Tags: jwt, access-token, identityserver4

why am i getting role claims sometimes namespaced and sometimes without namespace


I'm using IdentityServer4 for authentication. Some clients use reference tokens, some clients use self-contained tokens.

  • For reference tokens I use the IntrospectionClient to exchange the access tokens for claims.
  • For self-contained tokens I use "JwtSecurityTokenHandler.ValidateToken" to exchange the access token for claims.

For the first I get the role claims with key "role", for the second I get the role claims with key "http://schemas.microsoft.com/ws/2008/06/identity/claims/role".

Any idea how to line this up to one key for both scenarios?


Solution

  • You are not saying what technology your "self-contained" clients are using, but I'm assuming it is some .NET.

    Here are the solutions for:

    .NET Core:

    In your Startup.cs (of the client project) add this line:

    using System.IdentityModel.Tokens.Jwt;

    // Clearing the static default map means every handler created afterwards
    // keeps the JWT claim names as issued ("role", "sub", ...) instead of
    // translating them to the long WS-* claim type URIs.
    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
    

    Documentation for .NET Core.

    .NET Framework:

    Again in the Startup.cs add the following:

    using System.Collections.Generic;
    using System.IdentityModel.Tokens;
    using System.Web.Helpers;
    // Constants.ClaimTypes.Subject is assumed to come from the IdentityServer
    // constants package referenced by the project (IdentityServer3.Core in
    // the IdentityServer3 documentation).

    // Anti-forgery needs a claim that uniquely identifies the user; with the
    // short names kept, that is "sub" rather than the long NameIdentifier URI.
    AntiForgeryConfig.UniqueClaimTypeIdentifier = Constants.ClaimTypes.Subject;
    // An empty inbound map disables the short-name to URI translation.
    JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
    

    Documentation for .NET Framework.

    This should fix your problem, and all of your claims will come with the short names.
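To make the behaviour behind the answer visible, here is an added example that is not part of the question or the answer. It issues a small demo JWT with a constructed symmetric key and a made-up issuer (both assumptions for the demo; a real API validates against the IdentityServer signing key from its discovery document), then validates it twice with JwtSecurityTokenHandler: once with the default inbound claim type map, which produces the long "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" key from the question, and once with the map cleared, which keeps the short "role" key that introspection also returns. It assumes the System.IdentityModel.Tokens.Jwt package version 5 or later, where the inbound map is also available per handler instance, so clearing it does not touch global state the way DefaultInboundClaimTypeMap.Clear() does.

```csharp
// Added example: shows how JwtSecurityTokenHandler's inbound claim type map
// renames "role" to the long WS-* URI and how clearing the map keeps the
// short name. Assumes System.IdentityModel.Tokens.Jwt v5+ (Microsoft.IdentityModel.Tokens).
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class ClaimTypeMapDemo
{
    // Constructed demo values; a real client validates against the
    // IdentityServer signing key and issuer from the discovery document.
    private const string DemoIssuer = "https://demo-idp.example";
    private const string DemoAudience = "api1";
    private static readonly SymmetricSecurityKey DemoKey =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-signing-key-at-least-32-bytes-long!!"));

    // Issues a JWT carrying "sub" and two "role" claims with short names,
    // the same shape IdentityServer4 puts into a self-contained access token.
    public static string IssueDemoToken()
    {
        var handler = new JwtSecurityTokenHandler();
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = DemoIssuer,
            Audience = DemoAudience,
            Subject = new ClaimsIdentity(new[]
            {
                new Claim("sub", "alice"),
                new Claim("role", "admin"),
                new Claim("role", "auditor"),
            }),
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(DemoKey, SecurityAlgorithms.HmacSha256),
        };
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // Validates the token and returns the distinct claim types the handler
    // produced. With mapping on, "role" arrives as ClaimTypes.Role and "sub"
    // as ClaimTypes.NameIdentifier; with mapping off, the names stay as issued.
    public static IReadOnlyList<string> ClaimTypesAfterValidation(string jwt, bool mapInboundClaims)
    {
        var handler = new JwtSecurityTokenHandler();
        if (!mapInboundClaims)
        {
            // Per-instance equivalent of the answer's global
            // JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear().
            handler.InboundClaimTypeMap.Clear();
        }

        var parameters = new TokenValidationParameters
        {
            ValidIssuer = DemoIssuer,
            ValidAudience = DemoAudience,
            IssuerSigningKey = DemoKey,
        };
        ClaimsPrincipal principal = handler.ValidateToken(jwt, parameters, out _);
        return principal.Claims.Select(c => c.Type).Distinct().ToList();
    }

    // Defensive role lookup for code that receives principals from both the
    // introspection path (short names) and an unconfigured JWT handler
    // (long URIs), so authorization does not silently see zero roles.
    public static IReadOnlyList<string> Roles(ClaimsPrincipal principal)
    {
        return principal.Claims
            .Where(c => c.Type == "role" || c.Type == ClaimTypes.Role)
            .Select(c => c.Value)
            .ToList();
    }

    public static void Main()
    {
        string jwt = IssueDemoToken();

        Console.WriteLine("Default inbound map (long URIs):");
        foreach (string type in ClaimTypesAfterValidation(jwt, mapInboundClaims: true))
            Console.WriteLine("  " + type);

        Console.WriteLine("Inbound map cleared (short names, matching introspection):");
        foreach (string type in ClaimTypesAfterValidation(jwt, mapInboundClaims: false))
            Console.WriteLine("  " + type);
    }
}
```

Running it, the first list contains "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" (and the NameIdentifier URI for "sub"), the second contains plain "role" and "sub" alongside the registered claims such as "iss" and "aud". The Roles helper is the belt-and-braces option when the map cannot be cleared globally, for example because another library in the same process relies on the mapped names.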