ConfigureJwtBearer hardcodes MapInboundClaims to false, NameIdentifier is Null IdentityServer, Sub not mapped to NameIdentifier

[mitch-tofi]

Documentation here : http://docs.identityserver.io/en/3.1.0/topics/apis.html

States use AddJwtBearer or AddIdentityServerAuthentication will yield the same results as it uses the same library internally for the most part this is correct however

when using the method overload in the example

       services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
            .AddIdentityServerAuthentication(options =>
            {
                // base-address of your identityserver
                options.Authority = "https://demo.identityserver.io";
                // name of the API resource
                options.ApiName = "api1";
            });

Inbound claims are not mapped like they are in AddJwtBearer.

Lines 210-216 of IdentityServerAuthenticationOptions.cs explicitly sets a handler that prevents this.

however in previous comments on github etc https://github.com/IdentityServer/IdentityServer4/issues/3642

this solution doesn't work, because the handler is instantiated here and passed in. so the static instance is never used.

should this code use the static instance instead? or have some sort of override? i can see in code history there was one but was removed.

[mitch-tofi]

Adding to this ticket is a workaround:

Create this class:

   public class ConfigureJwtBearerOptions : IPostConfigureOptions<JwtBearerOptions>
    {
        public void PostConfigure(string name, JwtBearerOptions options)
        {
            options.SecurityTokenValidators.Clear();
            options.SecurityTokenValidators.Add(new JwtSecurityTokenHandler()
            {
                MapInboundClaims = true
            });
        }
    }

Add this to the services collection: services.AddSingleton<IPostConfigureOptions<JwtBearerOptions>, ConfigureJwtBearerOptions>();

[leastprivilege]

Why do you want to map claims to Microsoft proprietary values? Doesn't make sense.

[mitch-tofi]

Some libraries by default rely on NameIdentifier (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier) eg https://docs.microsoft.com/en-us/aspnet/core/signalr/groups?view=aspnetcore-3.1

Not saying that their proprietary values make sense, and there is a work around so perhaps that should be part of the documentation?

[leastprivilege]

Yes - it should be part of Microsoft's documentation.

[mitch-tofi]

Ok.

Well I hope other people who run into this issue can see this ticket and help them with any issues this may cause from them.

Updated Title to reflect the issue.