I then use the access token to make calls to my ASP.Net Core API, which is configured based on the quickstart. This works in as much as the access token is accepted and the User.Identity.IsAuthenticated is true. However the User.Claims enumerable doesn’t contain a sub claim and (I think) this leads to User.Identity.Name being null. The claims which are available are the following (note there are 2 aud claims, that isn’t a typo):
The http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier claim contains what I would expect the sub claim to contain (i.e. the auth0 user id) so it’s not a huge problem because I can “map” that claim to User.Identity.Name like so (within startup.cs):
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = ClaimTypes.NameIdentifier
};
That being said, I’d like to know if I’ve done something wrong along the way which has meant sub isn’t available on the access token?
So, this is expected, you aren’t doing anything wrong
By setting the NameClaimType in the TokenValidationParameters:
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = ClaimTypes.NameIdentifier
};
you are indicating that the ClaimsIdentity constructed will have the name identifier claim as NameClaimType, the claim used to extract the name of the user, instead of the default ClaimsTypes.Name (which is by default not available in the Access Token). Identity.Name is a simple shortcut to find the first claim whose type matches what’s set for the identity’s NameClaimType property.
Additional note: you are getting two aud (audience) claims because you most likely ask for a token that had both an audience indicating your own API identifier and also used the openid scope. This results in Auth0 issuing an access token that is valid both for your API and the https://{your_auth0_domain}/userinfo OpenID Connect user info endpoint (hence the two “audiences”).
Just so I understand fully, you’re saying that it’s expected that I’m not seeing a ‘sub’ claim?
Are you saying that the ‘sub’ claim does exist on the access token but is mapped to the ‘ClaimTypes.NameIdentifier’ (and then removed?) by the middleware?
Thanks for the additional clarification on the ‘aud’ claims too
Exactly.
The sub exists in the token but the middleware is mapping (renaming) sub as the claim type string to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier (the constant defined in ClaimTypes.NameIdentifier).
If you can get the token raw string you can inspect its contents at https://jwt.io.