Single-item-claim-array when using ClaimValueTypes.Json changing schema #18178
Comments
|
@azydevelopment Thanks for contacting us. Is there anything specific about ASP.NET Core here? All that seems to be Identity Server specific code, is there any specific piece of code where we are overriding your settings? Templates are a starting point and you are allowed to change them in whatever way suits your scenario first. I don't think this is an issue, but if you provide more details we can re-evaluate. |
javiercn
added
the
Needs: Author Feedback
|
Yep this is an issue in code in AspNetCore. Specifically in JavaScript client code. The IdentityServer code is only needed to expose the issue. The main issue is that the client side JWT processing does not honor what is actually said in the JWT. I'm not sure where exactly the bad transformation is happening but it does seem to be in AspNetCore code since the JWT itself has the right single element array in it (which also means the issue isn't in IdentityServer). |
|
We don't parse the JWT ourselves, that's part of https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet Please file the issue there. |
|
Thanks. Not a problem. Down the rabbit hole I go. |
|
Well - if you think this is happening in JavaScript - then probably this is the better place to go: |
ghost
locked as resolved and limited conversation to collaborators
and others
Describe the bug
Please see this issue: IdentityServer/IdentityServer4#3968
When sending over a JWT with an array claim with only one value, the claim in user.profile gets transformed to just a string. When an array with 2 values gets sent over in the JWT claim, user.profile sets it to an array with those 2 values.
This means that the schema changes depending on how many items are in the claim which is less than ideal and forces some special casing.
To Reproduce
Consider this code applied to a React + ASP.NET template with Individual User authentication/authorization. The snippet has IdentityServer send over the JWT claim as an array even if it only has one value in it:
The JWT that comes out on the other end does have an array with 1 value in it but user.profile transforms it into a string.
If you don't want to actually create a role before testing this, just replace
rolesJsonabove with"[\"role1\"]".From AuthorizeServices.js checking out user.profile where the claims end up on the client side:
I marked this as a bug because it overrides the explicitly defined preference of IdentityServer.
Further technical details
.NET Core SDK (reflecting any global.json):
Version: 3.1.100
Commit: cd82f021f4
Runtime Environment:
OS Name: Windows
OS Version: 10.0.18362
OS Platform: Windows
RID: win10-x64
Base Path: C:\Program Files\dotnet\sdk\3.1.100\
Host (useful for support):
Version: 3.1.0
Commit: 65f04fb6db
.NET Core SDKs installed:
3.0.100 [C:\Program Files\dotnet\sdk]
3.1.100 [C:\Program Files\dotnet\sdk]
.NET Core runtimes installed:
Microsoft.AspNetCore.All 2.1.13 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
Microsoft.AspNetCore.App 2.1.13 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.1.13 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
To install additional .NET Core runtimes or SDKs:
https://aka.ms/dotnet-download
The text was updated successfully, but these errors were encountered: