No Name Claim & Duplicate Email Claims

[ConnorJohnMacaskill]

I have a very simple Azure web app configured to use Azure EasyAuth and have implemented this library with success. But I am having issues accessing certain fields in the HttpContext.User.Identity object.

The claims are set as expected, but the Name field is blank despite the "X-MS-CLIENT-PRINCIPAL" header containing a name claim. Manually decoding the header reveals it includes the following two lines:

"name_typ":"http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/emailaddress"
"role_typ":"http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims\/role

Which, due to this section of code in StandardPrincipleClaimMapper.cs, results in the name claim being retype as an emailaddress claim.

else if (claimsModel.Type.Equals(KnownEasyAuthClaimAliases.Name, StringComparison.OrdinalIgnoreCase))
{
    claimType = string.IsNullOrEmpty(headerPrincipalModel.NameClaimType) ? ClaimTypes.Name : headerPrincipalModel.NameClaimType;
}

This results in the identity being created with two emailaddress claims with different values, one containing my name and one containing my actual email address. The values of RoleClaimType and NameClaimType are also never passed as the "nameType" and "roleType" parameters when constructing the ClaimsIdentity object, resulting in the blank Name field.

Is there something I have configured incorrectly or is this intended behaviour? I can't seem to find anything relating to this online.

Thanks!

[dasiths]

Thank you reporting this.

Can you provide a bit more detail about the type of auth provider being used and the dump of the headers (with sensitive info removed)?

From what I understood from your question, the claimType of the name being set to name_typ defined in the headers is intended behaviour of the mapper.

In the meantime you can use the IClaimMapper or IHeaderDictionaryTransformer to map the claims as you wish. More examples here.

[ConnorJohnMacaskill]

Certainly, this is setup using the "Microsoft" identity provider through Azure's Entra ID. The relevant headers are as follows (I have decoded the base64 and redacted where appropriate):

    "X-MS-CLIENT-PRINCIPAL-NAME": [
        "[email protected]"
    ],
    "X-MS-CLIENT-PRINCIPAL-ID": [
        "(guid)"
    ],
    "X-MS-CLIENT-PRINCIPAL-IDP": [
        "aad"
    ],
    "X-MS-CLIENT-PRINCIPAL": [
        "{"auth_typ":"aad","claims":[{"typ":"aud","val":"(guid)"},{"typ":"iss","val":"https:\/\/login.microsoftonline.com\/deaab16b-1c04-4cb8-af7d-b2729d0fc798\/v2.0"},{"typ":"iat","val":"1727285982"},{"typ":"nbf","val":"1727285982"},{"typ":"exp","val":"1727289882"},{"typ":"aio","val":"AWQAm\/8YAAAAt09OFmRb\/7ydXrc4w9D2cFL85zyeHFy\/UarRSadmRQbfD2ughbD4Xz2icQ3n7ltAEvgV\/\/cnYcw920YUDBz2Xn4RcnF9pbx5gp5sEBoOf1Mvj6lGIcUnk6eb14qwffyy"},{"typ":"c_hash","val":"QxxTWGmRCDcTdivKwo7LVg"},{"typ":"cc","val":"CgEAEhBpbW1peHByb3RlY3QuY29tGhIKEOtSd\/LBv5JHikGT5ox1Uf4iEgoQJV\/8Xjq6Tkm6z1bQFlRWADICTkE4AA=="},{"typ":"http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/emailaddress","val":"[email protected]"},{"typ":"name","val":"Connor Macaskill"},{"typ":"nonce","val":"7d00a305fg3b46e9afdc59e717a38fff_20240925174732"},{"typ":"http:\/\/schemas.microsoft.com\/identity\/claims\/objectidentifier","val":"(guid)"},{"typ":"preferred_username","val":"[email protected]"},{"typ":"rh","val":"0.AUYAa8Hk3gQcuEydwsbJynQ_HmIFlhuBlvxBFssGivjxbOpjxAOI."},{"typ":"http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/nameidentifier","val":"DQe-mnFW_ahXdkrhRIAeAp57DHh2fAXWzlAh88-1uLA"},{"typ":"http:\/\/schemas.microsoft.com\/identity\/claims\/tenantid","val":"deaab16b-1c04-4cb8-af7d-b2729d0fc798"},{"typ":"uti","val":"JV_8Xjq6Tkm6z1bQFlRWAA"},{"typ":"ver","val":"2.0"}],"name_typ":"http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/emailaddress","role_typ":"http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims\/role"}"
    ],
    "X-MS-TOKEN-AAD-ACCESS-TOKEN": [
        "{"typ":"JWT","nonce":"Y59U1DA77v6v1TNoJjDNWNKTR3HokxLLYGT81omhJj4","alg":"RS256","x5t":"Mc7l3Iz93g7uwgNeEmmw_WYGPko","kid":"Mc7l3Iz93g7uwgNeEmmw_WYGPko"}{"aud":"00000003-0000-0000-c000-000000000000","iss":"https://sts.windows.net/deaab16b-1c04-4cb8-af7d-b2729d0fc798/","iat":1727285983,"nbf":1727285983,"exp":1727289899,"acct":0,"acr":"1","aio":"AVQAq/8YAAAATzIxS6SlW6BbSq2f3IYwOYaHQR1cL+gdq+SRLa0l6tNDoRGFUqxdnQ3/NM4xdXwycHd23s9kZkCHINl9hThFLdU8uNhaj0sXn3ZecXArv6g=","amr":["pwd","mfa"],"app_displayname":"(name)","appid":"(guid)","appidacr":"1","idtyp":"user","ipaddr":"2a0e:1d47:cf06:a900:35e6:ced5:a567:6d80","name":"Connor Macaskill","oid":"acfc3793-c64c-4678-a1d5-ac1f0e31f35d","platf":"3","puid":"10032000A31004CF","rh":"0.AUYAa7Gq3gQcuEyvfbJynQ_HmAMAAAAAAAAAwAAAAAAAAADxAOI.","scp":"email openid profile User.Read","signin_state":["kmsi"],"sub":"usg4aQ4awE7-OqDxKUUMg-tNYbPMGDDvN1DRkNs7g3s","tenant_region_scope":"NA","tid":"(guid)","unique_name":"[email protected]","upn":"[email protected]","uti":"PV2ACtNvmEG-zpiA1NQZAA","ver":"1.0","wids":["62e90394-69f5-4237-9190-012177145e10","b79fbf4d-3ef9-4689-8143-76b194e85509"],"xms_idrel":"1 8","xms_st":{"sub":"DQe-mnFW_ahXdkrhRIAeAp57DHh2fAXWzlAh88-1uLA"}"
    ],
    "X-MS-TOKEN-AAD-EXPIRES-ON": [
        "2024-09-25T18:44:59.1748436Z"
    ],
    "X-MS-TOKEN-AAD-ID-TOKEN": [
        "{"typ":"JWT","alg":"RS256","kid":"Mc7l3Iz93g7uwgNeEmmw_WYGPko"}{"aud":"e0866581-bf65-4510-b2c1-a2be3c5b3a98","iss":"https://login.microsoftonline.com/deaab16b-1c04-4cb8-af7d-b2729d0fc798/v2.0","iat":1727285983,"nbf":1727285983,"exp":1727289883,"aio":"AWQAm/8YAAAAxhgpM+O5nPz7caeuG+2NphHQp7tbxFyNHyP9bhm+M8IhGK8s5WJguZuM+uMxRvFFpKM2XtbrTgW8fiNOutQ54RIKPecygBRfplTmNio3LBHfZslUMfVEkz4hQDydkbzU","email":"[email protected]","name":"Connor Macaskill","nonce":"7d00a305ac3b46d9afdc59e717a38bbf_20240925174732","oid":"(guid)","preferred_username":"[email protected]","rh":"0.AUYAa7Gq3gQcuEyvfbJynQ_HmIFlhuBlvxBFssGivjxbOpjxAOI.","sub":"DQe-mnFW_ahXdkrhRIAeAp57DHh2fAXWzlAh88-1uLA","tid":"(guid)","uti":"PV2ACtNvmEG-zpiA1NQZAA","ver":"2.0"}"
    ],
    "X-Original-For": [
        "[::ffff:(ip)]:(port)"
    ]

I agree it's intended behavior for the mapper to map the name_typ and role_typ claims, but unless i'm misunderstanding it seems incorrect that it doesn't then pass these claim types as the "nameType" and "roleType" parameters when constructing the ClaimsIdentity object? As currently it results in the identity being populated with a blank name as it is looking for the (now non-existent) name claim.

Thank you for for your advice in mapping the claims myself, just wanted to ensure I didn't misunderstand how things should be working.

[dasiths]

{
    "auth_typ": "aad",
    "claims": [
       {
          "typ": "role",
          "val": "abc"
       },
       {
          "typ": "name",
          "val": "Connor Macaskill"
       }
    ],
    "name_typ": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "role_typ": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
 }

The mapper just passes the claims to the ClaimsIdentity object and does not do anything special to mark any of the claims as a name or role right now.

Are you suggesting we set the following fields upon constructing the ClaimsIdentity?

• ClaimsIdentity.NameClaimType : https://learn.microsoft.com/en-us/dotnet/api/system.security.claims.claimsidentity.nameclaimtype?view=net-8.0#system-security-claims-claimsidentity-nameclaimtype

• ClaimsIdentity.RoleClaimType: https://learn.microsoft.com/en-us/dotnet/api/system.security.claims.claimsidentity.roleclaimtype?view=net-8.0#system-security-claims-claimsidentity-roleclaimtype

This would require some design changes to allow propagating this extra information. We may need to introduce fields in the ClaimMapResult to store the name_type and role_type information.