Missing claims in ASP.NET Core 2.0 OpenID Connect

We have been migrating couple of projects to ASP.NET Core 2.0 recently. Amongst the major changes in ASP.NET Core 2.0, probably the biggest change has been done in the Authentication. I have written an article about cookie size in ASP.NET Core which explains the basic issue with too many claims in the identity. ASP.NET Core 2.0 OIDC addresses this by removing some of the token values from the identity on the background.

Honestly, I wouldn’t have noticed this issue unless the project used reauthentication with Azure AD. After migrating to ASP.NET Core 2.0, the reauthentication basically stopped working and was constantly prompting for authentication again, again and again in a loop. After a while of debugging I noticed that the auth_time property is missing from the claims!

After looking through the JWT token’s claims, I was sure that the issue was in the middleware itself. Going through the source code on GitHub, I found that some of the claims are being automatically removed including auth_time. You can see the code here.

So the solution? Quite simple, in the OIDC configuration, just specify which claims you want to keep or additional claims to remove, like so:

By using this method, you can include other token values which would have been otherwise omitted by the default configuration. Those include:

  • nonce
  • aud
  • azp
  • acr
  • amr
  • iss
  • iat
  • nbf
  • exp
  • at_hash
  • c_hash
  • auth_time
  • ipaddr
  • platf
  • ver

Author: Jan Hajek

I am Honza, hi.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.