Simplify clearing the JWT claims type mappings

[Tratcher]

aspnet/Security#1636 (comment)

JwtSecurityTokenHandler used by JwtBearer & OIDC maps the standard OIDC claim types to long namespace names to match older protocols like WsFed. We can't disable this by default without affecting existing users. Turning this off manually requires either calling JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); at the top of our Startup Class (inside the OIDC options lamda is too late), or doing the following inside your options:

                var handler = new JwtSecurityTokenHandler();
                handler.InboundClaimTypeMap.Clear();
                o.SecurityTokenValidator = handler;

Could this be shortened to a top level option or extension method?

static void UseShortClaimTypes(this OpenIdConnectOptions options)
{
                var handler = new JwtSecurityTokenHandler();
                handler.InboundClaimTypeMap.Clear();
                options.SecurityTokenValidator = handler;
}

@leastprivilege @brockallen

[brockallen]

Could this be shortened to a top level option or extension method?

One can only hope!

UseShortClaimTypes

I prefer UseOidcProtocolClaimsTypesRatherThanWsStarClaimsTypesBecauseDotNetHasConstantsForThoseLegacyClaimsTypes...

or UseOidcProtocolClaimsTypes for short if you prefer :)

or maybe some name that implies that the claim types in the token won't be adulterated.

[brentschmaltz]

@Tratcher @brockallen we are going to add a single switch to turn off mapping in 5.2.2
We wanted to get this into 5.2.0, but it dropped off the radar.

Also, when we add Async, we will have mapping OFF by default, we will address this:
AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#550

[Eilon]

Parking in the RC1 milestone to see what @brentschmaltz and company come up with.

[brockallen]

What's the timeframe for that, @brentschmaltz?

[brentschmaltz]

@brockallen @Tratcher we are targeting a release 5.2.2 in April with a static global OFF switch.
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/milestone/24

[leastprivilege]

How is that better than clearing the default inbound claim type map?

[brentschmaltz]

@leastprivilege I was proposing the switch would turn off inbound and outbound mapping. We wouldn't have to initialize the dictionaries in the JwtSecurityTokenHandler constructor. I suppose it depends on if you care. The performance gain would be in relation to how may tokenhandlers one creates. Processing wouldn't necessarily be faster, since the bool flag could be the count as we are planning to adjust IdentityModel's code to check for the count and branch either way.

[leastprivilege]

I don't think anyone cares about perf here. Sure a "global switch" is better than clearing dictionaries.

Opting IN instead of OUT would be preferred though.

[brentschmaltz]

@leastprivilege
Sometime simple things can save 1-3%. These make a big deal to large volume services, who regularly squeak when we add %1.
We invested in running a number of perf tests and have several small improvements that will show up.

Opting IN instead of OUT would be preferred though.

I agree, for 5.2.2 we will have the BIG RED SWITCH.
Our Async work will be Opt IN.

[Eilon]

Parking in the 3.0.0 bucket because this would be a breaking change.

[brentschmaltz]

@Tratcher @Eilon we dropped IdentityModel 5.2.2 yesterday that has a the static property JwtSecurityTokenHandler.DefaultMapInboundClaims and the instance MapInboundClaims.