I've an API which supports bearer tokens for authentication.
There are custom accounts and external logins. Now when a user accesses the API I want to access a unique identifier of the user to relate data to him.
I first thought about the subject, but there are no subject claims. So is the subject not the right thing? Or am I just missing a config? Is the UniqueNameIdentifier the thing I should be using?
user.Claims.First(I => I.Type == ClaimTypes.NameIdentifier).Value;
When I use an access token which was created by authenticating with an external provider (Facebook) I can see that the NameIdentifier contains an Id, so is this reliable?
There is also a website which also authenticates with this IdentityServer. There the subject is returned and I can see it has the same value as this NameIdentifier. But why is there an offset? Why isn't the value returned as subject in the API config?
What is the recommended way?
My config in the consuming API is:
string identServer = ConfigurationManager.AppSettings["pluto:identity:server:url"];
app.UseIdentityServerBearerTokenAuthentication(new IdentityServer3.AccessTokenValidation.IdentityServerBearerTokenAuthenticationOptions()
{
    Authority = identServer,
});
and the configuration in the identity server is:
return new Client
{
    Enabled = true,
    ClientId = "pluto",
    ClientName = "Pluto Site",
    ClientSecrets = new List<Secret>
    {
        new Secret("foo".Sha256())
    },
    Flow = Flows.ResourceOwner,
    AllowedScopes = new List<string>
    {
        Constants.StandardScopes.OpenId,
        "read"
    }
};
Use the subject claim. It's used to uniquely identify a user; that's what the JWT claim type is for.
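As an added illustration (not code from the question or the answer above), here is one way the consuming API can read the subject as a single, stable identifier regardless of how the token handler has renamed it. The Microsoft JWT handler's default inbound claim type map translates the JWT "sub" claim to ClaimTypes.NameIdentifier, which is the usual reason "sub" appears to be missing while NameIdentifier carries the same value; whether the IdentityServer3 middleware version in the question applies that map is not shown on the page, so the helper below accepts both shapes and refuses to fall back to anything else. The class and method names and the sample claim values are illustrative assumptions.

```csharp
// Added example, not from the original question or answer. Resolves the user's
// stable identifier from the ClaimsPrincipal the bearer-token middleware produces.
// SubjectResolver, GetSubjectId and the sample values are illustrative assumptions.
using System;
using System.Security.Claims;

public static class SubjectResolver
{
    // The JWT claim type for the subject, exactly as issued in the access token.
    private const string JwtSubjectClaimType = "sub";

    // Returns the subject identifier, or throws if the principal carries none.
    // Look-up order:
    //   1. the raw JWT "sub" claim, present when the handler left claim types untouched;
    //   2. ClaimTypes.NameIdentifier, where the Microsoft JWT handler's default inbound
    //      claim type map places "sub" (same value, different claim type name).
    // Nothing else (name, email, external-provider ids) is accepted as a fallback:
    // those are neither stable nor guaranteed unique across identity providers.
    public static string GetSubjectId(ClaimsPrincipal user)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            throw new InvalidOperationException("No authenticated principal.");

        Claim sub = user.FindFirst(JwtSubjectClaimType)
                    ?? user.FindFirst(ClaimTypes.NameIdentifier);

        if (sub == null || string.IsNullOrWhiteSpace(sub.Value))
            throw new InvalidOperationException("Access token carries no subject claim.");

        return sub.Value;
    }

    // Demo with constructed principals (sample data, not real tokens): one shaped
    // the way the API sees it after "sub" was mapped to NameIdentifier, one with
    // the raw "sub" claim. Both resolve to the same identifier.
    public static void Main()
    {
        const string subjectId = "a3f9c2d1-0000-4000-8000-000000000001"; // constructed

        var mapped = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, subjectId),
            new Claim(ClaimTypes.Name, "alice"),
        }, "Bearer"));

        var raw = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(JwtSubjectClaimType, subjectId),
        }, "Bearer"));

        Console.WriteLine(GetSubjectId(mapped));
        Console.WriteLine(GetSubjectId(raw));
        Console.WriteLine(GetSubjectId(mapped) == GetSubjectId(raw)); // True
    }
}
```

In an API controller the call is simply `SubjectResolver.GetSubjectId(User)` (or `ClaimsPrincipal.Current` in older Katana-hosted Web API); keying data on that value rather than on name or email keeps custom accounts and external logins (such as the Facebook case in the question) on the same identifier the website sees as the subject.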