An error occurred during login: sub claim is missing from userinfo endpoint

IdentityModel.OidcClient version: 4.0.0-preview.7 (lower versions have the same problem too)
WinForms, .NET 5.0

In Auth0ClientBase.cs, when I call
var result = await OidcClient.LoginAsync(loginRequest, cancellationToken);
I always receive the error: “An error occurred during login: sub claim is missing from userinfo endpoint”

----- OidcClient -------

- OidcClient {IdentityModel.OidcClient.OidcClient} IdentityModel.OidcClient.OidcClient
- Options {IdentityModel.OidcClient.OidcClientOptions} IdentityModel.OidcClient.OidcClientOptions
Authority “https://************.us.auth0.com” string
BackchannelHandler null System.Net.Http.HttpMessageHandler
+ BackchannelTimeout {00:00:30} System.TimeSpan
+ Browser {Auth0.OidcClient.WebViewBrowser} IdentityModel.OidcClient.Browser.IBrowser {Auth0.OidcClient.WebViewBrowser}
+ BrowserTimeout {00:00:00} System.TimeSpan
+ ClientAssertion {IdentityModel.Client.ClientAssertion} IdentityModel.Client.ClientAssertion
ClientId “************” string
ClientSecret null string
+ ClockSkew {00:05:00} System.TimeSpan
FilterClaims true bool
- FilteredClaims Count = 10 System.Collections.Generic.ICollection {System.Collections.Generic.HashSet}
[0] “iss” string
[1] “exp” string
[2] “nbf” string
[3] “aud” string
[4] “nonce” string
[5] “iat” string
[6] “auth_time” string
[7] “c_hash” string
[8] “at_hash” string
[9] “s_hash” string
+ Raw View
IdentityTokenValidator null IdentityModel.OidcClient.IIdentityTokenValidator
LoadProfile true bool
+ LoggerFactory {Microsoft.Extensions.Logging.LoggerFactory} Microsoft.Extensions.Logging.ILoggerFactory {Microsoft.Extensions.Logging.LoggerFactory}
- Policy {IdentityModel.OidcClient.Policy} IdentityModel.OidcClient.Policy
+ Discovery {IdentityModel.Client.DiscoveryPolicy} IdentityModel.Client.DiscoveryPolicy
RequireAccessTokenHash false bool
RequireIdentityTokenOnRefreshTokenResponse false bool
RequireIdentityTokenSignature true bool
- ValidSignatureAlgorithms Count = 7 System.Collections.Generic.ICollection {System.Collections.Generic.HashSet}
[0] “RS256” string
[1] “RS384” string
[2] “RS512” string
[3] “PS256” string
[4] “PS384” string
[5] “PS512” string
[6] “ES256” string
+ Raw View
ValidateTokenIssuerName true bool
PostLogoutRedirectUri “https://************.us.auth0.com/mobile” string
ProviderInformation null IdentityModel.OidcClient.ProviderInformation
RedirectUri “https://************.us.auth0.com/mobile” string
RefreshDiscoveryDocumentForLogin true bool
RefreshDiscoveryOnSignatureFailure false bool
RefreshTokenInnerHttpHandler null System.Net.Http.HttpMessageHandler
+ Resource Count = 0 System.Collections.Generic.ICollection {System.Collections.Generic.HashSet}
Scope “openid profile email” string
TokenClientCredentialStyle PostBody IdentityModel.Client.ClientCredentialStyle
- _authorizeClient {IdentityModel.OidcClient.AuthorizeClient} IdentityModel.OidcClient.AuthorizeClient
+ _crypto {IdentityModel.OidcClient.CryptoHelper} IdentityModel.OidcClient.CryptoHelper
+ _logger {Microsoft.Extensions.Logging.Logger<IdentityModel.OidcClient.AuthorizeClient>} Microsoft.Extensions.Logging.ILogger<IdentityModel.OidcClient.AuthorizeClient> {Microsoft.Extensions.Logging.Logger<IdentityModel.OidcClient.AuthorizeClient>}
+ _options {IdentityModel.OidcClient.OidcClientOptions} IdentityModel.OidcClient.OidcClientOptions
- _logger {Microsoft.Extensions.Logging.Logger<IdentityModel.OidcClient.OidcClient>} Microsoft.Extensions.Logging.ILogger {Microsoft.Extensions.Logging.Logger<IdentityModel.OidcClient.OidcClient>}
+ _logger {Microsoft.Extensions.Logging.Logger} Microsoft.Extensions.Logging.ILogger {Microsoft.Extensions.Logging.Logger}
- _processor {IdentityModel.OidcClient.ResponseProcessor} IdentityModel.OidcClient.ResponseProcessor
+ _crypto {IdentityModel.OidcClient.CryptoHelper} IdentityModel.OidcClient.CryptoHelper
+ _logger {Microsoft.Extensions.Logging.Logger<IdentityModel.OidcClient.ResponseProcessor>} Microsoft.Extensions.Logging.ILogger<IdentityModel.OidcClient.ResponseProcessor> {Microsoft.Extensions.Logging.Logger<IdentityModel.OidcClient.ResponseProcessor>}
- _options {IdentityModel.OidcClient.OidcClientOptions} IdentityModel.OidcClient.OidcClientOptions
Authority “https://************.us.auth0.com” string
BackchannelHandler null System.Net.Http.HttpMessageHandler
+ BackchannelTimeout {00:00:30} System.TimeSpan
+ Browser {Auth0.OidcClient.WebViewBrowser} IdentityModel.OidcClient.Browser.IBrowser {Auth0.OidcClient.WebViewBrowser}
+ BrowserTimeout {00:00:00} System.TimeSpan
+ ClientAssertion {IdentityModel.Client.ClientAssertion} IdentityModel.Client.ClientAssertion
ClientId “************” string
ClientSecret null string
+ ClockSkew {00:05:00} System.TimeSpan
FilterClaims true bool
+ FilteredClaims Count = 10 System.Collections.Generic.ICollection {System.Collections.Generic.HashSet}
IdentityTokenValidator null IdentityModel.OidcClient.IIdentityTokenValidator
LoadProfile true bool
+ LoggerFactory {Microsoft.Extensions.Logging.LoggerFactory} Microsoft.Extensions.Logging.ILoggerFactory {Microsoft.Extensions.Logging.LoggerFactory}
+ Policy {IdentityModel.OidcClient.Policy} IdentityModel.OidcClient.Policy
PostLogoutRedirectUri “https://************.us.auth0.com/mobile” string
ProviderInformation null IdentityModel.OidcClient.ProviderInformation
RedirectUri “https://************.us.auth0.com/mobile” string
RefreshDiscoveryDocumentForLogin true bool
RefreshDiscoveryOnSignatureFailure false bool
RefreshTokenInnerHttpHandler null System.Net.Http.HttpMessageHandler
+ Resource Count = 0 System.Collections.Generic.ICollection {System.Collections.Generic.HashSet}
Scope “openid profile email” string
TokenClientCredentialStyle PostBody IdentityModel.Client.ClientCredentialStyle
+ _refreshKeysAsync {Method = {System.Threading.Tasks.Task EnsureProviderInformationAsync(System.Threading.CancellationToken)}} System.Func<System.Threading.CancellationToken, System.Threading.Tasks.Task>
_useDiscovery true bool

I found the mistake. I have a custom rule, and this rule changes my claims.

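The check behind this error, as an added example (not code from IdentityModel.OidcClient, Auth0, or the poster): OpenID Connect Core section 5.3.2 requires the UserInfo response to contain `sub` and requires the client to verify that it exactly matches the `sub` of the ID token before using any other UserInfo claim. The names `UserInfoCheck` and `Validate`, the mismatch message, and all sample JSON are assumptions constructed for illustration.

```csharp
using System;
using System.Text.Json;

// Constructed sample data (not from the thread): the payload of an already
// validated ID token and three possible userinfo responses.
const string idTokenPayload =
    "{\"iss\":\"https://tenant.example/\",\"sub\":\"auth0|123\",\"aud\":\"client-id\"}";
string[] userInfoResponses =
{
    "{\"sub\":\"auth0|123\",\"email\":\"a@example.com\"}", // acceptable
    "{\"email\":\"a@example.com\"}",                        // sub removed upstream
    "{\"sub\":\"auth0|999\",\"email\":\"a@example.com\"}"  // sub of another user
};

foreach (var body in userInfoResponses)
    Console.WriteLine(UserInfoCheck.Validate(idTokenPayload, body) ?? "ok");

static class UserInfoCheck
{
    // Returns null when the userinfo claims may be merged with the ID token
    // claims, otherwise the reason the response must be discarded.
    public static string Validate(string idTokenPayloadJson, string userInfoJson)
    {
        using var idToken = JsonDocument.Parse(idTokenPayloadJson);
        using var userInfo = JsonDocument.Parse(userInfoJson);

        var expected = ReadSub(idToken.RootElement);
        if (expected is null) return "ID token has no usable sub claim";

        var actual = ReadSub(userInfo.RootElement);
        if (actual is null) return "sub claim is missing from userinfo endpoint";

        // sub is a case-sensitive string, so compare ordinally.
        return string.Equals(expected, actual, StringComparison.Ordinal)
            ? null
            : "sub claim from userinfo endpoint does not match the ID token";
    }

    // Treats an absent, non-string, or empty sub as missing.
    private static string ReadSub(JsonElement claims)
    {
        if (claims.ValueKind != JsonValueKind.Object) return null;
        if (!claims.TryGetProperty("sub", out var sub)) return null;
        if (sub.ValueKind != JsonValueKind.String) return null;
        var value = sub.GetString();
        return string.IsNullOrEmpty(value) ? null : value;
    }
}
```

Running the same comparison against the raw response of the tenant's userinfo endpoint shows whether server-side claim customization removed or altered `sub` before the client library sees it.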

Hi @msavard,

I’m glad you were able to find the rule that was causing the issue!

Yes, but to find the mistake, I converted auth0-WinFormsWPF-oidc-samples-master completely to .NET 5, replacing the WebBrowser in the DLL with the real WebBrowser in System.Windows.Forms.

And I found your NuGet source code in your Git repository for:
IdentityTokenValidator
OidcClient

OK for me, but not really easy for a beginner.
