  • Tony Cheetham (24 posts, 134 karma points) - Nov 13, 2015 @ 15:16

    Error with OpenID-Connect claim mapping

    When mapping an OpenID Connect server to the new Umbraco ASP.NET Identity setup in the backoffice, there is an issue with auto-linking and claim mapping. The default claim type for Name in Umbraco (and most OAuth situations) is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", but for OpenID Connect the claim type by default is just "name".

    This is not necessarily a bug with Umbraco; ASP.NET Identity is providing the mappings, but some means should be provided to allow names to be dynamically passed in, as there is no set naming standard for this field.

    When left unaltered, this causes Umbraco to error when a null value is encountered.

    Value cannot be null.
    Parameter name: value
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
    
    Exception Details: System.ArgumentNullException: Value cannot be null.
    Parameter name: value
    
    Source Error:
    
    
    Line 200:
    Line 201:            if (HasClaim(x => x.Type == ClaimTypes.GivenName) == false)
    Line 202:                AddClaim(new Claim(ClaimTypes.GivenName, UserData.RealName, ClaimValueTypes.String, Issuer, Issuer, this));
    Line 203:
    Line 204:            if (HasClaim(x => x.Type == Constants.Security.StartContentNodeIdClaimType) == false)
    

    This is an example of a debug session where the "name" claim is passed back to ASP.NET Identity.

    Name    null    string
    NameClaimType   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"    string
    

    And this is the actual claim passed from an OpenID Connect server:

    {name: Bob2Smith2}  System.Security.Claims.Claim
    
  • Tony Cheetham (24 posts, 134 karma points) - Nov 13, 2015 @ 15:56

    Just in case anyone else wanders across this, it is possible to re-map the claims; it's just well buried (and I gave up looking too quickly). In your OpenIdConnectAuthenticationOptions, add in this code as a new option:

                    Notifications = new OpenIdConnectAuthenticationNotifications
                    {
                        SecurityTokenValidated = (context) =>
                        {
                            ClaimsIdentity claimsId = context.AuthenticationTicket.Identity;

                            // OpenID Connect sends the display name as "name"; Umbraco / ASP.NET Identity
                            // look for ClaimTypes.Name ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name").
                            // Guard against a token without a "name" claim so this does not throw.
                            Claim nameClaim = claimsId.FindFirst("name");
                            if (nameClaim != null && !claimsId.HasClaim(c => c.Type == ClaimTypes.Name))
                            {
                                claimsId.AddClaim(new Claim(ClaimTypes.Name, nameClaim.Value));
                            }

                            return Task.FromResult(0);
                        }
                    }
  • Tony Cheetham (24 posts, 134 karma points) - Nov 13, 2015 @ 16:30

    Actually, this needs elevating... If the name does not match and the code errors, the external provider is not cleared down. When the user tries to log in again, the user is automatically mapped to the first user in the database, usually an admin!!

    I'm new to the Umbraco community (long-time user, short-term poster), so not sure how to raise this as a security issue? Plz halp.
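    The following is an added example, not code from the thread or from Umbraco itself, showing one way to wire the claim re-mapping from the second post together with a guard for the failure mode described in the third: if the provider sends no usable name claim at all, the sign-in is refused inside the OWIN middleware rather than letting a half-populated identity reach Umbraco's auto-linking and throw. It uses the Katana Microsoft.Owin.Security.OpenIdConnect notifications and the Umbraco 7.3 backoffice extension calls (ForUmbracoBackOffice, SetExternalSignInAutoLinkOptions, Constants.Security.BackOfficeExternalAuthenticationType); the namespaces for those, the issuer/client/redirect URLs, the login-page redirect path and the claim names beyond "name" are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
using Umbraco.Core;                   // Constants.Security.BackOfficeExternalAuthenticationType
using Umbraco.Core.Security;          // assumed: ExternalSignInAutoLinkOptions (Umbraco 7.3)
using Umbraco.Web.Security.Identity;  // assumed: ForUmbracoBackOffice / SetExternalSignInAutoLinkOptions

namespace Example.BackOffice
{
    public static class OidcBackOfficeAuth
    {
        // Short OIDC claim names (assumed provider output) -> WS-* claim types Umbraco looks for.
        private static readonly Dictionary<string, string> ClaimMap = new Dictionary<string, string>
        {
            { "name",        ClaimTypes.Name },       // http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            { "given_name",  ClaimTypes.GivenName },
            { "family_name", ClaimTypes.Surname },
            { "email",       ClaimTypes.Email },
        };

        // Copies each OIDC claim to its WS-* equivalent unless the identity already has one.
        // Returns false when no name claim could be produced, so the caller can refuse the sign-in
        // instead of letting Umbraco hit ArgumentNullException on a null RealName later.
        public static bool MapOidcClaims(ClaimsIdentity identity, string issuer)
        {
            foreach (var pair in ClaimMap)
            {
                if (identity.HasClaim(c => c.Type == pair.Value))
                    continue;

                var source = identity.FindFirst(pair.Key);
                if (source != null && !string.IsNullOrWhiteSpace(source.Value))
                    identity.AddClaim(new Claim(pair.Value, source.Value, ClaimValueTypes.String, issuer));
            }

            return identity.HasClaim(c => c.Type == ClaimTypes.Name);
        }

        public static void ConfigureOidcBackOffice(IAppBuilder app)
        {
            var options = new OpenIdConnectAuthenticationOptions
            {
                SignInAsAuthenticationType = Constants.Security.BackOfficeExternalAuthenticationType,
                ClientId = "umbraco-backoffice",                        // assumed client id
                Authority = "https://login.example.test/",              // assumed issuer
                RedirectUri = "https://cms.example.test/umbraco",       // assumed redirect URI
                ResponseType = "id_token",
                Scope = "openid profile email",
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    SecurityTokenValidated = n =>
                    {
                        var identity = n.AuthenticationTicket.Identity;

                        if (!MapOidcClaims(identity, n.Options.Authority))
                        {
                            // No name claim: stop the sign-in here rather than handing an identity
                            // without a name to Umbraco's auto-linking.
                            n.HandleResponse();
                            n.Response.Redirect("/umbraco/#/login?error=missing_name_claim"); // assumed path
                        }

                        return Task.FromResult(0);
                    },
                    AuthenticationFailed = n =>
                    {
                        // Middleware-level failures (bad token, nonce mismatch, ...) go back to the
                        // login page instead of surfacing as an unhandled exception.
                        n.HandleResponse();
                        n.Response.Redirect("/umbraco/#/login?error=" +
                                            Uri.EscapeDataString(n.Exception.GetType().Name));
                        return Task.FromResult(0);
                    }
                }
            };

            options.ForUmbracoBackOffice("btn-openid", "fa-lock");   // assumed button style / icon
            options.SetExternalSignInAutoLinkOptions(new ExternalSignInAutoLinkOptions(autoLinkExternalAccount: true));
            app.UseOpenIdConnectAuthentication(options);
        }
    }
}
```

    Call ConfigureOidcBackOffice from your OWIN startup after the Umbraco backoffice cookie and external-cookie middleware are registered. The important property is that MapOidcClaims is the only place the "name" to ClaimTypes.Name translation happens and that a missing name short-circuits in SecurityTokenValidated; exceptions thrown later inside Umbraco's own claim building are outside the middleware's AuthenticationFailed path, so the guard has to run before the identity leaves the notification.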
