Asp.Net Core jwt token is transformed after authentication

Question

I have Cognito id token with email claim.

  ..........
  "iat": 164456734,
  "jti": "81ac2634-e241-444f-88cf-eabf454644",
  "email": "david@mail.com"
}

However, after asp net core jwt middleware authentication email claim is transformed from email type to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress - ClaimTypes.Email in C#.

But then I read the token manually:

var token = new JwtSecurityTokenHandler().ReadJwtToken(jwtToken);
var claimsIdentity = new ClaimsIdentity(token.Claims);
var claimsPrincipal = new ClaimsPrincipal(claimsIdentity)

Claim type is not transformed and remains email.

Why in asp net core authentication claim is transformed to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress?

Can I create claimsPrincipal manually having this email claim transformation without manually modifying Claims list?

Tore Nestenius · Answer 1 · 2023-06-02T11:40:48.707

So, Microsoft and OpenIDConnect have different opinions for what the email claim name should be and to disable this remapping you can do either:

public void ConfigureServices(IServiceCollection services)
{
    // By default, Microsoft has some legacy claim mapping that converts
    // standard JWT claims into proprietary ones. This removes those mappings.
    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
    JwtSecurityTokenHandler.DefaultOutboundClaimTypeMap.Clear();



    // Or set this flag to false
    .AddJwtBearer(opt =>
    {
        ...
        opt.MapInboundClaims = false;
    });

To complement this answer, I wrote a blog post that goes into more detail about this topic: Debugging JwtBearer Claim Problems in ASP.NET Core

Thanks for this post, "opt.MapInboundClaims = false;" helped me :-) — Rico Herlt, Jul 27 '22 at 14:56

score 1 · Accepted Answer · answered Jan 19 '22 at 07:21

1

It has in fact been understood as ClaimTypes.Email, however the string returned by this property is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress (source).

The token is not transformed, unless specifically done so, rather parsed and understood as ClaimTypes.Email with the actual token not modified.

answered Jan 19 '22 at 07:21

Jesse Johnson

1,638
15
25

Is there a way to parse the token manually the same way as it is done by the middleware? – Deivydas Voroneckis Jan 19 '22 at 07:36
There is a default claim type mapping that you can clear/modify: https://stackoverflow.com/a/50523668/1658906 (see Startup.cs). – juunas Jan 19 '22 at 07:54

Asp.Net Core jwt token is transformed after authentication

2 Answers2