We are developing an ASP.NET Core 2.2 web application using IdentityServer4 as a gateway to other identity providers, following the federation gateway architecture.
The application we are developing is the actual identity provider web application which is, as explained above, just a gateway to some configured upstream identity providers.
The user basically configures his preferred upstream identity providers and our application takes care of configuring IdentityServer4 so that the configured providers are used as external identity providers for IdentityServer itself.
The requirement for the application user is that each configured provider must be compliant with the OpenID Connect protocol. Each upstream provider is in fact registered with IdentityServer4 by using the ASP.NET Core authentication handler for OpenID Connect.
During the development phase we are testing the application by using Azure Active Directory B2C and our company's instance of Azure Active Directory as test upstream identity providers.
We ask for 3 different scopes during the authentication: `openid`, `profile` and `email`.
We do so because the only user claims that we need from the external provider are `sub` (provided by the `openid` scope), `given_name` and `family_name` (provided by the `profile` scope) and `email` (provided by the `email` scope). Notice that the `email` claim is really important for us, because we want to use it as the primary key by which to identify the system users (this is relevant for the Azure Active Directory B2C issue explained below).
These are standard OpenID Connect scopes and claims, so we expected to find them easily in our test providers. Unfortunately the reality is different and neither Azure Active Directory nor Azure Active Directory B2C sends all of these claims.
What we actually get are the following claims:
- `sub`, `name` and `email` from Azure Active Directory (`given_name` and `family_name` are missing)
- `sub`, `emails`, `given_name` and `family_name` from Azure Active Directory B2C (notice that `emails` is not a standard claim and from the Azure portal it is classified as StringCollection, so it seems possible to get multiple emails for a user, which is not what we want).
My questions are basically the following:
- is it possible to get the standard OpenID Connect `sub`, `email`, `given_name` and `family_name` claims from both Azure Active Directory and Azure Active Directory B2C? Is it just a matter of configuring them properly?
- is it possible to assume that any identity provider declaring itself compliant with OpenID Connect is able to provide us with these four claims? We would like to avoid cluttering our code base with fallback logic to handle the subtle specificities of different providers.
Thanks for helping!
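The claim mismatch described in the question (standard `email` vs. B2C's `emails` collection, missing `given_name`/`family_name` from Azure AD) can be handled in one place, in the `OnTokenValidated` event of the ASP.NET Core OpenID Connect handler, rather than scattered through the application. The following is an added example, not code from the poster or from IdentityServer4. It assumes ASP.NET Core 2.2 with `Microsoft.AspNetCore.Authentication.OpenIdConnect`; the type and method names `ClaimNormalizer`, `TryNormalize` and `OpenIdConnectNormalization.Apply` are illustrative, and the `idp` claim that records the upstream issuer is a design choice of this example (a `sub` value is only unique within one issuer). Where a provider sends zero or several email values the example rejects the sign-in rather than picking one, because an ambiguous identifier would undermine using the email as the user key.

```csharp
// Added example, not from the original post: normalise the claims returned by
// different upstream OpenID Connect providers into the four claims the gateway
// needs (sub, email, given_name, family_name).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

public static class ClaimNormalizer
{
    // Look a claim up under its raw OIDC name first, then under the .NET
    // ClaimTypes name that JwtSecurityTokenHandler maps it to by default
    // (e.g. "sub" -> ClaimTypes.NameIdentifier, "email" -> ClaimTypes.Email).
    private static IEnumerable<Claim> Find(ClaimsPrincipal p, params string[] types) =>
        types.SelectMany(t => p.FindAll(t));

    // Returns false when the external identity is not usable as a gateway user:
    // no subject, or no single unambiguous email (Azure AD B2C's non-standard
    // "emails" claim is a collection and may carry several values).
    public static bool TryNormalize(ClaimsPrincipal external, string issuer, out ClaimsIdentity identity)
    {
        identity = null;

        var sub = Find(external, "sub", ClaimTypes.NameIdentifier).FirstOrDefault()?.Value;
        if (string.IsNullOrEmpty(sub)) return false;

        // Standard "email" first; fall back to B2C's "emails" only if it is absent.
        var emails = Find(external, "email", ClaimTypes.Email).Select(c => c.Value).ToList();
        if (emails.Count == 0)
            emails = external.FindAll("emails").Select(c => c.Value).ToList();
        emails = emails.Where(e => !string.IsNullOrWhiteSpace(e))
                       .Distinct(StringComparer.OrdinalIgnoreCase)
                       .ToList();
        if (emails.Count != 1) return false; // none or several: ambiguous, reject

        var given  = Find(external, "given_name", ClaimTypes.GivenName).FirstOrDefault()?.Value;
        var family = Find(external, "family_name", ClaimTypes.Surname).FirstOrDefault()?.Value;

        var claims = new List<Claim>
        {
            new Claim("sub", sub),
            new Claim("email", emails[0]),
            // Example design choice: keep the issuer next to sub, since sub is
            // only guaranteed unique per issuer.
            new Claim("idp", issuer),
        };
        // Azure AD omitted given_name/family_name in the poster's tests. We do not
        // try to split "name" into parts; the claims are simply left absent.
        if (!string.IsNullOrEmpty(given))  claims.Add(new Claim("given_name", given));
        if (!string.IsNullOrEmpty(family)) claims.Add(new Claim("family_name", family));

        identity = new ClaimsIdentity(claims, "external", "sub", "role");
        return true;
    }
}

// Wiring for the OpenID Connect handler registered for each upstream provider.
public static class OpenIdConnectNormalization
{
    public static void Apply(OpenIdConnectOptions options)
    {
        options.Scope.Clear();
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("email");

        options.Events.OnTokenValidated = ctx =>
        {
            if (ClaimNormalizer.TryNormalize(ctx.Principal, ctx.SecurityToken.Issuer, out var normalized))
            {
                ctx.Principal = new ClaimsPrincipal(normalized);
            }
            else
            {
                // Fail the remote sign-in instead of admitting an incomplete identity.
                ctx.Fail("Upstream provider did not supply a usable sub and exactly one email.");
            }
            return Task.CompletedTask;
        };
    }
}
```

Register it per provider with `services.AddAuthentication().AddOpenIdConnect(scheme, options => { /* authority, client id, etc. */ OpenIdConnectNormalization.Apply(options); })`. The lookup under both the raw claim name and the `ClaimTypes` name is needed because, in ASP.NET Core 2.2, `JwtSecurityTokenHandler` renames `sub`, `email`, `given_name` and `family_name` on the way in unless its default inbound claim type map has been cleared.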