Unable to Retrieve Claims in .NET Core 2.0

Question

I am using an OpenId Connect Authentication Server, specifically Identity Server 4 (version 1.5.2) on .NET Core 1.1. I have this running with ASP.NET

Answer 1

Please see below, I ran into the same issue as you. I'm sure there is a configuration issue we are missing, but for the time being I parsed the values coming back from the UserInfoEndpoint in the OnUserInformationReceived event handler.

    public override void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(sharedOptions =>
        {
            sharedOptions.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
            .AddCookie()
            .AddOpenIdConnect(o =>
            {
                o.ClientId = "sss";
                o.ClientSecret = "sss";
                o.RequireHttpsMetadata = false;
                o.Authority = "http://localhost:60000/";
                o.MetadataAddress = "http://localhost:60000/IdSrv/.well-known/openid-configuration";
                o.ResponseType = OpenIdConnectResponseType.IdTokenToken;
                o.CallbackPath = new PathString("/CGI/Home/Index");
                o.SignedOutCallbackPath = new PathString("/CGI/Account/LoggedOut");
                o.Scope.Add("openid");
                o.Scope.Add("roles");
                o.SaveTokens = true;
                o.GetClaimsFromUserInfoEndpoint = true;
                o.Events = new OpenIdConnectEvents()
                {
                    OnUserInformationReceived = (context) =>
                    {
                        ClaimsIdentity claimsId = context.Principal.Identity as ClaimsIdentity;

                        var roles = context.User.Children().FirstOrDefault(j => j.Path == JwtClaimTypes.Role).Values().ToList();
                        claimsId.AddClaims(roles.Select(r => new Claim(JwtClaimTypes.Role, r.Value<String>())));

                        return Task.FromResult(0);
                    }
                };
                o.TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = JwtClaimTypes.Name,
                    RoleClaimType = JwtClaimTypes.Role,
                };
            });
    }

Edit:

I found that there is an extension method for ClaimsAction property called MapUniqueJsonKey, this seems to work for custom single valued keys but bombs on array types like roles... getting closer

o.ClaimActions.MapUniqueJsonKey("UserType", "UserType");

Answer 2

ASP.NET Core 2 introduced a ClaimActions property to the OpenIdConnectionOptions. The default collection of ClaimActions will remove the claims you are looking for. You can get the claims back by clearing ClaimActions on your options object:

options.ClaimActions.Clear();

See also: https://leastprivilege.com/2017/11/15/missing-claims-in-the-asp-net-core-2-openid-connect-handler/