Is 'sub' claim part of openid scope or profile scope?

10,889

Solution 1

sub is a required claim of the id_token, and the openid scope is the required minimum scope to make an OpenID Connect authentication request. You can mix openid with other scopes, but openid must be present.

That's their relationship.

IdentityServer emits standard claim types (e.g. sub) according to:

https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims

It's the Microsoft JWT handler that turns these standard claims into Microsoft proprietary ones. You can turn this annoying behaviour off via:

JwtSecurityTokenHandler.InboundClaimTypeMap.Clear()
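As an added example (not code from the question, the answers or IdentityServer), the following Python models the two points made above: the claims an id_token must carry per OpenID Connect Core 1.0 section 2, and the rename the .NET JwtSecurityTokenHandler applies to sub until its inbound map is cleared. The token, subject value and the map (a hand-written subset of the handler's default one) are constructed here; iss and aud reuse the Authority and ClientId from the question's configuration.

```python
"""Added example: check an id_token's REQUIRED claims (OIDC Core 1.0, section 2)
and model the .NET JwtSecurityTokenHandler inbound claim-type rename of "sub"."""
import base64
import json

# Claims every id_token must carry; signature verification is assumed to have
# already succeeded, this snippet only inspects the payload.
REQUIRED_ID_TOKEN_CLAIMS = ("iss", "sub", "aud", "exp", "iat")

NAMEIDENTIFIER = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
# Hand-written subset of the .NET handler's default InboundClaimTypeMap.
DEFAULT_INBOUND_CLAIM_TYPE_MAP = {
    "sub": NAMEIDENTIFIER,
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_payload(id_token: str) -> dict:
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token must be header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def missing_required_claims(payload: dict) -> list:
    return [c for c in REQUIRED_ID_TOKEN_CLAIMS if c not in payload]

def map_inbound_claims(payload: dict, inbound_map: dict) -> dict:
    """Rename claim types as the handler does; an empty map (Clear()) keeps "sub"."""
    return {inbound_map.get(k, k): v for k, v in payload.items()}

def constructed_id_token(payload: dict) -> str:
    """Constructed token with a PLACEHOLDER signature, for offline demonstration."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "signature-placeholder"])

# Constructed sample; iss and aud mirror the Authority and ClientId in the question.
SAMPLE_PAYLOAD = {"iss": "https://localhost:44314/identity", "sub": "818727",
                  "aud": "LocalHostMvcClient", "exp": 1600000300, "iat": 1600000000}

if __name__ == "__main__":
    payload = decode_payload(constructed_id_token(SAMPLE_PAYLOAD))
    print("missing required claims:", missing_required_claims(payload))
    print("with default map:", sorted(map_inbound_claims(payload, DEFAULT_INBOUND_CLAIM_TYPE_MAP)))
    print("with cleared map:", sorted(map_inbound_claims(payload, {})))
```

Running it shows the same claim value surfacing once under the long nameidentifier URI and once under sub, which is exactly the difference the question observed before and after clearing the map.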

Solution 2

Neither, it's just a required claim of the ID Token, whenever one is issued.

Author by LP13

Updated on June 04, 2022

Comments

  • LP13 almost 2 years

    As per the OpenID Connect specification, is the sub claim part of the openid scope or the profile scope? I could not find that information.

    Update1
    I am using IdentityServer3 for authentication. The client is making the request to the server as below. In the response I don't get the sub claim, which is required as per the OpenID Connect specification. However, the response does include http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier, which has the same value as sub. Is nameidentifier the same as the sub claim?

    Here is the client request:

        public void Configuration(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = "Cookies"
            });

            // openid is the minimum scope for an OpenID Connect request
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                Authority = "https://localhost:44314/identity",
                Scope = "openid",
                ClientId = "LocalHostMvcClient",
                RedirectUri = "http://localhost:34937/",
                ResponseType = "id_token",
                SignInAsAuthenticationType = "Cookies",
            });
        }


    id_token response


    Update 2
    Based on the comments below I have updated the client's startup file:

        private void TurnOffMicrosoftJWTMapping()
        {
            //The long claim names come from Microsoft’s JWT handler trying to map some claim types to .NET’s ClaimTypes class types. 
            //We can turn off this behavior with the following line of code (in Startup).
            //This also means that we need to adjust the configuration for anti-CSRF protection to the new unique sub claim type:
            AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Subject;
            JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
        }
    

    and then call this method in the client's startup:

    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            TurnOffMicrosoftJWTMapping();
    
            //configure OpenIDConnect request here
        }
    }
    
  • LP13 almost 8 years
    OK, so after searching I found this discussion: https://github.com/IdentityServer/IdentityServer3.Samples/issues/173. IdentityServer3 will map the sub claim to nameidentifier.
  • N Sharma about 6 years
    "sub string - Identifier for the End-User at the Issuer." - so this can have any value?
  • Waqas Raja over 5 years
    The signatures are changed, but the Microsoft proprietary ones made me mad. The following saved my life: System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear()