Using both JWT and cookie authentication results in missing/different claims

I have a .NET Core 3.0 API that should be able to authenticate users from either cookies or a JWT bearer token.

So I followed the quickstart guide.
The login via browser and cookies works properly.

By default it wasn't authenticating via the header token in Postman, so I did the following to have two authorization schemes:

        //AddOpenIdConnect omitted for brevity
        services.AddAuthentication(options =>
        {
            // Cookies stay the default: browser sessions are authenticated,
            // signed in and challenged through the cookie scheme.
            options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        })
        .AddCookie()
        // Second scheme: validate Auth0-issued bearer tokens from the Authorization header.
        .AddJwtBearer(options =>
        {
            options.Authority = Configuration["Auth0:Authority"];
            options.Audience = Configuration["Auth0:Audience"];
            options.ClaimsIssuer = "Auth0";
            options.TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name"
            };
        });

        services.AddAuthorization(options =>
        {
            // The default policy runs both schemes, so a request carrying either
            // a valid cookie or a valid bearer token satisfies [Authorize].
            options.DefaultPolicy = new AuthorizationPolicyBuilder(new string[]
                {
                    JwtBearerDefaults.AuthenticationScheme,
                    CookieAuthenticationDefaults.AuthenticationScheme
                })
                .RequireAuthenticatedUser()
                .Build();
        });

I get the JWT token from Postman by using this tutorial.
Now I can log in with both options.

My problem is that the same user results in different claims depending on the authorization type.

JWT auth gives me the following claims:

    {
        "Issuer": "{{Issuer}}",
        "OriginalIssuer": "{{Issuer}}",
        "Properties": {},
        "Type": "iss",
        "Value": "{{Issuer}}",
        "ValueType": "http://www.w3.org/2001/XMLSchema#string"
    },
    {
        "Issuer": "{{Issuer}}",
        "OriginalIssuer": "{{Issuer}}",
        "Properties": {
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/ShortTypeName": "sub"
        },
        "Type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
        "Value": "auth0|blablabla",
        "ValueType": "http://www.w3.org/2001/XMLSchema#string"
    },
    {
        "Issuer": "{{Issuer}}",
        "OriginalIssuer": "{{Issuer}}",
        "Properties": {},
        "Type": "aud",
        "Value": "{{Issuer}}api/v2/",
        "ValueType": "http://www.w3.org/2001/XMLSchema#string"
    },
    {
        "Issuer": "{{Issuer}}",
        "OriginalIssuer": "{{Issuer}}",
        "Properties": {},
        "Type": "aud",
        "Value": "{{Issuer}}userinfo",
        "ValueType": "http://www.w3.org/2001/XMLSchema#string"
    },
    {
        "Issuer": "{{Issuer}}",
        "OriginalIssuer": "{{Issuer}}",
        "Properties": {},
        "Type": "iat",
        "Value": "various numbers",
        "ValueType": "http://www.w3.org/2001/XMLSchema#integer"
    },
    {
        "Issuer": "{{Issuer}}",
        "OriginalIssuer": "{{Issuer}}",
        "Properties": {},
        "Type": "exp",
        "Value": "various numbers",
        "ValueType": "http://www.w3.org/2001/XMLSchema#integer"
    },
    {
        "Issuer": "{{Issuer}}",
        "OriginalIssuer": "{{Issuer}}",
        "Properties": {},
        "Type": "azp",
        "Value": "blablabla",
        "ValueType": "http://www.w3.org/2001/XMLSchema#string"
    },
    {
        "Issuer": "{{Issuer}}",
        "OriginalIssuer": "{{Issuer}}",
        "Properties": {},
        "Type": "scope",
        "Value": "openid profile email",
        "ValueType": "http://www.w3.org/2001/XMLSchema#string"
    }

Cookie auth gives me the following claims:

    {
        "Issuer": "{{issuer}}",
        "OriginalIssuer": "{{issuer}}",
        "Properties": {},
        "Type": "nickname",
        "Value": "MyNick",
        "ValueType": "http://www.w3.org/2001/XMLSchema#string"
    },
    {
        "Issuer": "{{issuer}}",
        "OriginalIssuer": "{{issuer}}",
        "Properties": {},
        "Type": "name",
        "Value": "MyNick@mymail.it",
        "ValueType": "http://www.w3.org/2001/XMLSchema#string"
    },
    {
        "Issuer": "{{issuer}}",
        "OriginalIssuer": "{{issuer}}",
        "Properties": {},
        "Type": "picture",
        "Value": "MyProfilePicURL",
        "ValueType": "http://www.w3.org/2001/XMLSchema#string"
    },
    {
        "Issuer": "{{issuer}}",
        "OriginalIssuer": "{{issuer}}",
        "Properties": {},
        "Type": "updated_at",
        "Value": "\"2020-07-06T09:16:30.744Z\"",
        "ValueType": "System.DateTime"
    },
    {
        "Issuer": "{{issuer}}",
        "OriginalIssuer": "{{issuer}}",
        "Properties": {
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/ShortTypeName": "sub"
        },
        "Type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
        "Value": "auth0|somecode",
        "ValueType": "http://www.w3.org/2001/XMLSchema#string"
    }

My question is: how can I get the claims I get with cookie auth while using the JWT bearer header?

Hi @ldiane,

The first snippet you posted looks like an access token, the second looks like the claims returned from the userinfo endpoint.

https://auth0.com/docs/api/authentication#get-user-info


Hi @dan.woda,

Thank you, I am now starting to understand better

  • How come I already have this information by default while using cookies + browser authentication?
  • Is AddOpenIdConnect handling it for me?
  • Is there a way to gather that information without creating a custom HTTP request for userinfo?

Thank you in advance

Here's my AddOpenIdConnect call:

        .AddOpenIdConnect("Auth0", options =>
        {
            options.Authority = $"https://{Configuration["Auth0:Domain"]}";
            options.ClientId = Configuration["Auth0:ClientId"];
            options.ClientSecret = Configuration["Auth0:ClientSecret"];
            // Authorization code flow; tokens are exchanged server-side.
            options.ResponseType = "code";
            options.CallbackPath = new PathString("/callback");
            options.ClaimsIssuer = "Auth0";
            // Keep the id/access/refresh tokens in the authentication properties.
            options.SaveTokens = true;

            options.TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name"
            };

            options.Events = new OpenIdConnectEvents
            {
                // Build the Auth0 logout URL so sign-out also ends the Auth0 session.
                OnRedirectToIdentityProviderForSignOut = (context) =>
                {
                    var logoutUri = $"https://{Configuration["Auth0:Domain"]}/v2/logout?client_id={Configuration["Auth0:ClientId"]}";

                    var postLogoutUri = context.Properties.RedirectUri;
                    if (!string.IsNullOrEmpty(postLogoutUri))
                    {
                        // Turn a relative return URL into an absolute one for the returnTo parameter.
                        if (postLogoutUri.StartsWith("/"))
                        {
                            var request = context.Request;
                            postLogoutUri = request.Scheme + "://" + request.Host + request.PathBase + postLogoutUri;
                        }
                        logoutUri += $"&returnTo={Uri.EscapeDataString(postLogoutUri)}";
                    }

                    context.Response.Redirect(logoutUri);
                    context.HandleResponse();

                    return Task.CompletedTask;
                }
            };
        })

Can you take a look at our quickstart that shows how to get the user profile and see if that clears things up? (.NET is not my expertise, I'm sorry.)

https://auth0.com/docs/quickstart/webapp/aspnet-core-3/02-user-profile#get-the-profile
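One way to close the gap the thread describes, as an added example that is not part of the original posts nor Auth0's own code: the access token validated by AddJwtBearer carries only the claims shown above (iss, sub, aud, scope, ...), while the profile claims on the cookie side (nickname, name, picture, updated_at) come from the user's profile. Since the token's aud already includes `{{Issuer}}userinfo`, a JwtBearerEvents.OnTokenValidated handler can call that endpoint with the same bearer token and append the profile claims to the principal before the ticket is created. The example assumes `Configuration["Auth0:Authority"]` is the issuer URL (`https://{domain}/`), that `services.AddHttpClient()` is registered, and that the userinfo endpoint is `{Authority}userinfo`; the helper name `AddUserInfoClaimsAsync` and the claim list are the example's own choices.

```csharp
// Added example (not from the thread or from Auth0): enrich a validated Auth0 access
// token with profile claims from the userinfo endpoint so that bearer-token requests
// see the same nickname/name/picture claims the cookie sign-in gets.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public partial class Startup
{
    // Profile claims to copy from userinfo when the access token lacks them (assumed list).
    private static readonly string[] ProfileClaims = { "nickname", "name", "picture", "updated_at", "email" };

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddHttpClient(); // assumption: IHttpClientFactory is available for the userinfo call

        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddJwtBearer(options =>
        {
            options.Authority = Configuration["Auth0:Authority"]; // assumed: https://{domain}/
            options.Audience = Configuration["Auth0:Audience"];
            options.ClaimsIssuer = "Auth0";
            options.TokenValidationParameters = new TokenValidationParameters { NameClaimType = "name" };
            // Runs only after signature, issuer, audience and lifetime validation succeeded.
            options.Events = new JwtBearerEvents { OnTokenValidated = AddUserInfoClaimsAsync };
        });
    }

    private static async Task AddUserInfoClaimsAsync(TokenValidatedContext context)
    {
        var rawToken = (context.SecurityToken as JwtSecurityToken)?.RawData;
        var identity = context.Principal?.Identity as ClaimsIdentity;
        if (rawToken == null || identity == null) return;

        // Assumption: the userinfo endpoint lives at {Authority}userinfo, matching the
        // "{{Issuer}}userinfo" audience visible in the thread's access token.
        var userInfoUrl = new Uri(new Uri(context.Options.Authority), "userinfo");

        var factory = context.HttpContext.RequestServices.GetRequiredService<IHttpClientFactory>();
        using var request = new HttpRequestMessage(HttpMethod.Get, userInfoUrl);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", rawToken);
        using var response = await factory.CreateClient().SendAsync(request, context.HttpContext.RequestAborted);
        // A failed profile lookup must not turn a valid token into an unauthenticated request;
        // leave the principal as validated and continue.
        if (!response.IsSuccessStatusCode) return;

        using var json = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        var root = json.RootElement;

        // Only merge a profile that belongs to the token's subject (sub maps to NameIdentifier).
        var tokenSubject = identity.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (!root.TryGetProperty("sub", out var sub) || sub.GetString() != tokenSubject) return;

        var issuer = context.Options.ClaimsIssuer ?? "Auth0";
        foreach (var name in ProfileClaims)
        {
            if (identity.HasClaim(c => c.Type == name)) continue; // token already carries it
            if (root.TryGetProperty(name, out var value) && value.ValueKind == JsonValueKind.String)
            {
                identity.AddClaim(new Claim(name, value.GetString(), ClaimValueTypes.String, issuer));
            }
        }
    }
}
```

The handler adds one outbound HTTP request per bearer-authenticated request; in a real service, cache the fetched profile keyed by the token's subject and expiry (for example with IMemoryCache) so the userinfo endpoint is not hit on every call, and keep the subject check so a profile is never attached to a principal with a different `sub`.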
