I have a .NET Core 3.0 API that should be able to authenticate users with either cookies or a JWT bearer token.
So I followed the quickstart guide.
The login via browser and cookies works properly.
By default it wasn't authenticating via the bearer token in the request header from Postman, so I did the following to have two authentication schemes:
// AddOpenIdConnect omitted for brevity
// Cookies stay the default for authenticate / sign-in / challenge so the
// browser flow is unchanged; the bearer scheme is only reached through the
// default authorization policy below, which lists both schemes explicitly.
services
    .AddAuthentication(authOptions =>
    {
        var cookieScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        authOptions.DefaultAuthenticateScheme = cookieScheme;
        authOptions.DefaultSignInScheme = cookieScheme;
        authOptions.DefaultChallengeScheme = cookieScheme;
    })
    .AddCookie()
    .AddJwtBearer(jwtOptions =>
    {
        // Authority drives discovery (signing keys, expected issuer); Audience is
        // what the handler checks the token's "aud" claim against.
        // NOTE(review): Audience should be this API's own identifier. The "aud"
        // values in the dumped bearer claims ({{Issuer}}api/v2/, {{Issuer}}userinfo)
        // look like a token minted for the Auth0 Management API rather than for
        // this API — confirm the configured Auth0:Audience value.
        jwtOptions.Authority = Configuration["Auth0:Authority"];
        jwtOptions.Audience = Configuration["Auth0:Audience"];

        // ClaimsIssuer only labels Claim.Issuer on the resulting claims; it takes
        // no part in token validation.
        jwtOptions.ClaimsIssuer = "Auth0";

        // NameClaimType selects the claim that backs User.Identity.Name. A token
        // without a "name" claim (the dumped bearer claims have none) yields a
        // null Name; all other validation settings keep their defaults.
        jwtOptions.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = "name",
        };
    });

// A request is authorized when either scheme yields an authenticated user;
// the policy evaluator authenticates against each listed scheme and merges
// the resulting identities.
services.AddAuthorization(authzOptions =>
{
    var eitherScheme = new AuthorizationPolicyBuilder(
            JwtBearerDefaults.AuthenticationScheme,
            CookieAuthenticationDefaults.AuthenticationScheme)
        .RequireAuthenticatedUser();

    authzOptions.DefaultPolicy = eitherScheme.Build();
});
I obtain the JWT token in Postman by following this tutorial.
Now I can log in with both options.
My problem is that the same user ends up with different claims depending on which authentication scheme is used.
JWT auth gives me the following claims:
{
"Issuer": "{{Issuer}}",
"OriginalIssuer": "{{Issuer}}",
"Properties": {},
"Type": "iss",
"Value": "{{Issuer}}",
"ValueType": "http://www.w3.org/2001/XMLSchema#string"
},
{
"Issuer": "{{Issuer}}",
"OriginalIssuer": "{{Issuer}}",
"Properties": {
"http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/ShortTypeName": "sub"
},
"Type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
"Value": "auth0|blablabla",
"ValueType": "http://www.w3.org/2001/XMLSchema#string"
},
{
"Issuer": "{{Issuer}}",
"OriginalIssuer": "{{Issuer}}",
"Properties": {},
"Type": "aud",
"Value": "{{Issuer}}api/v2/",
"ValueType": "http://www.w3.org/2001/XMLSchema#string"
},
{
"Issuer": "{{Issuer}}",
"OriginalIssuer": "{{Issuer}}",
"Properties": {},
"Type": "aud",
"Value": "{{Issuer}}userinfo",
"ValueType": "http://www.w3.org/2001/XMLSchema#string"
},
{
"Issuer": "{{Issuer}}",
"OriginalIssuer": "{{Issuer}}",
"Properties": {},
"Type": "iat",
"Value": "various numbers",
"ValueType": "http://www.w3.org/2001/XMLSchema#integer"
},
{
"Issuer": "{{Issuer}}",
"OriginalIssuer": "{{Issuer}}",
"Properties": {},
"Type": "exp",
"Value": "various numbers",
"ValueType": "http://www.w3.org/2001/XMLSchema#integer"
},
{
"Issuer": "{{Issuer}}",
"OriginalIssuer": "{{Issuer}}",
"Properties": {},
"Type": "azp",
"Value": "blablabla",
"ValueType": "http://www.w3.org/2001/XMLSchema#string"
},
{
"Issuer": "{{Issuer}}",
"OriginalIssuer": "{{Issuer}}",
"Properties": {},
"Type": "scope",
"Value": "openid profile email",
"ValueType": "http://www.w3.org/2001/XMLSchema#string"
}
Cookie auth gives me the following claims:
{
"Issuer": "{{issuer}}",
"OriginalIssuer": "{{issuer}}",
"Properties": {},
"Type": "nickname",
"Value": "MyNick",
"ValueType": "http://www.w3.org/2001/XMLSchema#string"
},
{
"Issuer": "{{issuer}}",
"OriginalIssuer": "{{issuer}}",
"Properties": {},
"Type": "name",
"Value": "MyNick@mymail.it",
"ValueType": "http://www.w3.org/2001/XMLSchema#string"
},
{
"Issuer": "{{issuer}}",
"OriginalIssuer": "{{issuer}}",
"Properties": {},
"Type": "picture",
"Value": "MyProfilePicURL",
"ValueType": "http://www.w3.org/2001/XMLSchema#string"
},
{
"Issuer": "{{issuer}}",
"OriginalIssuer": "{{issuer}}",
"Properties": {},
"Type": "updated_at",
"Value": "\"2020-07-06T09:16:30.744Z\"",
"ValueType": "System.DateTime"
},
{
"Issuer": "{{issuer}}",
"OriginalIssuer": "{{issuer}}",
"Properties": {
"http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/ShortTypeName": "sub"
},
"Type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
"Value": "auth0|somecode",
"ValueType": "http://www.w3.org/2001/XMLSchema#string"
}
My question is: how can I get the same claims I get with cookie auth while authenticating with the JWT bearer header?