Cannot get claim to client

[rwb196884]

I have a C# Blazor application with a corresponding Client that is authorising using code flow.

Running IdentityServer in debug mode I can see that when the user logs in using an external provider the corresponding idp claim is set for the user in the IdentityServer website.

However, this claim is not being passed to the client, which needs it.

I have created a Scope for the client and added idp to the ApiScopeClaims but that hasn't done it.
Nor has also creating an ApiResource and adding idp to the ApiResourceClaims.

How do I get IdentityServer to send the ipd claim to the client?

[wcabus]

IdentityServer does not do anything in particular to add nor filter away the idp claim. This claim type only appears in our Quickstart UI to help adding support for external identity providers: when you return from the external IdP, our Quickstart UI implementation adds the idp claim to visualize where the current user came from.

In your Blazor app, when configuring the OpenIdConnect authentication scheme, is there a line to disable MapInboundClaims? It should look similar to the following:

builder.Services.AddAuthentication(options =>
    {
        options.DefaultScheme = "cookie";
        options.DefaultChallengeScheme = "oidc";
        options.DefaultSignOutScheme = "oidc";
    })
    .AddCookie("cookie", options =>
    {
        options.Cookie.Name = "__Host-blazor";
        options.Cookie.SameSite = SameSiteMode.Lax;
    })
    .AddOpenIdConnect("oidc", options =>
    {
        options.Authority = "https://demo.duendesoftware.com";
        options.ClientId = "interactive.confidential";
        options.ClientSecret = "secret";
        options.ResponseType = "code";
        options.ResponseMode = "query";

        options.GetClaimsFromUserInfoEndpoint = true;
        options.SaveTokens = true;
        options.MapInboundClaims = false; // <-- this is the one

        options.Scope.Clear();
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("api");
        options.Scope.Add("offline_access");

        options.TokenValidationParameters.NameClaimType = "name";
        options.TokenValidationParameters.RoleClaimType = "role";
    });

If you do not have that line options.MapInboundClaims = false;, or when it is set to true, the claim still appears when I try this, but it isn't called idp. When inbound claim mapping is enabled, I receive the following claim instead:

"http://schemas.microsoft.com/identity/claims/identityprovider": "external-idp"

[rwb196884]

I have not set options.MapInboundClaims, but apparently the default value is true. Explicitly setting it has no effect.

If I subclass the IProfileService then I can see in GetProfileDataAsync that context.IssuedClaims does not include idp. This is why I think that it's something to do with IdentityServer .

[wcabus]

And if you look at the context.Subject.Claims, does that list contain the idp claim?
Regardless, the idp claim isn't (or shouldn't) be impacted by the profile service, as there is no scope that you would add to include this claim: it's issued specifically for the current user session because it only indicates where the user signed in. It's not a long-lived property for the user, as the same user may in theory sign in from different identity providers.

If you based your IdentityServer implementation on our Quickstart UI, can you verify that your ExternalController (if you used the old controller based template) or ExternalLogin/Callback.cshtml.cs (when using Razor Pages) is adding the JwtClaimTypes.IdentityProvider claim?

[rwb196884]

I have MS's scaffolded pages in my IdentityServer projet and when logged in the user has the idp claim.

Now if I launch my app and navigate to a page that requires authorisation then I am redirected to log in and hit a breakpoint in GetProfileDataAsync(ProfileDataRequestContext context).

• context.IssuedClaims does not contain the idp claim.
• context.Subject.Claims does contain the idp claim.
• context.RequestedClaimTypes does not contain the ipd claim --- it contains only role and my custom claims, as expected. This is unexpected beause I have added ipd to the ApiScopeClaims and the ApiResourceClaims. Both of these are present in the context.

The _claimsFactory (of type Duende.IdentityServer.AspNetIdentity.UserClaimsFactory) does not add the ipd claim to the

If I now go to an IdentityServer page --- where am now logged in --- the ipd claim is present.

[rwb196884]

Bloody hell at last.
Some arsehole at Microsoft is renaming the claim to http://schemas.microsoft.com/identity/claims/identityprovider
There doesn't seem to be any way to keep it as idp.

[wcabus]

Perhaps you can try the following: created a custom class derived from the DefaultClaimsService and register this implementation instead. Then, override the GetStandardSubjectClaims method to look for the http://schemas.microsoft.com/identity/claims/identityprovider in case there is no idp claim:

protected override IEnumerable<Claim> GetStandardSubjectClaims(ClaimsPrincipal subject)
{
    var claims = base.GetStandardSubjectClaims(subject);
    if (claims.Any(x => x.Type == JwtClaimTypes.IdentityProvider))
    {
        // no need to look for an "idp" claim, it's already there
        return claims;
    }

    var idpClaimValue = subject.FindFirstValue("http://schemas.microsoft.com/identity/claims/identityprovider");
    
    return !string.IsNullOrEmpty(idpClaimValue) 
        ? claims.Append(new Claim(JwtClaimTypes.IdentityProvider, idpClaimValue)) 
        : claims;
}