ClaimsPrincipal obtained through ISecurityTokenValidator.ValidateToken is changing name of SCP claim

0
votes

I'm currently working with Azure Active Directory access tokens and .NET Core 3.1. The access tokens I request produce the following claim:

{
...
"scp": "MyScope.Create MyScope.Search"
...
}

However, after running the verification of the access token, the name of the claim "scp" changes to "http://schemas.microsoft.com/identity/claims/scope"

SecurityToken securityToken;
ClaimsPrincipal claimsPrincipal = tokenValidator.ValidateToken(accessToken, myValidationParameters, out securityToken);
return claimsPrincipal;

Also, as you can see in the image, not all claims are changed, some stay as they were created like aud or iss, but scp changes to "http://schemas.microsoft..." (like if this was a v1 token, but it is v2)

Is this something expected, or is there something I should be configuring so the claims stay as the should be.

claims after validation

Thanks!

2
c#access-tokenmsal.net-core-3.1

2 Answers

2
votes

There is also this option to set in the ConfigureServices() on Startup.cs:

JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

This flag prevents the mapping, so your claim names won't change.

1
votes

this is expected behavior, there is something called InboundClaimTypeMap which somewhere along the way gets called to transform them into long format to work with some other things like wsfed. There is a way to work around it

as per this thread: https://github.com/dotnet/aspnetcore/issues/4660 at the very bottom, he mentions you can put this in your startup to prevent the remapping to legacy claims

JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
JwtSecurityTokenHandler.DefaultOutboundClaimTypeMap.Clear();

Hope that clears it up for you,