS #1374

Closed hybrid2102 closed 1 day ago

hybrid2102 commented 3 weeks ago

Which version of Duende.AccessTokenManagement are you using? 3.0.0

Which version of .NET are you using? 8

Describe the bug When interacting with ADFS, the real username can't be logged (the result is "unknown").

Additional context Upon reviewing the method “GetAccessTokenAsync”, it seems the correct username can be retrieved by modifying lines 68-69 from:

        var userName = user.FindFirst(JwtClaimTypes.Name)?.Value ??
                       user.FindFirst(JwtClaimTypes.Subject)?.Value ?? "unknown";

to:

        var userName = user.FindFirst(JwtClaimTypes.Name)?.Value ??
                       user.FindFirst(JwtClaimTypes.Subject)?.Value ?? user.FindFirst(ClaimTypes.Name)?.Value ?? "unknown";

Rather than proposing this change, I would like to understand if I am missing some configuration.

Thank you!

RolandGuijt commented 1 week ago

Microsoft's OpenID Connect handler will automatically map certain well-known claim names to claim names with namespaces in front of them. One of these claims is the name claim. The ClaimTypes static class contains all these mapped claim names. When configuring the handler, please set the MapInboundClaims option to false to turn off this behavior and the existing code will work. Instead of using the Microsoft-specific way of naming claims, we use names as they are written in the OpenID Connect specification. Note that when you turn off this option, the names of other claims you're checking with ClaimTypes will change too.
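The configuration described in the comment above, as an added example that is not code from the Duende project or from this thread. It is a minimal ASP.NET Core 8 Program.cs that turns MapInboundClaims off on the OpenID Connect handler and registers Duende.AccessTokenManagement, plus a small helper that reproduces what the default mapping does to a constructed set of claims. Assumptions: configuration keys under Oidc:*, the /whoami route, the ClaimDemo class and the use of JwtSecurityTokenHandler.DefaultInboundClaimTypeMap as a stand-in for the handler's internal mapping table are all mine; the raw claim names "name" and "sub" are used as string literals instead of the JwtClaimTypes constants referenced in the issue.

```csharp
// Added example (not from the Duende project or this issue): ASP.NET Core 8 setup
// with inbound claim mapping disabled, plus a demo of the mapping's effect on lookups.
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
    // Assumed configuration keys; the values (ADFS issuer URL, client id, secret)
    // come from appsettings / user secrets, not from this file.
    options.Authority = builder.Configuration["Oidc:Authority"];
    options.ClientId = builder.Configuration["Oidc:ClientId"];
    options.ClientSecret = builder.Configuration["Oidc:ClientSecret"];
    options.ResponseType = "code";
    options.SaveTokens = true;   // token management reads the stored tokens from the session

    // Default is true: the handler rewrites short JWT claim names to the long,
    // namespaced ClaimTypes.* names (e.g. "sub" -> ClaimTypes.NameIdentifier),
    // so a lookup for "name" or "sub" finds nothing. Keep the spec names instead.
    options.MapInboundClaims = false;

    // With mapping off, User.Identity.Name and role checks must be told which raw
    // claim names to use; otherwise they look for ClaimTypes.Name / ClaimTypes.Role.
    options.TokenValidationParameters.NameClaimType = "name";
    options.TokenValidationParameters.RoleClaimType = "role";
});

// Duende.AccessTokenManagement v3 registration for the OIDC user-token scenario.
builder.Services.AddOpenIdConnectAccessTokenManagement();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// Assumed route: shows which name the logging-style lookup resolves for the signed-in user.
app.MapGet("/whoami", (ClaimsPrincipal user) => ClaimDemo.LogName(user)).RequireAuthorization();
app.Run();

static class ClaimDemo
{
    // Same fallback order as the logging code quoted in the issue: "name", then "sub".
    public static string LogName(ClaimsPrincipal user) =>
        user.FindFirst("name")?.Value ?? user.FindFirst("sub")?.Value ?? "unknown";

    // Reproduces the effect of MapInboundClaims = true on a constructed claim set using
    // the short-to-long table shipped with the JWT handler (assumption: the OIDC handler
    // applies the same table). "sub" becomes ClaimTypes.NameIdentifier and
    // "unique_name" becomes ClaimTypes.Name, so LogName(Mapped(...)) yields "unknown".
    public static ClaimsPrincipal Mapped(params Claim[] raw)
    {
        var mapped = raw.Select(c =>
            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.TryGetValue(c.Type, out var longName)
                ? new Claim(longName, c.Value)
                : c);
        return new ClaimsPrincipal(new ClaimsIdentity(mapped, "demo"));
    }

    // The same constructed claims with mapping left alone, as MapInboundClaims = false leaves them.
    public static ClaimsPrincipal Unmapped(params Claim[] raw) =>
        new ClaimsPrincipal(new ClaimsIdentity(raw, "demo"));
}
```

With a constructed ADFS-style claim set such as `new Claim("sub", "123")` and `new Claim("unique_name", "DOMAIN\\alice")`, `ClaimDemo.LogName(ClaimDemo.Mapped(...))` returns "unknown" because both short names were rewritten, while `ClaimDemo.LogName(ClaimDemo.Unmapped(...))` returns "123": with mapping off the lookup falls through to "sub", which is the behaviour the thread goes on to describe. Anything in the application that previously read `ClaimTypes.Name` or `ClaimTypes.NameIdentifier` must switch to the raw names as well.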

hybrid2102 commented 1 week ago

Thank you for your suggestion. I tried setting the MapInboundClaims option to false, but now the username is being read from the “sub” claim. Instead, I need it to be read from the “unique_name” claim. Is there a way to configure this mapping? Thanks again!

RolandGuijt commented 1 day ago

The userName variable in that method is just used for logging. The sub claim normally is the right claim to use to identify the user: why do you want it to be anything else? Unfortunately there is no way to change it except for writing your own IUserTokenManagementService implementation.

hybrid2102 commented 1 day ago

Thank you, Roland.

I would like to change the claim to have a more understandable log. I will go in the direction you indicated if there are no other solutions.

Thanks again.