IdentityServer3 - Is 'sub' claim part of openid scope or profile scope?


As per the OpenID Connect specification, is the sub claim part of the openid scope or the profile scope? I could not find that information.

Update 1

I am using IdentityServer3 for authentication. The client is making a request to the server as shown below. In the response I don't get the sub claim, which is required as per the OpenID Connect specification. However, the response does include http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier, which has the same value as sub. Is nameidentifier the same as the sub claim?

Here is the client request:

    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "cookies"
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://localhost:44314/identity",
            Scope = "openid",
            ClientId = "localhostmvcclient",
            RedirectUri = "http://localhost:34937/",
            ResponseType = "id_token",
            SignInAsAuthenticationType = "cookies",
        });
    }

id_token response


Update 2

Based on the comments below, I have updated the client's startup file:

    private void TurnOffMicrosoftJwtMapping()
    {
        // The long claim names come from Microsoft's JWT handler trying to map claim types to .NET's ClaimTypes class types.
        // We can turn off this behavior with the following line of code (in Startup).
        // This means we need to adjust the configuration for anti-CSRF protection to the new unique sub claim type:
        // (ClaimTypes.Subject, "sub", is defined in IdentityServer3's Constants.ClaimTypes, not in System.Security.Claims.ClaimTypes.)
        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Subject;
        JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
    }

And call the method in the client's startup:

    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            TurnOffMicrosoftJwtMapping();

            // Configure the OpenID Connect request here
        }
    }

sub is a required claim of the id_token, and the openid scope is the required minimum scope to make an OpenID Connect authentication request. You can mix openid with other scopes, but openid must be present.

That's their relationship.

IdentityServer emits the standard claim types (e.g. sub) according to:

https://openid.net/specs/openid-connect-core-1_0.html#standardclaims

It's the Microsoft JWT handler that turns these standard claims into Microsoft proprietary ones. You can turn that annoying behaviour off via:

    JwtSecurityTokenHandler.InboundClaimTypeMap.Clear();
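The renaming discussed on this page, as an added example that is not part of the original posts and is not IdentityServer3 or Microsoft code: a one-entry stand-in for the handler's inbound map (an assumption; only the sub entry discussed here is modelled) is applied to constructed id_token claims, and the hypothetical helper `GetSubject` reads the subject under either claim type and rejects an identity that has none.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

static class SubClaimDemo
{
    // Constructed sample: claims as they appear in a decoded id_token payload.
    static readonly Dictionary<string, string> TokenClaims = new Dictionary<string, string>
    {
        { "iss", "https://localhost:44314/identity" },
        { "aud", "localhostmvcclient" },
        { "sub", "constructed-subject-123" }
    };

    // Stand-in for the handler's inbound map; only the entry this page is about.
    static readonly Dictionary<string, string> MicrosoftStyleMap = new Dictionary<string, string>
    {
        { "sub", ClaimTypes.NameIdentifier }
    };

    // Builds the identity the client sees, renaming claim types found in the map.
    static ClaimsIdentity ToIdentity(IDictionary<string, string> claims, IDictionary<string, string> map)
    {
        var mapped = claims.Select(c =>
        {
            string type;
            return new Claim(map.TryGetValue(c.Key, out type) ? type : c.Key, c.Value);
        });
        return new ClaimsIdentity(mapped, "cookies");
    }

    // Reads the subject whether or not the mapping was applied; fails closed if absent.
    static string GetSubject(ClaimsIdentity identity)
    {
        var claim = identity.FindFirst("sub") ?? identity.FindFirst(ClaimTypes.NameIdentifier);
        if (claim == null || string.IsNullOrEmpty(claim.Value))
            throw new InvalidOperationException("No subject claim; reject the sign-in.");
        return claim.Value;
    }

    static void Main()
    {
        var withMap = ToIdentity(TokenClaims, MicrosoftStyleMap);
        var cleared = ToIdentity(TokenClaims, new Dictionary<string, string>());

        Console.WriteLine(withMap.FindFirst("sub") == null);   // mapping renamed the claim type
        Console.WriteLine(cleared.FindFirst("sub") != null);   // standard name kept
        Console.WriteLine(GetSubject(withMap) == GetSubject(cleared));
    }
}
```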

