Which version of Duende IdentityServer are you using?
6.2.3
Which version of .NET are you using?
7.0.5
Describe the bug
The actor (act) claim on an access token is not converted to ClaimsPrincipal.Actor in IProfileService.GetProfileDataAsync.
To Reproduce
Issue an access token with an actor claim in IProfileService.GetProfileDataAsync for ProfileDataCallers.ClaimsProviderAccessToken.
When IProfileService.GetProfileDataAsync executes for ProfileDataCallers.UserInfoEndpoint, the Claims of the ProfileDataRequestContext.Subject ClaimsPrincipal are a 1:1 translation of the access token claims. Specifically, the ClaimsPrincipal contains an act claim with a JSON string value.
Expected behavior
I would expect the actor claim to be applied to ClaimsPrincipal.Actor in this case. I would also expect this to work for nested actor claims in the access token, applying to nested ClaimsPrincipal.Actors.
Additional context
I understand the nuances of converting the OAuth/OIDC specs to .NET auth operation models, but this seems an appropriate behavior.
I also understand that the ClaimsPrincipal is created from the access token in IdentityModel's Principal.Create. I'm uncertain whether this would be addressed in IdentityModel or IdentityServer.
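The mapping the report expects, as an added example that is neither IdentityServer's nor IdentityModel's code: a helper that parses the JSON-valued act claim into a chain of ClaimsIdentity.Actor identities (nested act members included), which a customized IProfileService could apply to context.Subject before issuing claims. The "JSON" claim value type string and the sample token claims in Demo are assumptions.

```csharp
using System;
using System.Security.Claims;
using System.Text.Json;

// Added example, not IdentityServer or IdentityModel code: turns an "act" claim whose
// value is a JSON object into ClaimsIdentity.Actor, recursing on nested "act" members
// so each delegation hop recorded in the token becomes one link in the Actor chain.
public static class ActorClaimMapper
{
    // Intended for a custom IProfileService: call on context.Subject before issuing claims.
    public static ClaimsPrincipal MapActorChain(ClaimsPrincipal principal)
    {
        if (principal.Identity is not ClaimsIdentity identity) return principal;
        var act = identity.FindFirst("act");
        if (act is null || identity.Actor is not null) return principal; // nothing to map
        identity.Actor = BuildActor(act.Value, identity.AuthenticationType);
        return principal;
    }

    private static ClaimsIdentity BuildActor(string json, string? authType)
    {
        using var doc = JsonDocument.Parse(json);
        if (doc.RootElement.ValueKind != JsonValueKind.Object)
            throw new FormatException("act claim value must be a JSON object");

        var actor = new ClaimsIdentity(authType);
        foreach (var prop in doc.RootElement.EnumerateObject())
        {
            if (prop.Name == "act")
                actor.Actor = BuildActor(prop.Value.GetRawText(), authType); // prior actor
            else if (prop.Value.ValueKind == JsonValueKind.String)
                actor.AddClaim(new Claim(prop.Name, prop.Value.GetString()!));
            else // keep non-string members as JSON text; "JSON" value type is an assumption
                actor.AddClaim(new Claim(prop.Name, prop.Value.GetRawText(), "JSON"));
        }
        return actor;
    }

    // Constructed sample: a two-hop delegation chain as it would appear in an access token.
    public static void Demo()
    {
        const string actJson = "{\"sub\":\"svc-a\",\"client_id\":\"svc-a\",\"act\":{\"sub\":\"gateway\"}}";
        var identity = new ClaimsIdentity(new[] { new Claim("sub", "alice"), new Claim("act", actJson, "JSON") }, "Bearer");
        var principal = MapActorChain(new ClaimsPrincipal(identity));
        var current = ((ClaimsIdentity)principal.Identity!).Actor!;
        Console.WriteLine($"actor={current.FindFirst("sub")!.Value}, prior actor={current.Actor!.FindFirst("sub")!.Value}");
    }
}
```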
Thanks for opening this issue! We'll consider this for a future release. For now, are you able to accomplish what you need with a customized profile service?
Yep, it is just slightly inconsistent and requires a slightly contrived setup.
When issuing claims from the profile service, the ClaimsIdentity could have an Actor from the default scheme or an act claim with a JSON claim value type.