`AddHeadersToRequest` with Claims[sub] and Claims[roles] #1939

jnormen · 2019-05-15T19:06:49Z

jnormen
May 15, 2019

Expected Behavior / New Feature

When pass this:

"AddHeadersToRequest": {
   "tenantId": "Claims[tenantId] > value",
    "caller": "Claims[sub] > value",
    "roles": "Claims[roles] > value"
}

with this token:

"sub": "8723c40a-0b57-4447-b1a5-d3c15f7ca9ea",
"typ": "Bearer",
"roles": ["Admin","User"]

Expect to have 3 header values.

Actual Behavior / Motivation for New Feature

  "tenantId": "Claims[tenantId] > value",

This works no problem. If I type typ it also works. if I type other claims from token it all works.

But when I use sub it says: Cannot find a claim for key: sub errors found in ResponderMiddleware.

If roles, the same: Cannot find a claim for key: roles errors found in ResponderMiddleware.

This they are all there in the token. And I can use most of the other claim names.

Is sub and roles somewhat reserved or ignored?

Steps to Reproduce the Problem

add:

"AddHeadersToRequest": {
  "tenantId": "Claims[tenantId] > value",
  "caller": "Claims[sub] > value"
}

"AuthenticationOptions": {
  "AuthenticationProviderKey": "myKey",
  "AllowedScopes": []
}

call API with valid bearer token.

jnormen · 2019-05-15T19:29:59Z

jnormen
May 15, 2019
Author

I see now that JwtBearer settings in ASP .Net with the Jwt Schema change sub and roles to namespaces like this: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: 8723c40a-0b57-4447-b1a5-d3c15f7ca9ea}

so my sub I pass in is transformed to "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

To fix this I need to do:
var claimValues = claims.Where(c => c.Type == ClaimTypes.NameIdentifier).Select(c => c.Value).ToArray();

in the ClaimsParser if key is sub.
Or use:
"caller" : "Claims[http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier]

3 replies

raman-m Jan 21, 2024
Maintainer

@jnormen
Do you still see an issue or not? I don't!
We can discuss it more, if you don't like your hacky fix... 😉

jnormen Jan 21, 2024
Author

This is long time ago and I do no use Ocelot any more.
2024 now :) 2019 was long time ago in software world :)

raman-m Jan 21, 2024
Maintainer

I know, long time ago...
But it was your feature request, right? Or it uncovers a bug in Ocelot or in ASP.NET framework...
I guess the issue is still actual...

EasyMilos · 2019-06-27T19:31:44Z

EasyMilos
Jun 27, 2019

Or you use
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
in Startup and claims are back normal.

1 reply

raman-m Jan 21, 2024
Maintainer

Well... Could we create complete list of reserved claim names somehow?
And how to detect wrong claim name during run-time?

Navaladi2019 · 2021-05-31T10:27:20Z

Navaladi2019
May 31, 2021

if the claim name is nameid, it is not getting forwarded. On other names it is working fine

1 reply

raman-m Jan 21, 2024
Maintainer

Please, prove that fact by a link to ASP.NET official repository!

AddHeadersToRequest with Claims[sub] and Claims[roles] #1939

Uh oh!

Uh oh!

jnormen May 15, 2019

Expected Behavior / New Feature

Actual Behavior / Motivation for New Feature

Steps to Reproduce the Problem

Replies: 3 comments · 5 replies

Uh oh!

jnormen May 15, 2019 Author

Uh oh!

raman-m Jan 21, 2024 Maintainer

Uh oh!

jnormen Jan 21, 2024 Author

Uh oh!

raman-m Jan 21, 2024 Maintainer

Uh oh!

EasyMilos Jun 27, 2019

Uh oh!

raman-m Jan 21, 2024 Maintainer

Uh oh!

Uh oh!

Navaladi2019 May 31, 2021

Uh oh!

raman-m Jan 21, 2024 Maintainer

`AddHeadersToRequest` with Claims[sub] and Claims[roles] #1939

jnormen
May 15, 2019

Replies: 3 comments 5 replies

jnormen
May 15, 2019
Author

raman-m Jan 21, 2024
Maintainer

jnormen Jan 21, 2024
Author

raman-m Jan 21, 2024
Maintainer

EasyMilos
Jun 27, 2019

raman-m Jan 21, 2024
Maintainer

Navaladi2019
May 31, 2021

raman-m Jan 21, 2024
Maintainer