Tags: .net, .net-core, openid-connect, .net-5

Rename profile claim mapping in .net core openid connect configuration


I have multiple claims being sent back in the profile scope. These claims include:

employeeType

mail

givenName

These access token claims are being automatically mapped to the same name. I would like to change the mapping as follows:

employeeType = EmployeeType

mail = Mail

givenName = FirstName

I tried using MapJsonKey() but it's not working. I also tried MapUniqueJsonKey(). I think these may only be used for userInfoClaims?

    options.ClaimActions.MapJsonKey("EmployeeType", "employeeType");
    options.ClaimActions.MapJsonKey("FirstName", "givenName");
    options.ClaimActions.MapJsonKey("Email", "Mail");

Is there a way to map these to a different name, or do I have to delete the claims and add them to the Principal using the OnTokenValidated hook?

This is my authentication configuration in startup.

    services.AddAuthentication(options => {
        options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, o =>
        {
            o.Cookie.Name = "GCOWebCookie";
            o.AccessDeniedPath = "/AccessDenied";
        })
        .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options => {
            options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.Authority = config["OneId:Authority"];
            options.ClientId = config["OneId:ClientId"];
            options.ResponseType = "code";
            options.ClientSecret = config["OneId:ClientSecret"];
            options.SaveTokens = true;
            //options.GetClaimsFromUserInfoEndpoint = true;
            options.UsePkce = true;
            //options.Scope.Add("profile"); These scopes are added by default
            //options.Scope.Add("openid");
        });

Solution

  • I would try to use this method instead:

    options.ClaimActions.MapUniqueJsonKey("EmployeeType", "employeeType");
    

    The one you have in the question will only map the claims of the ID token and transform them into the User object. AddOpenIdConnect does not do anything with the content of the access token. It never looks inside the access token.

    AddJwtBearer, however, only listens for access tokens, and when you do the mapping inside AddJwtBearer, the claims in the access token will be mapped to the user object. AddJwtBearer is what you use in the backend APIs that receive access tokens.

    To further customize the claims, you can hook into the OnTicketReceived event like what is shown in this question:

    To complement this answer, I wrote a blog post that goes into more detail about this topic: Debugging OpenID Connect claim problems in ASP.NET Core
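The following is an added example, not code from the question or the answer above. It shows both places where a claim name can be changed in an ASP.NET Core 5 web app that signs in with AddOpenIdConnect: the ClaimActions collection, which the handler runs over the JSON returned by the userinfo endpoint (so it only takes effect when GetClaimsFromUserInfoEndpoint is true), and the OnTokenValidated event, which sees the principal built from the id_token before it is written to the cookie. The configuration keys ("OneId:Authority" and friends), the cookie name and the target claim names are taken from the question; the Renames table is a constructed helper for the example. Note that the JSON key passed to MapJsonKey/MapUniqueJsonKey is matched case-sensitively, so a mapping from "Mail" will not pick up a "mail" property.

```csharp
// Added example: rename id_token and userinfo claims in an ASP.NET Core 5 app.
// Not part of the original post; config keys and claim names follow the question.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;              // ClaimActions extension methods
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class ClaimMappingSetup
{
    // Claim type as issued by the identity provider -> claim type the app wants.
    // Constructed for this example from the names in the question.
    private static readonly (string From, string To)[] Renames =
    {
        ("employeeType", "EmployeeType"),
        ("mail",         "Mail"),
        ("givenName",    "FirstName"),
    };

    public static void ConfigureAuth(IServiceCollection services, IConfiguration config)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, o =>
        {
            o.Cookie.Name = "GCOWebCookie";
            o.AccessDeniedPath = "/AccessDenied";
        })
        .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.Authority = config["OneId:Authority"];
            options.ClientId = config["OneId:ClientId"];
            options.ClientSecret = config["OneId:ClientSecret"];
            options.ResponseType = "code";
            options.UsePkce = true;
            options.SaveTokens = true;

            // Path 1: claims fetched from the userinfo endpoint. ClaimActions run over
            // that JSON document, so these mappings only fire when this flag is on.
            // The JSON key ("employeeType") is matched case-sensitively.
            options.GetClaimsFromUserInfoEndpoint = true;
            foreach (var (from, to) in Renames)
            {
                // MapUniqueJsonKey adds `to` only if the identity has no claim of that
                // type yet, so a claim already renamed from the id_token is not duplicated.
                options.ClaimActions.MapUniqueJsonKey(to, from);
            }

            // Path 2: claims carried in the id_token. They reach the principal through
            // token validation, not ClaimActions, so rename them here, before the
            // handler signs the principal into the cookie scheme.
            options.Events = new OpenIdConnectEvents
            {
                OnTokenValidated = context =>
                {
                    if (context.Principal?.Identity is ClaimsIdentity identity)
                    {
                        foreach (var (from, to) in Renames)
                        {
                            RenameClaim(identity, from, to);
                        }
                    }
                    return Task.CompletedTask;
                }
            };
        });
    }

    // Moves every claim of type `from` to type `to`, preserving value, value type
    // and issuer so authorization code can still tell where the claim came from.
    public static void RenameClaim(ClaimsIdentity identity, string from, string to)
    {
        // Materialize first: removing while FindAll is enumerating would throw.
        foreach (var claim in identity.FindAll(from).ToList())
        {
            identity.RemoveClaim(claim);
            identity.AddClaim(new Claim(to, claim.Value, claim.ValueType, claim.Issuer));
        }
    }
}
```

After signing in, dump `User.Claims` from a controller or a Razor page to confirm which path actually delivered each claim; if the renamed claims only appear with GetClaimsFromUserInfoEndpoint enabled, the provider is not putting them in the id_token and path 2 has nothing to rename. Keep in mind that the renamed claims are what gets serialized into the cookie, so the rename has to happen in OnTokenValidated (or in a ClaimAction) rather than later in the pipeline.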