Tags: asp.net-core, oauth, identityserver4, claims

Difference between ClaimActions.Remove and ClaimActions.DeleteClaim


I'm trying to learn OAuth2 and IdentityServer4.

I would like to know the difference between ClaimActions.Remove and ClaimActions.DeleteClaim in Microsoft.AspNetCore.Authentication.OAuth.Claims.

I'm trying to follow some tutorials and documentation on Microsoft.

In my code, I do something like this for testing:

options.ClaimActions.Remove("amr");
options.ClaimActions.DeleteClaim("sid"); 
options.ClaimActions.DeleteClaim("idp");

However, I can still see all three when I decrypt the JwtToken.

Example of my JwtToken:

{
  "nbf": 1568057488,
  "exp": 1568061088,
  "iss": "https://localhost:44378",
  "aud": "https://localhost:44378/resources",
  "client_id": "oauthtestwebclient",
  "sub": "78452916-D260-4219-927C-954F4E987E70",
  "auth_time": 1568057485,
  "idp": "local",
  "scope": [
    "openid",
    "profile",
    "address"
  ],
  "amr": [
    "pwd"
  ]
}

So, I don't understand why it's not removing those claims from the generated JwtToken.

I would like to know the difference and the use cases for both methods. Could you please explain them?


Solution

  • Claim actions allow modifying how claims from an external provider are mapped (or not) to a claim in your ClaimsPrincipal. That doesn't affect your JWT token claims.

    Let's start with the default ASP.NET Core OIDC middleware:

    // Requires: using System.IdentityModel.Tokens.Jwt;
    // Stop JwtSecurityTokenHandler renaming short JWT claim names ("sub", "name", ...)
    // to the long legacy WS-* claim URIs; claims keep the names the token uses.
    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
    
    services.AddAuthentication(options =>
        {
            options.DefaultScheme = "Cookies";        // the local session is kept in a cookie
            options.DefaultChallengeScheme = "oidc";  // unauthenticated users are sent to the provider
        })
        .AddCookie("Cookies")
        .AddOpenIdConnect("oidc", options =>
        {
            options.Authority = "http://localhost:5000";
            options.RequireHttpsMetadata = false;     // development only; keep the default (true) in production
        });
    

    By default, the ASP.NET Core OIDC middleware will ignore some claims that won't be mapped to user claims; refer to the source code:

    ClaimActions.DeleteClaim("nonce");
    ClaimActions.DeleteClaim("aud");
    ClaimActions.DeleteClaim("azp");
    ClaimActions.DeleteClaim("acr");
    ClaimActions.DeleteClaim("iss");
    ClaimActions.DeleteClaim("iat");
    ClaimActions.DeleteClaim("nbf");
    ClaimActions.DeleteClaim("exp");
    ClaimActions.DeleteClaim("at_hash");
    ClaimActions.DeleteClaim("c_hash");
    ClaimActions.DeleteClaim("ipaddr");
    ClaimActions.DeleteClaim("platf");
    ClaimActions.DeleteClaim("ver");
    

    So even if the JWT token includes the above claims, after authentication the user claims won't include them, since they are ignored during mapping.


    If using options.ClaimActions.Remove("amr");, that means amr will map to the user ClaimsPrincipal.

    If using ClaimActions.DeleteClaim("sid");, that means sid will not map to user claims.

    So if using your test options, the result will be:

    (screenshot of the resulting user claims not included)
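To see the difference without a running IdentityServer, here is an added example (not code from the answer above and not ASP.NET Core's own code) that applies a ClaimActionCollection to a ClaimsIdentity the way OpenIdConnectHandler does. The sub/sid/idp/amr values, the issuer string and the userinfo payload are constructed for the demo; it assumes a console project that references the Microsoft.AspNetCore.App shared framework on .NET Core 3.0 or later, where ClaimAction.Run takes a System.Text.Json JsonElement.

```csharp
// Added example, not code from the original answer or from ASP.NET Core itself.
// Assumes a console project referencing the Microsoft.AspNetCore.App shared
// framework (.NET Core 3.0 or later), where ClaimAction.Run takes a JsonElement.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text.Json;
using Microsoft.AspNetCore.Authentication;              // DeleteClaim / MapJsonKey extension methods
using Microsoft.AspNetCore.Authentication.OAuth.Claims; // ClaimActionCollection, ClaimAction

static class ClaimActionsDemo
{
    // The identity the OIDC handler builds from a validated id_token, before any
    // ClaimAction runs. Values are constructed for the demo.
    static ClaimsIdentity IdentityFromIdToken() =>
        new ClaimsIdentity(new[]
        {
            new Claim("sub",   "78452916-D260-4219-927C-954F4E987E70"),
            new Claim("sid",   "constructed-session-id"),
            new Claim("idp",   "local"),
            new Claim("amr",   "pwd"),
            new Claim("nonce", "constructed-nonce"),
        }, "oidc");

    // Runs every registered action the way OpenIdConnectHandler does: against the
    // userinfo JSON when GetClaimsFromUserInfoEndpoint is true, otherwise against an
    // empty "{}" payload. Map* actions only read the JSON; DeleteClaim actions strip
    // claims that are already on the identity, whatever the JSON contains.
    static List<string> Apply(ClaimActionCollection actions, ClaimsIdentity identity, string userInfoJson)
    {
        using var doc = JsonDocument.Parse(userInfoJson);
        foreach (ClaimAction action in actions)
        {
            action.Run(doc.RootElement, identity, "https://localhost:44378"); // issuer value is constructed
        }
        return identity.Claims.Select(c => c.Type).ToList();
    }

    static void Main()
    {
        var actions = new ClaimActionCollection();
        actions.DeleteClaim("nonce");          // one of the handler's own defaults
        actions.DeleteClaim("sid");            // the question's test configuration
        actions.DeleteClaim("idp");
        actions.DeleteClaim("amr");            // register a delete for amr ...
        actions.Remove("amr");                 // ... then un-register it: Remove() drops the ACTION, not the claim
        actions.MapJsonKey("email", "email");  // only has an effect when the JSON carries "email"

        Console.WriteLine("Registered actions: " +
            string.Join(", ", actions.Select(a => $"{a.GetType().Name}({a.ClaimType})")));

        // Path 1: claims come only from the id_token (GetClaimsFromUserInfoEndpoint = false).
        var fromToken = Apply(actions, IdentityFromIdToken(), "{}");
        Console.WriteLine("id_token only : " + string.Join(", ", fromToken));

        // Path 2: the userinfo endpoint was called; constructed response payload.
        var fromUserInfo = Apply(actions, IdentityFromIdToken(), "{\"email\":\"alice@example.test\"}");
        Console.WriteLine("with userinfo : " + string.Join(", ", fromUserInfo));

        // Neither run touches the token that was validated: ClaimActions shape the
        // ClaimsPrincipal on the client, never the JWT that IdentityServer issued.
    }
}
```

Two things to take from running it. ClaimActions.Remove("amr") removes whatever action is registered for the "amr" claim type (matched case-insensitively), so after it the earlier DeleteClaim("amr") is gone and amr stays on the principal; in the question's configuration, where no action for amr was ever registered, the Remove call is a no-op. DeleteClaim("sid") and DeleteClaim("idp") do remove those claims from the ClaimsIdentity, but only there: the access token the question decodes is produced by the token issuer and is not read back or rewritten by the client-side claim actions, which is why all of its claims are still present.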