Turned off Inbound Claim mapping

src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ClaimsPrincipalExtensions.cs

@@ -20,8 +20,7 @@ public static class ClaimsPrincipalExtensions
     private const char IdDelimiter = ':';
     private const string IdPrefix = "0192";
     private const string AltinnClaimPrefix = "urn:altinn:";
-    private const string IdportenAuthLevelClaim = "acr"; // acr
-    private const string IdportenAuthLevelClaimUrl = "http://schemas.microsoft.com/claims/authnclassreference"; // acr
+    private const string IdportenAuthLevelClaim = "acr";
     private const string AuthorizationDetailsClaim = "authorization_details";
     private const string AuthorizationDetailsType = "urn:altinn:systemuser";
     private const string AltinnAuthLevelClaim = "urn:altinn:authlevel";
@@ -189,9 +188,7 @@ public static bool TryGetAuthenticationLevel(this ClaimsPrincipal claimsPrincipa
             return true;
         }
 
-        // Something is converting "acr" to "http://schemas.microsoft.com/claims/authnclassreference"
-        // https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/Configuration/Hosting/ClaimMap.cs also maps "acr" to "http://schemas.microsoft.com/claims/authnclassreference"
-        if (claimsPrincipal.TryGetClaimValue(IdportenAuthLevelClaimUrl, out claimValue) || claimsPrincipal.TryGetClaimValue(IdportenAuthLevelClaim, out claimValue))
+        if (claimsPrincipal.TryGetClaimValue(IdportenAuthLevelClaim, out claimValue))
         {
             // The acr claim value is either "idporten-loa-substantial" (previously "Level3") or "idporten-loa-high" (previously "Level4")
             // https://docs.digdir.no/docs/idporten/oidc/oidc_protocol_new_idporten#new-acr-values

src/Digdir.Domain.Dialogporten.GraphQL/Common/Authentication/AuthenticationBuilderExtensions.cs

@@ -1,6 +1,7 @@
 using Microsoft.IdentityModel.Tokens;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using System.Diagnostics;
+using System.IdentityModel.Tokens.Jwt;
 
 namespace Digdir.Domain.Dialogporten.GraphQL.Common.Authentication;
 
@@ -10,6 +11,7 @@ public static IServiceCollection AddDialogportenAuthentication(
         this IServiceCollection services,
         IConfiguration configuration)
     {
+        // JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
         var jwtTokenSchemas = configuration
             .GetSection(GraphQlSettings.SectionName)
             .Get<GraphQlSettings>()?
@@ -22,6 +24,10 @@ public static IServiceCollection AddDialogportenAuthentication(
 
         services.AddSingleton<ITokenIssuerCache, TokenIssuerCache>();
 
+        // Turn off mapping InboundClaims names to its longer version
+        // "acr" => "http://schemas.microsoft.com/claims/authnclassreference"
+        JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
+
         var authenticationBuilder = services.AddAuthentication();
 
         foreach (var schema in jwtTokenSchemas)

src/Digdir.Domain.Dialogporten.WebApi/Common/Authentication/AuthenticationBuilderExtensions.cs

@@ -1,6 +1,7 @@
 using Microsoft.IdentityModel.Tokens;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using System.Diagnostics;
+using System.IdentityModel.Tokens.Jwt;
 
 namespace Digdir.Domain.Dialogporten.WebApi.Common.Authentication;
 
@@ -24,6 +25,10 @@ public static IServiceCollection AddDialogportenAuthentication(
 
         services.AddSingleton<ITokenIssuerCache, TokenIssuerCache>();
 
+        // Turn off mapping InboundClaims names to its longer version
+        // "acr" => "http://schemas.microsoft.com/claims/authnclassreference"
+        JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
+
         var authenticationBuilder = services.AddAuthentication();
 
         foreach (var schema in jwtTokenSchemas)