OrchardCMS / OrchardCore

Orchard Core is an open-source modular and multi-tenant application framework built with ASP.NET Core, and a content management system (CMS) built on top of that framework.
https://orchardcore.net
BSD 3-Clause "New" or "Revised" License

User.Identity.Name is null despite using valid OpenId bearer token with claim for name #9533

Closed jersiovic closed 3 years ago

jersiovic commented 3 years ago

Describe the bug

Using a bearer token provided by the OpenID module which contains a claim with the user name, when User.Identity.Name is accessed its value is null despite a claim for name being present at User.Claims. It seems that the current configuration is not properly mapping claims to the User.Identity model.

To Reproduce

Steps to reproduce the behavior:

  1. Check out the latest bits of the Orchard dev branch
  2. Set up an Orchard site
  3. Enable modules: OpenID Core Components, OpenID Authorization Server, OpenID Management Interface, OpenID Token Validation, and Contents Module
  4. Configure OpenID settings from the dashboard to allow all endpoints, password flow and refresh flow. Disable Rolling Refresh Tokens, choose JSON Web Token (JWT) as token format and disable Access Token Encryption.
  5. Create an OpenID confidential client app that allows password and refresh flows
  6. Request an access token with Postman for the admin user; see the screenshot section for the data used
  7. Add a breakpoint at the content module controller for route /api/content/ to check the value of User.Identity.Name when an action is performed
  8. Request with Postman a resource from the contents API module controller using the bearer token, as is done in the screenshot.
  9. You can check that User.Identity.Name has a null value; however, as you can see in the screenshot, the claim with the name exists

Expected behavior

I would expect the name "admin" to be at User.Identity.Name

Screenshots

[three screenshots]

jersiovic commented 3 years ago

@kevinchalet maybe the answer you gave here is related to this problem: https://github.com/openiddict/openiddict-core/issues/1227. However, I've not been able to do something with that answer in the Orchard source.

kevinchalet commented 3 years ago

The OpenID module would have to map the WS-Fed ClaimTypes.Name to name for that to work (the OpenIddict validation handler uses name for the name claim).
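The mismatch described in the comment above, as an added example that is not part of the thread and is not the code of Orchard Core, OpenIddict or the fix in #9555. `Validate` and `MapNameClaim` are hypothetical helpers, and the claims are constructed sample data standing in for the access token.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

public static class NameClaimDemo
{
    // Hypothetical helper (not Orchard Core or OpenIddict API): copy each
    // WS-Fed ClaimTypes.Name claim to the short "name" type before issuance.
    public static IEnumerable<Claim> MapNameClaim(IEnumerable<Claim> claims)
    {
        foreach (var claim in claims)
        {
            yield return claim;
            if (claim.Type == ClaimTypes.Name)
                yield return new Claim("name", claim.Value, claim.ValueType, claim.Issuer);
        }
    }

    // Stands in for a validation handler that builds the identity with
    // nameType "name", so Identity.Name is read from the "name" claim only.
    public static ClaimsPrincipal Validate(IEnumerable<Claim> tokenClaims) =>
        new ClaimsPrincipal(new ClaimsIdentity(tokenClaims, "Bearer", "name", "role"));

    public static void Main()
    {
        // Constructed claims: the user name sits under the WS-Fed URI
        // http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name.
        var issued = new[]
        {
            new Claim("sub", "constructed-user-id"),
            new Claim(ClaimTypes.Name, "admin"),
        };

        var before = Validate(issued);
        var after = Validate(MapNameClaim(issued));

        // The claim is present and the principal is authenticated, yet
        // Identity.Name is null because no claim has the type "name".
        Console.WriteLine($"before: authenticated={before.Identity?.IsAuthenticated}, " +
            $"claim present={before.HasClaim(c => c.Value == "admin")}, " +
            $"Name={before.Identity?.Name ?? "(null)"}");
        Console.WriteLine($"after:  Name={after.Identity?.Name ?? "(null)"}");

        // Code that keys auditing or ownership checks on the name should
        // treat an authenticated principal without a name as an error.
        if (string.IsNullOrEmpty(before.Identity?.Name))
            Console.WriteLine("before: authenticated but unnamed principal, reject or log");
    }
}
```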

jersiovic commented 3 years ago

Cool, it works. I'm going to submit a PR ASAP, thank you.

kevinchalet commented 3 years ago

I'm pretty sure there are a few tickets about making this part configurable. We should maybe make the mapping configurable using some sort of script?

deanmarcussen commented 3 years ago

For info: https://github.com/OrchardCMS/OrchardCore/issues/7671

agriffard commented 3 years ago

Fixed by #9555