SWA Users - support `userDetails`, `userId` from `X-MS-CLIENT-PRINCIPAL` payload

[yorek]

If X-MS-CLIENT-PRINCIPAL contains the following (base64-encoded) JSON

{  
  "identityProvider": "test",
  "userId": "12345",
  "userDetails": "john@contoso.com",
  "userRoles": ["role1", "role2", "author"],
  "claims": [{
    "typ": "SeriesId",
    "val": 10000
  }]
}

it will not be correctly interpreted as a valid client principal and thus the request will not be considered authenticated. The issue is with the val element, that contains an integer and not a string. Changing the value integer value 10000 into the string value "10000" allows authentication to work as expected

[seantleonard]

Before deciding on what/if this needs to be updated, I'll need to check SWA environment to see if it converts all claim values to strings.

I followed .NET class Claim to implement the claim value as a string https://learn.microsoft.com/en-us/dotnet/api/system.security.claims.claim.value?view=net-6.0

[yorek]

I see, that makes sense. But in the case we really can only have strings in claims, that will be an issue that we have to discuss, as it will be impossible for a user to compare a string to a number, like I tried to do, which is a very common use case.

[seantleonard]

Thoughts:
Claims will retain their value types from the JWT token/base 64 encoded json payload, which are limited to the type that are allowed for JSON.

• PR Enable Authentication/Authorization Dynamic Runtime Configuration for Hosting #795 was merged for Oct2022 release which will attempt to convert instances of @claims.claimName into the value type represented in the OData model that is generated at startup. Take a look at that PR description to get detailed explanation.
• Investigating how SWA does/does not insert certain claims into the SWA token payload prior to closing this issue. I noticed that, even with a JWT token full of claims, SWA did NOT add those to their auth paylod. (might be a bug on their side, im confirming.)