Is 'sub' claim part of openid scope or profile scope?
Solution 1
sub is a required claim of the id_token - and the openid scope is the required minimum scope to make an OpenID Connect authentication request. You can mix openid with other scopes - but openid must be present.
That's their relationship.
IdentityServer emits standard claim types (e.g. sub) according to:
https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
It's the Microsoft JWT handler that turns these standard claims into Microsoft proprietary ones. You can turn this annoying behaviour off via:
JwtSecurityTokenHandler.InboundClaimTypeMap.Clear()
Solution 2
Neither, it's just a required claim of the ID Token, whenever one is issued.
Related videos on Youtube
LP13
Updated on June 04, 2022Comments
-
LP13 almost 2 years
As per the OpenID Connect specification is
sub
claim part ofopenid
scope orprofile
scope? I could not find that informationUpdate1
I am using IdentityServer3 for authentication. Client is making the request to the server as below. In response I don't getsub
claim which is required as per the Open ID Connect specification. However response does includehttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
which has same value assub
Is thenameidentifier
same assub
claim.Here is client request
public void Configuration(IAppBuilder app) { app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationType = "Cookies" }); app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions { Authority = "https://localhost:44314/identity", Scope = "openid", ClientId = "LocalHostMvcClient", RedirectUri = "http://localhost:34937/", ResponseType = "id_token", SignInAsAuthenticationType = "Cookies", } }
id_token response
Update 2
based on the comments below I have updated client's startup fileprivate void TurnOffMicrosoftJWTMapping() { //The long claim names come from Microsoft’s JWT handler trying to map some claim types to .NET’s ClaimTypes class types. //We can turn off this behavior with the following line of code (in Startup). //This also means that we need to adjust the configuration for anti-CSRF protection to the new unique sub claim type: AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Subject; JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>(); }
and then call this method in client's startup
public class Startup { public void Configuration(IAppBuilder app) { TurnOffMicrosoftJWTMapping(); //configure OpenIDConnect request here } }
-
LP13 almost 8 yearsok so after searching I found this discussion
https://github.com/IdentityServer/IdentityServer3.Samples/issues/173
IdentityServer3 will mapsub
claim tonameidentifier
-
N Sharma about 6 years
sub
string - Identifier for the End-User at the Issuer. - so this can have any value ? -
Waqas Raja over 5 yearsthe signature are changed but Microsoft Proprietary ones made me mad. Following saved my life
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear()