New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot cast Newtonsoft.Json.Linq.JArray to Newtonsoft.Json.Linq.JToken #4669
Comments
That's odd. Did it work in 1.1? Side note: there's a rethrow here that's dropping the original stack trace https://github.com/aspnet/Security/blob/5b29bced0d2f1cfc78843bcd9ec9a828c6fb5fef/src/Microsoft.AspNetCore.Authentication/RemoteAuthenticationHandler.cs#L98 Can you hook into the OnRemoteFailure event and get the original stack trace? |
Yes it works in 1.1 and now I use core 1.1 |
|
That's more interesting. break it under the debugger and see which claim it is. It's getting back a list when it's only expecting a single item. Sharing a sanitized dump of the user-info http response would be helpful as well. Fiddler can help you capture that. |
I think there is no user info and it throw before sending request. the problem should be on parsing the token
|
Sorry it was because of https here is dump
|
It looks like the It looks like IdentityServer4 is using a non-standard name format. |
Yes you right the problem must be there how I missed it :) thank you |
I talk with identityserver team and they ask, how said we cannot have more than one claim. |
Ideally we'd have improved error handling when parsing these messages. We should detect that data types are incorrect (as well as other issues) and throw proper exceptions for those. |
Maybe you need more flexible parsing instead. |
My understanding was that the data type must be a string per the protocol. If that's not correct, or I've misunderstood, I agree we need to consider making it more flexible. |
I agree that multiple names are an edge case and not directly specified by the OIDC spec. But this is just the general problem of translating JWTs/JSON to .NET claims. We've been through that, and just made our code a bit more "permissive". |
@leastprivilege is it an edge case or is it invalid (per the spec)? @Tratcher in the discussion that we had it was mentioned that it's not valid - do you have a spec pointer about that? |
It's quoted above: https://github.com/aspnet/Security/issues/1383#issuecomment-324461357 |
Ah, sure, so if the spec says this field in particular must be a string, I think it's fine to not support any other behavior. We just need to see if we can make it be a better error behavior. |
FYI in my specific case it was |
I ran into this exception while connecting my application to IdentityServer4 with AzureAD as external authentication provider. My application is using Hybrid flow to connect to IdentityServer4. I get properly redirected to Azure, login, and
If I configure my application to use Implicit flow this exception is not observed. In my case AzureAD returns 2 |
Yep, thanks to this post, I figured out that is was the 'name' claim that was a string[] instead of a string. I confirmed that AAD sends two name claims: one is issued by AAD provider the other is LOCAL AUTHORITY. Our identity server has always stored and passed on interesting claims like name, phone, etc. as part of the profile. Seems like the latest changes to .NET Core are enforcing the types for certain claim types. I updated our identity server to not pass on the local authority issuer claims. The only one I ever see is for name. I tested with an AAD "visitor" id and a regular AD user. Now there is only one name claim and it will be the human friendly version issued by AAD. |
In my case the problem relates to IDS4 returning the role claim as an array when the user has multiple roles (see http://docs.identityserver.io/en/release/endpoints/userinfo.html). This causes an exception when trying to get the role into the Principal via:
I've got around this as follows:
|
Thank you so much @mstrong64! You just saved me from getting completely insane here. 👍 |
Let's improve the error here to at least say what property didn't match what was expected per the spec (and maybe info about the mismatched types). |
Closing because this change doesn't seem worth it. |
I had the same issue and like @mstrong64 suggested remapping some claims was the key. In my case, the name claim was the problem, since it is stored as a claim in IdentityServer4 there can be multiple instances of it Cleaning that up and we were good to go
Depending on your mapping JwtClaimTypes.Name can also be ClaimTypes.Name |
I use Identityserver4 and try to connect with a .ner core 2.0 mvc app to Open Id authentication
My Configuration is here
but I got this error :
The text was updated successfully, but these errors were encountered: