Skip to content

Commit 0f94243

Browse files
ksroda-saclaude
andcommitted
fix(dotnet/login-auth-code): disable inbound claim remapping so given_name etc. work
Microsoft's OIDC middleware remaps inbound claims to long xmlsoap URIs by default (given_name -> http://schemas.xmlsoap.org/.../givenname), so user.FindFirst("given_name") in Program.cs returned null and the page rendered "Welcome, there" against real tenants. Setting MapInboundClaims = false keeps OIDC claim names as-is, so FindFirst("given_name"/"family_name"/"email") lines up with both the ID token payload and the claims our test fixture injects. Tests still pass (4/4) because they already use the short claim names. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent d2a43c1 commit 0f94243

2 files changed

Lines changed: 7 additions & 3 deletions

File tree

samples/dotnet/login-auth-code/src/Program.cs

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,10 @@
2828
options.UsePkce = true;
2929
options.SaveTokens = true;
3030
options.GetClaimsFromUserInfoEndpoint = true;
31+
// Keep OIDC claim names (given_name, family_name, email) as-is — the
32+
// default middleware remaps them to long xmlsoap URIs, which makes
33+
// FindFirst("given_name") return null in user code.
34+
options.MapInboundClaims = false;
3135
options.CallbackPath = "/callback";
3236
options.Scope.Clear();
3337
foreach (var scope in (Environment.GetEnvironmentVariable("SCOPES") ?? "").Split(' '))

snippets.json

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -253,18 +253,18 @@
253253
{
254254
"step": 2,
255255
"description": "Configure cookie auth + OpenID Connect against your SecureAuth workspace",
256-
"code": "builder.Services.AddAuthentication(options =>\n {\n options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;\n options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;\n })\n .AddCookie()\n .AddOpenIdConnect(options =>\n {\n options.Authority = \"{{ISSUER_URL}}\";\n options.ClientId = \"{{CLIENT_ID}}\";\n options.ClientSecret = \"{{CLIENT_SECRET}}\";\n options.ResponseType = \"code\";\n options.UsePkce = true;\n options.SaveTokens = true;\n options.GetClaimsFromUserInfoEndpoint = true;\n options.CallbackPath = \"/callback\";\n options.Scope.Clear();\n foreach (var scope in (\"{{SCOPES}}\" ?? \"\").Split(' '))\n options.Scope.Add(scope);\n });\n\nbuilder.Services.AddAuthorization();",
256+
"code": "builder.Services.AddAuthentication(options =>\n {\n options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;\n options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;\n })\n .AddCookie()\n .AddOpenIdConnect(options =>\n {\n options.Authority = \"{{ISSUER_URL}}\";\n options.ClientId = \"{{CLIENT_ID}}\";\n options.ClientSecret = \"{{CLIENT_SECRET}}\";\n options.ResponseType = \"code\";\n options.UsePkce = true;\n options.SaveTokens = true;\n options.GetClaimsFromUserInfoEndpoint = true;\n // Keep OIDC claim names (given_name, family_name, email) as-is — the\n // default middleware remaps them to long xmlsoap URIs, which makes\n // FindFirst(\"given_name\") return null in user code.\n options.MapInboundClaims = false;\n options.CallbackPath = \"/callback\";\n options.Scope.Clear();\n foreach (var scope in (\"{{SCOPES}}\" ?? \"\").Split(' '))\n options.Scope.Add(scope);\n });\n\nbuilder.Services.AddAuthorization();",
257257
"file": "src/Program.cs",
258258
"lang": "csharp",
259-
"lines": "14-37"
259+
"lines": "14-41"
260260
},
261261
{
262262
"step": 3,
263263
"description": "Wire routes for sign-in redirect, user display, and sign-out",
264264
"code": "app.MapGet(\"/\", (HttpContext ctx) =>\n ctx.User.Identity?.IsAuthenticated == true\n ? Results.Content(Views.RenderSignedInPage(ctx.User), \"text/html\")\n : Results.Content(Views.RenderSignedOutPage(), \"text/html\"));\n\napp.MapGet(\"/login\", () => Results.Challenge(\n new AuthenticationProperties { RedirectUri = \"/\" },\n [OpenIdConnectDefaults.AuthenticationScheme]));\n\napp.MapGet(\"/logout\", () => Results.SignOut(\n new AuthenticationProperties { RedirectUri = \"/\" },\n [CookieAuthenticationDefaults.AuthenticationScheme, OpenIdConnectDefaults.AuthenticationScheme]));",
265265
"file": "src/Program.cs",
266266
"lang": "csharp",
267-
"lines": "44-57"
267+
"lines": "48-61"
268268
}
269269
],
270270
"framework": "dotnet",

0 commit comments

Comments
 (0)