Got string ClaimType for JSON ClaimType #63

Open
taufikdev88 opened this issue Nov 23, 2024 · 10 comments
Labels
area/identity-model Issues related to Identity Model state/needs-triage Needs triaging by the maintainers

Comments

@taufikdev88

Which version of Duende IdentityServer are you using?

Duende.IdentityModel version 7.0.8

Which version of .NET are you using?

9.0

Describe the bug

A JSON ClaimType is identified as a string ClaimType

To Reproduce

  1. Request Access Token from Keycloak with claim with type "resource_access" or "realm_access"

Expected behavior

"resource_access" or "realm_access" claim with "JSON" ClaimType

Log output/exception with stacktrace

![Image](https://github.com/user-attachments/assets/77587216-c5b2-48d5-abd4-2e7512eda1d9)

Additional context

@taufikdev88
Author

taufikdev88 commented Nov 23, 2024

```json
{
  "exp" : 1732346131,
  "iat" : 1732342531,
  "auth_time" : 1732342530,
  "jti" : "314b625a-d51f-4a5d-94fe-e3fa86c40911",
  "iss" : "https://identity.harapan-jaya.com/realms/dev",
  "aud" : [ "images", "hjex-microservices", "account", "point" ],
  "sub" : "0f08f84b-9423-4fc2-bd05-4a28bed56b25",
  "typ" : "Bearer",
  "azp" : "hjex-retail",
  "sid" : "423668ee-bfc0-4ec3-aa2a-b50ed8d3054b",
  "acr" : "1",
  "resource_access" : {
    "images" : {
      "roles" : [ "user" ]
    },
    "hjex-microservices" : {
      "roles" : [ "Retail" ]
    },
    "account" : {
      "roles" : [ "manage-account", "manage-account-links", "delete-account", "view-profile" ]
    },
    "point" : {
      "roles" : [ "view-point" ]
    }
  },
  "scope" : "openid offline_access email profile",
  "email_verified" : true,
  "name" : "taufik Retail",
  "preferred_username" : "taufikdev88",
  "given_name" : "taufik",
  "locale" : "id",
  "family_name" : "Retail",
  "email" : "[email protected]",
  "client_id" : "hjex-retail",
  "username" : "taufikdev88",
  "token_type" : "Bearer",
  "active" : true
}
```

@taufikdev88
Author

Got claim type http://www.w3.org/2001/XMLSchema#string for "resource_access"

@taufikdev88
Author

I have created a pull request to the foss project and the IdentityModel project, please check it.

Pull Request on foss
Pull Request on IdentityModel

@AndersAbel AndersAbel transferred this issue from DuendeSoftware/Support Nov 28, 2024
@AndersAbel
Member

AndersAbel commented Nov 28, 2024

Why is the ClaimValueType important? How is it used? Why do you want to set it to "JSON"? That's not a constant value in the .NET ClaimValueTypes.

@taufikdev88
Author

I see how Microsoft creates a claim with the "JSON" ClaimValueTypes in the Microsoft.IdentityModel.Tokens.Jwt package:
JwtPayload.cs
and from debugged code:
debugging result

I found that Microsoft created 2 files with the same content for JsonClaimValueTypes:
System.IdentityModel.Tokens.Jwt
Microsoft.IdentityModel.JsonWebTokens

What do you prefer? How about creating JsonClaimValueTypes inside the foss project?

I found an interesting open-source project out there that is trying to get claims from ClaimPrincipal with ClaimValueTypes specific to "JSON", as we can see in this project:
AuthService

In some cases developers need to combine multiple authentication schemes like I did. I use a very great project from Duende, "IdentityModel.AspNetCore.OAuth2Introspection", which is now rebranded to Duende.IdentityModel.

I think it will be great when all projects use a standard definition for ClaimValueTypes.

@damianh damianh added area/identity-model Issues related to Identity Model state/needs-triage Needs triaging by the maintainers labels Dec 2, 2024
@AndersAbel
Member

Yes, the System.IdentityModel.Tokens.Jwt package introduced the "JSON" ClaimValueType. They are moving that functionality to the Microsoft.IdentityModel.JsonWebTokens namespace, so even if there are two files they are essentially the same.

Using the "JSON" ClaimValueType is an extension. We are considering if we should do it too, but we would need to know why it is important to you. Do you have any code/functionality that relies on that value and treats the claim values differently if they are marked as "JSON" vs ClaimValueTypes.String?

@taufikdev88
Author

I have to ensure the claim type is JSON Image

@AndersAbel
Member

How is that code called? Do you convert the claim value string to something else based on the ClaimValueType?

@taufikdev88
Author

Image

@AndersAbel
Member

I still don't understand how you use the ClaimValueType. Why does it matter to you? What functionality is dependent on the value being set to "JSON"?
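
The open question in the thread is what behaviour depends on `Claim.ValueType`. As an added example (not code from this issue, its pull requests, or Duende.IdentityModel), the sketch below extracts Keycloak roles from `resource_access` by parsing `Claim.Value`, so authorization gives the same result whether the claim was tagged "JSON" or `ClaimValueTypes.String`. `KeycloakRoleMapper` and `RolesFor` are hypothetical names, and the sample claim is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text.Json;

public static class KeycloakRoleMapper
{
    // Value Microsoft's JWT handlers put in Claim.ValueType for JSON objects.
    private const string JsonValueType = "JSON";

    // Hypothetical helper: roles for `audience`, decided by parsing Claim.Value, not by ValueType.
    public static IReadOnlyList<string> RolesFor(ClaimsPrincipal user, string audience)
    {
        var roles = new List<string>();
        foreach (var claim in user.FindAll("resource_access"))
        {
            try
            {
                using var doc = JsonDocument.Parse(claim.Value);
                if (doc.RootElement.ValueKind == JsonValueKind.Object &&
                    doc.RootElement.TryGetProperty(audience, out var client) &&
                    client.ValueKind == JsonValueKind.Object &&
                    client.TryGetProperty("roles", out var arr) &&
                    arr.ValueKind == JsonValueKind.Array)
                {
                    roles.AddRange(arr.EnumerateArray()
                        .Where(r => r.ValueKind == JsonValueKind.String)
                        .Select(r => r.GetString()!));
                }
            }
            catch (JsonException) { /* a malformed value grants no roles */ }
        }
        return roles;
    }

    public static void Main()
    {
        // Constructed sample: the same payload, tagged the two ways discussed in the thread.
        const string value = "{\"point\":{\"roles\":[\"view-point\"]}}";
        foreach (var valueType in new[] { JsonValueType, ClaimValueTypes.String })
        {
            var identity = new ClaimsIdentity(
                new[] { new Claim("resource_access", value, valueType) }, "sample");
            var roles = RolesFor(new ClaimsPrincipal(identity), "point");
            Console.WriteLine($"{valueType}: {string.Join(",", roles)}");
        }
    }
}
```

A filter such as `claim.ValueType == "JSON"` placed in front of this parsing would return no roles for the string-tagged claim, which is the mismatch reported in this issue.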

@Erwinvandervalk Erwinvandervalk added area/access-token-management Issues related to Access Token Management and removed area/access-token-management Issues related to Access Token Management labels Jan 7, 2025