Using both JWT and cookie authentication results in missing/different claims

I have a .NET Core 3.0 API that should be able to authenticate users from either cookies or a JWT bearer token.

So I followed the quickstart guide.
The login via browser and cookies works properly.

By default it wasn't authenticating via the header token in Postman, so I did the following to have 2 authorization schemes:

        //AddOpenIdConnect omitted for brevity
        services.AddAuthentication(options =>
        {
            // Cookies remain the default for authenticate/sign-in/challenge (browser flow);
            // the bearer scheme is only consulted where a policy names it explicitly.
            options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddJwtBearer(options =>
        {
            // Validates the Auth0 access token: signature and issuer via the Authority's
            // discovery document, plus audience and expiry.
            options.Authority = Configuration["Auth0:Authority"];
            options.Audience = Configuration["Auth0:Audience"];
            options.ClaimsIssuer = "Auth0";
            options.TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name"
            };
        });

        services.AddAuthorization(options =>
        {
            // The default policy authenticates against both schemes and merges the
            // identities each one produces into the request's principal.
            options.DefaultPolicy = new AuthorizationPolicyBuilder(new string[]
                {
                    JwtBearerDefaults.AuthenticationScheme,
                    CookieAuthenticationDefaults.AuthenticationScheme
                })
                .RequireAuthenticatedUser()
                .Build();
        });

I get the JWT token from Postman by using this tutorial.
Now I can log in with both options.

My problem is that the same user results in different claims depending on the authorization type.

JWT auth gives me the following claims:

    {
        "Issuer": "{{Issuer}}",
        "OriginalIssuer": "{{Issuer}}",
        "Properties": {},
        "Type": "iss",
        "Value": "{{Issuer}}",
        "ValueType": "http://www.w3.org/2001/XMLSchema#string"
    },
    {
        "Issuer": "{{Issuer}}",
        "OriginalIssuer": "{{Issuer}}",
        "Properties": {
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/ShortTypeName": "sub"
        },
        "Type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
        "Value": "auth0|blablabla",
        "ValueType": "http://www.w3.org/2001/XMLSchema#string"
    },
    {
        "Issuer": "{{Issuer}}",
        "OriginalIssuer": "{{Issuer}}",
        "Properties": {},
        "Type": "aud",
        "Value": "{{Issuer}}api/v2/",
        "ValueType": "http://www.w3.org/2001/XMLSchema#string"
    },
    {
        "Issuer": "{{Issuer}}",
        "OriginalIssuer": "{{Issuer}}",
        "Properties": {},
        "Type": "aud",
        "Value": "{{Issuer}}userinfo",
        "ValueType": "http://www.w3.org/2001/XMLSchema#string"
    },
    {
        "Issuer": "{{Issuer}}",
        "OriginalIssuer": "{{Issuer}}",
        "Properties": {},
        "Type": "iat",
        "Value": "various numbers",
        "ValueType": "http://www.w3.org/2001/XMLSchema#integer"
    },
    {
        "Issuer": "{{Issuer}}",
        "OriginalIssuer": "{{Issuer}}",
        "Properties": {},
        "Type": "exp",
        "Value": "various numbers",
        "ValueType": "http://www.w3.org/2001/XMLSchema#integer"
    },
    {
        "Issuer": "{{Issuer}}",
        "OriginalIssuer": "{{Issuer}}",
        "Properties": {},
        "Type": "azp",
        "Value": "blablabla",
        "ValueType": "http://www.w3.org/2001/XMLSchema#string"
    },
    {
        "Issuer": "{{Issuer}}",
        "OriginalIssuer": "{{Issuer}}",
        "Properties": {},
        "Type": "scope",
        "Value": "openid profile email",
        "ValueType": "http://www.w3.org/2001/XMLSchema#string"
    }

Cookie auth gives me the following claims:

    {
        "Issuer": "{{issuer}}",
        "OriginalIssuer": "{{issuer}}",
        "Properties": {},
        "Type": "nickname",
        "Value": "MyNick",
        "ValueType": "http://www.w3.org/2001/XMLSchema#string"
    },
    {
        "Issuer": "{{issuer}}",
        "OriginalIssuer": "{{issuer}}",
        "Properties": {},
        "Type": "name",
        "Value": "MyNick@mymail.it",
        "ValueType": "http://www.w3.org/2001/XMLSchema#string"
    },
    {
        "Issuer": "{{issuer}}",
        "OriginalIssuer": "{{issuer}}",
        "Properties": {},
        "Type": "picture",
        "Value": "MyProfilePicURL",
        "ValueType": "http://www.w3.org/2001/XMLSchema#string"
    },
    {
        "Issuer": "{{issuer}}",
        "OriginalIssuer": "{{issuer}}",
        "Properties": {},
        "Type": "updated_at",
        "Value": "\"2020-07-06T09:16:30.744Z\"",
        "ValueType": "System.DateTime"
    },
    {
        "Issuer": "{{issuer}}",
        "OriginalIssuer": "{{issuer}}",
        "Properties": {
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/ShortTypeName": "sub"
        },
        "Type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
        "Value": "auth0|somecode",
        "ValueType": "http://www.w3.org/2001/XMLSchema#string"
    }

My question is: how can I get the claims I get with cookie auth while using the JWT bearer header?

Hi @ldiane,

The first snippet you posted looks like an access token, the second looks like the claims returned from the userinfo endpoint.


Hi @dan.woda,

Thank you, I am now starting to understand better.

  • How come I already have that information by default when using cookie + browser authentication?
  • Is AddOpenIdConnect handling it for me?
  • Is there a way to gather that information without creating a custom HTTP request for userinfo?

Thank you in advance

Here's my AddOpenIdConnect call:

        .AddOpenIdConnect("Auth0", options =>
        {
            options.Authority = $"https://{Configuration["Auth0:Domain"]}";
            options.ClientId = Configuration["Auth0:ClientId"];
            options.ClientSecret = Configuration["Auth0:ClientSecret"];
            // Authorization code flow; the handler exchanges the code for tokens on the back channel
            options.ResponseType = "code";
            options.CallbackPath = new PathString("/callback");
            options.ClaimsIssuer = "Auth0";
            // Store the id/access/refresh tokens in the authentication cookie's properties
            options.SaveTokens = true;

            options.TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name"
            };

            options.Events = new OpenIdConnectEvents
            {
                // Auth0 has no standard end_session endpoint, so build its /v2/logout URL by hand
                OnRedirectToIdentityProviderForSignOut = (context) =>
                {
                    var logoutUri = $"https://{Configuration["Auth0:Domain"]}/v2/logout?client_id={Configuration["Auth0:ClientId"]}";

                    var postLogoutUri = context.Properties.RedirectUri;
                    if (!string.IsNullOrEmpty(postLogoutUri))
                    {
                        if (postLogoutUri.StartsWith("/"))
                        {
                            // Turn an app-relative return URL into an absolute one
                            var request = context.Request;
                            postLogoutUri = request.Scheme + "://" + request.Host + request.PathBase + postLogoutUri;
                        }
                        logoutUri += $"&returnTo={Uri.EscapeDataString(postLogoutUri)}";
                    }

                    context.Response.Redirect(logoutUri);
                    // Stop the handler from also issuing its own redirect
                    context.HandleResponse();

                    return Task.CompletedTask;
                }
            };
        })

Can you take a look at our quickstart that shows how to get the user profile and see if that clears things up? (.NET is not my expertise, I'm sorry.)
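The OpenID Connect handler can fetch profile claims for the cookie session itself (its GetClaimsFromUserInfoEndpoint option), but the JWT bearer handler has no equivalent: a validated access token yields only the token's own claims. The following is an added example, not code from the thread or from Auth0's quickstart, of calling the userinfo endpoint from the bearer handler's OnTokenValidated event so that bearer requests end up with the same profile claims as cookie sign-in. It assumes the same Configuration["Auth0:Authority"] and ["Auth0:Audience"] keys used above and that services.AddHttpClient() has been registered.

```csharp
// Added example (not from the thread): enrich the bearer principal with userinfo claims.
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text.Json;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

services.AddHttpClient();                         // assumption: IHttpClientFactory is registered
services.AddAuthentication(/* defaults as in the thread */)
    .AddCookie()
    .AddJwtBearer(options =>
    {
        options.Authority = Configuration["Auth0:Authority"];
        options.Audience = Configuration["Auth0:Audience"];
        options.ClaimsIssuer = "Auth0";
        options.Events = new JwtBearerEvents
        {
            // Runs after signature, issuer, audience and expiry checks have passed;
            // at this point the principal only holds iss/sub/aud/scope/... from the token.
            OnTokenValidated = async ctx =>
            {
                var identity = ctx.Principal?.Identity as ClaimsIdentity;
                var raw = (ctx.SecurityToken as JwtSecurityToken)?.RawData;
                if (identity == null || raw == null) return;

                // userinfo only returns profile fields when the token carries the scope
                var scopes = identity.FindFirst("scope")?.Value?.Split(' ') ?? new string[0];
                if (!scopes.Contains("profile")) return;

                var http = ctx.HttpContext.RequestServices
                    .GetRequiredService<IHttpClientFactory>().CreateClient();
                var req = new HttpRequestMessage(HttpMethod.Get, options.Authority.TrimEnd('/') + "/userinfo");
                req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", raw);
                var resp = await http.SendAsync(req);
                if (!resp.IsSuccessStatusCode) return;   // keep the token-only principal rather than fail auth

                using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
                foreach (var prop in doc.RootElement.EnumerateObject())
                {
                    // Copy scalar fields (nickname, name, picture, updated_at, ...) as claims;
                    // skip non-strings and anything the token already supplied, e.g. "sub".
                    if (prop.Value.ValueKind != JsonValueKind.String) continue;
                    if (prop.Name == "sub" || identity.HasClaim(c => c.Type == prop.Name)) continue;
                    identity.AddClaim(new Claim(prop.Name, prop.Value.GetString(), ClaimValueTypes.String, options.ClaimsIssuer));
                }
            }
        };
    });
```

This costs one userinfo round trip per bearer request, so in practice cache the fetched claims (for example in IMemoryCache keyed on the token's sub and exp) to stay within Auth0's userinfo rate limits.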
