Add ClaimActions for bulk add and remove

[Tratcher]

#1609 @leastprivilege @brockallen how does this look? It covers your asks in three parts:

• Clear the JWT claims type map.
• Map all claims
• bulk delete protocol claims

[HaoK]

Shorten to MapAll to be consistent with all the other methods that don't have Claims suffix?

[HaoK]

Delete?

[Tratcher]

People have been very confused by Remove vs Delete. We need to avoid aggravating that.

[HaoK]

you could also just change DeleteClaim to take a params string[] right?

[Tratcher]

In theory, but it would be binary breaking.

[HaoK]

Nit: can you something like this?

var duplicate = identity.FindFirst(c => c.Key == pair.Key && string.Equals(c.Value, claimValue, StringComparison.Ordinal) != null

[HaoK]

Consider enhancing DeleteClaimAction type to take a list of claims so you don't have to add one action per type?

[Tratcher]

Performance wise it's the same, you still need to loop through all of the names.

Adding them individually preserves the functionality of methods like ClaimActionsCollection.Remove(claimType) that removes the action by name.

[HaoK]

Pretty sure that's exactly the behavior that's confusing today.

options.ClaimActions.Remove("something") you would think is the same as options.ClaimActions.DeleteClaim("something").

I think this api should be mostly focusing on making it easy to do the common things.

MapJsonKey
MapAll
Delete

[HaoK]

The list of delegate/actions is fine as an implementation detail, but I really don't think generally developers should have to understand/deal with that... when all they want to do is include/ignore some set of claims. Only someone who is trying to plug in a complex mapping should have to understand the whole claim action stuff

[leastprivilege]

Clear the JWT claims type map.

Maybe I am missing something - but this is only done in the sample. Not in the handler...I want this to be turned off by default. Your default mapping can do the conversion from standard to propriety if that is a requirement.

Map all claims
bulk delete protocol claims

Can't we make that one operation like

MapAll(params string[] filterList)

[Tratcher]

RemoveProtocolClaims
MapAllUserInfo

[leastprivilege]

just to be really clear

this

var handler = new JwtSecurityTokenHandler();
handler.InboundClaimTypeMap.Clear();
o.SecurityTokenValidator = handler;

is not really an improvement over just turning of the inbound claims mapping globally via their static DefaultInboundClaimTypeMap.

I would like to see no claims mapping at all.

[Tratcher]

@leastprivilege @brockallen Updated. MapAllExcept combines both operations like you asked.

[brockallen]

Thanks. Will investigate.

[leastprivilege]

..and what about the claim type mappings - will this be turned off at the handler level by default?

[Tratcher]

That's a breaking change, I can't do that right now.

[Tratcher]

@leastprivilege @brockallen please review this week or we'll need to close this PR.

[brockallen]

I have a VM with preview-1. I assume I can just pull the source for this and test that.

[leastprivilege]

That's a breaking change, I can't do that right now.

Two things you can do:

• Do the mapping of standard to proprietary claims in the default claim actions
• Allow setting/clearing the inbound claim type map directly on the OIDC handler options

[Tratcher]

@brockallen the code should even work against 2.0 RTM.

[Tratcher]

@leastprivilege

Do the mapping of standard to proprietary claims in the default claim actions

I don't follow. Can you give an example?

Allow setting/clearing the inbound claim type map directly on the OIDC handler options

So the code you want to simplify is:

                var handler = new JwtSecurityTokenHandler();
                handler.InboundClaimTypeMap.Clear();
                o.SecurityTokenValidator = handler;

Down to something like o.InboundClaimTypeMap.Clear();? That might be doable but it would rely on downcasting ISecurityTokenValidator SecurityTokenValidator to it's default type JwtSecurityTokenHandler.

[brockallen]

@brockallen the code should even work against 2.0 RTM.

Even easier. I'll do it first thing tomorrow.

[leastprivilege]

I don't follow. Can you give an example?

Well - you could have a MakeYourClaimsWorse (naming is up to you ;)) option. And when it is set - whenever you run a claim action, you use the dictionary provided by the JwtSecurityTokenHandler to do a mapping if present. If not you use the raw claim types.

This way the mapping behavior would be an OIDC handler thing...

[brockallen]

I was unable to get this branch working on either 2.0 or 2.1-preview-1. Mainly build issues on the Security repo.

[Tratcher]

@brockallen no need to build this repo, you should be able to copy the MapAllClaimsAction class directly into your app. You could also copy the new extension methods if you like.

[brockallen]

When I use the new MapAll I get a null reference exception on userData. Implicit flow only in my client, BTW: ResponseType="id_token".

[brockallen]

I think all these new helpers should all call Clear on the ClaimsActions. For example:

options.ClaimActions.MapAllExcept("aud", "iss", "iat", "nbf", "exp", "aio", "c_hash", "uti", "nonce")

Still doesn't allow amr through. I had to call:

options.ClaimActions.Clear();
options.ClaimActions.MapAllExcept("aud", "iss", "iat", "nbf", "exp", "aio", "c_hash", "uti", "nonce");

to get amr, and so then it makes the MapAllExcept name not make much sense.

Same goes for MapAll -- all by itself it doesn't really do much.

[brockallen]

And just to repeat since I don't know if you saw it:

When I use the new MapAll I get a null reference exception on userData. This fails when I have an implicit flow only client, meaning ResponseType="id_token".

Actually, any of these new helpers fail with the same null ref exception for "id_token" only client.

[Tratcher]

Updated

[brockallen]

Cool, thanks. I think with those changes, this now becomes a nice one-liner to allow controlling which claims are kept/removed. There's of course the claim type map issue, but that's another topic/thread I assume?

[Tratcher]

Agreed, the type map is orthogonal.

[Tratcher]

@HaoK please sanity check

[HaoK]

This should call MapAll

[Tratcher]

@leastprivilege second guessing the mappings is problematic, you're better off clearing JWT's mappings. I'm going to merge this PR as your suggestions along that line are independent. I'll file a new issue to simplify clearing the JWT type map.