New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding a JSON claim to the JWT/Userinfo endpoint is a bit unintuitive because of different valueType constants #1480
Comments
What version of Duende.IdentityServer are you using? What version of Asp.Net Core? What version of the Microsoft.IdentityModel libraries? |
@brockallen do you think we should relax our logic here and allow either constant? I feel like this has come up in the past and don't quite remember if there is some wrinkle. |
I am using the latest version of each, this fiddle here shows how IdentityServer's constant is not capitalized: https://dotnetfiddle.net/qniKJj And this link shows how ClaimsExtensions.cs checks the valueType
From what I've searched in the repo, the constant itself could be updated without breaking anything since it's only used in 4 places, instead of changing the logic. |
IOW, why can't we do this:
I guess that would make sense. @leastprivilege any recollection around this topic and thought why this would not be ok? |
By the time we added this, the JWT handler only had very limited JSON serialization capabilities. Would be also interesting to see if they now can serialize complex objects or lists... |
Transferring to the IdentityServer repo to consider for a future release. |
Things look better now. We have seen the same issue on our side (HelseID) but are investigating if we can remove the workarounds. I can update here if things look good. |
When searching on how to add a JSON claim to a JWT, you'll come across answers like this one, which use System.IdentityModel.Tokens.Jwt.JsonClaimValueTypes.Json to specify the valueType, and that works with JwtSecurityTokenHandler.WriteToken.
But since ClaimsExtensions.cs checks for claim.ValueType == IdentityServerConstants.ClaimValueTypes.Json and IdentityServerConstants.ClaimValueTypes.Json is "json" while System.IdentityModel.Tokens.Jwt.JsonClaimValueTypes.Json is "JSON", that means that adding a claim like this:
context.IssuedClaims.Add(new Claim("json", "{\"sample\":{\"sample\":\"value\"}}", System.IdentityModel.Tokens.Jwt.JsonClaimValueTypes.Json))
will make the claim an escaped JSON in the JWT instead of actual JSON.
The text was updated successfully, but these errors were encountered: