From e671c3e92b177cffe1c5a51dcaa0524103f15a15 Mon Sep 17 00:00:00 2001
From: Amund Myrbostad
Date: Tue, 7 Jan 2025 10:37:47 +0100
Subject: [PATCH 1/5] ClaimsPrincipal ACR is of type "http://schemas.microsoft.com/claims/authnclassreference"

---
 .../Common/Extensions/ClaimsPrincipalExtensions.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ClaimsPrincipalExtensions.cs b/src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ClaimsPrincipalExtensions.cs
index 0ebda5a25..13c7adcc3 100644
--- a/src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ClaimsPrincipalExtensions.cs
+++ b/src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ClaimsPrincipalExtensions.cs
@@ -20,7 +20,7 @@ public static class ClaimsPrincipalExtensions
 private const char IdDelimiter = ':';
 private const string IdPrefix = "0192";
 private const string AltinnClaimPrefix = "urn:altinn:";
- private const string IdportenAuthLevelClaim = "acr";
+ private const string IdportenAuthLevelClaim = "http://schemas.microsoft.com/claims/authnclassreference";
 private const string AuthorizationDetailsClaim = "authorization_details";
 private const string AuthorizationDetailsType = "urn:altinn:systemuser";
 private const string AltinnAuthLevelClaim = "urn:altinn:authlevel";

From 04584a52a22e4f76a6d7c39c9eadc39c2a457b75 Mon Sep 17 00:00:00 2001
From: Amund Myrbostad
Date: Tue, 7 Jan 2025 11:48:53 +0100
Subject: [PATCH 2/5] Updated tests

---
 .../V1/Common/Extensions/ClaimsPrincipalExtensionsTests.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/Digdir.Domain.Dialogporten.Application.Unit.Tests/Features/V1/Common/Extensions/ClaimsPrincipalExtensionsTests.cs b/tests/Digdir.Domain.Dialogporten.Application.Unit.Tests/Features/V1/Common/Extensions/ClaimsPrincipalExtensionsTests.cs
index 938d1c6d6..86a1276b2 100644
--- a/tests/Digdir.Domain.Dialogporten.Application.Unit.Tests/Features/V1/Common/Extensions/ClaimsPrincipalExtensionsTests.cs
+++ b/tests/Digdir.Domain.Dialogporten.Application.Unit.Tests/Features/V1/Common/Extensions/ClaimsPrincipalExtensionsTests.cs
@@ -10,7 +10,7 @@ public void TryGetAuthenticationLevel_Should_Parse_Idporten_Acr_Claim_For_Level3
 {
 // Arrange
 var claimsPrincipal = new ClaimsPrincipal(new ClaimsIdentity([
- new Claim("acr", "idporten-loa-substantial")
+ new Claim("http://schemas.microsoft.com/claims/authnclassreference", "idporten-loa-substantial") // acr
 ]));

 // Act
@@ -26,7 +26,7 @@ public void TryGetAuthenticationLevel_Should_Parse_Idporten_Acr_Claim_For_Level4
 {
 // Arrange
 var claimsPrincipal = new ClaimsPrincipal(new ClaimsIdentity([
- new Claim("acr", "idporten-loa-high")
+ new Claim("http://schemas.microsoft.com/claims/authnclassreference", "idporten-loa-high") // acr
 ]));

 // Act

From 8588ab509a89a4d4ca8517a6792eeb8e9b7189b4 Mon Sep 17 00:00:00 2001
From: Amund Myrbostad
Date: Wed, 8 Jan 2025 11:05:02 +0100
Subject: [PATCH 3/5] Now checks for "acr" and "http://schemas.microsoft.com/claims/authnclassreference"

---
 .../Common/Extensions/ClaimsPrincipalExtensions.cs | 7 +++++--
 .../V1/Common/Extensions/ClaimsPrincipalExtensionsTests.cs | 4 ++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ClaimsPrincipalExtensions.cs b/src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ClaimsPrincipalExtensions.cs
index 13c7adcc3..f7b0baa86 100644
--- a/src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ClaimsPrincipalExtensions.cs
+++ b/src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ClaimsPrincipalExtensions.cs
@@ -20,7 +20,8 @@ public static class ClaimsPrincipalExtensions
 private const char IdDelimiter = ':';
 private const string IdPrefix = "0192";
 private const string AltinnClaimPrefix = "urn:altinn:";
- private const string IdportenAuthLevelClaim = "http://schemas.microsoft.com/claims/authnclassreference";
+ private const string IdportenAuthLevelClaim = "acr"; // acr
+ private const string IdportenAuthLevelClaimUrl = "http://schemas.microsoft.com/claims/authnclassreference"; // acr
 private const string AuthorizationDetailsClaim = "authorization_details";
 private const string AuthorizationDetailsType = "urn:altinn:systemuser";
 private const string AltinnAuthLevelClaim = "urn:altinn:authlevel";
@@ -188,7 +189,9 @@ public static bool TryGetAuthenticationLevel(this ClaimsPrincipal claimsPrincipa
 return true;
 }

- if (claimsPrincipal.TryGetClaimValue(IdportenAuthLevelClaim, out claimValue))
+ // Something is converting "acr" to "http://schemas.microsoft.com/claims/authnclassreference"
+ // https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/Configuration/Hosting/ClaimMap.cs also maps "acr" to "http://schemas.microsoft.com/claims/authnclassreference"
+ if (claimsPrincipal.TryGetClaimValue(IdportenAuthLevelClaimUrl, out claimValue) || claimsPrincipal.TryGetClaimValue(IdportenAuthLevelClaim, out claimValue))
 {
 // The acr claim value is either "idporten-loa-substantial" (previously "Level3") or "idporten-loa-high" (previously "Level4")
 // https://docs.digdir.no/docs/idporten/oidc/oidc_protocol_new_idporten#new-acr-values
diff --git a/tests/Digdir.Domain.Dialogporten.Application.Unit.Tests/Features/V1/Common/Extensions/ClaimsPrincipalExtensionsTests.cs b/tests/Digdir.Domain.Dialogporten.Application.Unit.Tests/Features/V1/Common/Extensions/ClaimsPrincipalExtensionsTests.cs
index 86a1276b2..938d1c6d6 100644
--- a/tests/Digdir.Domain.Dialogporten.Application.Unit.Tests/Features/V1/Common/Extensions/ClaimsPrincipalExtensionsTests.cs
+++ b/tests/Digdir.Domain.Dialogporten.Application.Unit.Tests/Features/V1/Common/Extensions/ClaimsPrincipalExtensionsTests.cs
@@ -10,7 +10,7 @@ public void TryGetAuthenticationLevel_Should_Parse_Idporten_Acr_Claim_For_Level3
 {
 // Arrange
 var claimsPrincipal = new ClaimsPrincipal(new ClaimsIdentity([
- new Claim("http://schemas.microsoft.com/claims/authnclassreference", "idporten-loa-substantial") // acr
+ new Claim("acr", "idporten-loa-substantial")
 ]));

 // Act
@@ -26,7 +26,7 @@ public void TryGetAuthenticationLevel_Should_Parse_Idporten_Acr_Claim_For_Level4
 {
 // Arrange
 var claimsPrincipal = new ClaimsPrincipal(new ClaimsIdentity([
- new Claim("http://schemas.microsoft.com/claims/authnclassreference", "idporten-loa-high") // acr
+ new Claim("acr", "idporten-loa-high")
 ]));

 // Act

From 37589cc484ddd1430ec694d27f0e023e827ba296 Mon Sep 17 00:00:00 2001
From: Amund Myrbostad
Date: Thu, 9 Jan 2025 10:26:44 +0100
Subject: [PATCH 4/5] Turned off Inbound Claim mapping

---
 .../Common/Extensions/ClaimsPrincipalExtensions.cs | 7 ++-----
 .../Authentication/AuthenticationBuilderExtensions.cs | 6 ++++++
 .../Authentication/AuthenticationBuilderExtensions.cs | 5 +++++
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ClaimsPrincipalExtensions.cs b/src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ClaimsPrincipalExtensions.cs
index f7b0baa86..0ebda5a25 100644
--- a/src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ClaimsPrincipalExtensions.cs
+++ b/src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ClaimsPrincipalExtensions.cs
@@ -20,8 +20,7 @@ public static class ClaimsPrincipalExtensions
 private const char IdDelimiter = ':';
 private const string IdPrefix = "0192";
 private const string AltinnClaimPrefix = "urn:altinn:";
- private const string IdportenAuthLevelClaim = "acr"; // acr
- private const string IdportenAuthLevelClaimUrl = "http://schemas.microsoft.com/claims/authnclassreference"; // acr
+ private const string IdportenAuthLevelClaim = "acr";
 private const string AuthorizationDetailsClaim = "authorization_details";
 private const string AuthorizationDetailsType = "urn:altinn:systemuser";
 private const string AltinnAuthLevelClaim = "urn:altinn:authlevel";
@@ -189,9 +188,7 @@ public static bool TryGetAuthenticationLevel(this ClaimsPrincipal claimsPrincipa
 return true;
 }

- // Something is converting "acr" to "http://schemas.microsoft.com/claims/authnclassreference"
- // https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/Configuration/Hosting/ClaimMap.cs also maps "acr" to "http://schemas.microsoft.com/claims/authnclassreference"
- if (claimsPrincipal.TryGetClaimValue(IdportenAuthLevelClaimUrl, out claimValue) || claimsPrincipal.TryGetClaimValue(IdportenAuthLevelClaim, out claimValue))
+ if (claimsPrincipal.TryGetClaimValue(IdportenAuthLevelClaim, out claimValue))
 {
 // The acr claim value is either "idporten-loa-substantial" (previously "Level3") or "idporten-loa-high" (previously "Level4")
 // https://docs.digdir.no/docs/idporten/oidc/oidc_protocol_new_idporten#new-acr-values
diff --git a/src/Digdir.Domain.Dialogporten.GraphQL/Common/Authentication/AuthenticationBuilderExtensions.cs b/src/Digdir.Domain.Dialogporten.GraphQL/Common/Authentication/AuthenticationBuilderExtensions.cs
index f5a8a32e3..f2fc05e00 100644
--- a/src/Digdir.Domain.Dialogporten.GraphQL/Common/Authentication/AuthenticationBuilderExtensions.cs
+++ b/src/Digdir.Domain.Dialogporten.GraphQL/Common/Authentication/AuthenticationBuilderExtensions.cs
@@ -1,6 +1,7 @@
 using Microsoft.IdentityModel.Tokens;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using System.Diagnostics;
+using System.IdentityModel.Tokens.Jwt;

 namespace Digdir.Domain.Dialogporten.GraphQL.Common.Authentication;

@@ -10,6 +11,7 @@ public static IServiceCollection AddDialogportenAuthentication(
 this IServiceCollection services,
 IConfiguration configuration)
 {
+ // JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
 var jwtTokenSchemas = configuration
 .GetSection(GraphQlSettings.SectionName)
 .Get()?
@@ -22,6 +24,10 @@ public static IServiceCollection AddDialogportenAuthentication(
 services.AddSingleton();
+ // Turn off mapping InboundClaims names to its longer version
+ // "acr" => "http://schemas.microsoft.com/claims/authnclassreference"
+ JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
+
 var authenticationBuilder = services.AddAuthentication();

 foreach (var schema in jwtTokenSchemas)
diff --git a/src/Digdir.Domain.Dialogporten.WebApi/Common/Authentication/AuthenticationBuilderExtensions.cs b/src/Digdir.Domain.Dialogporten.WebApi/Common/Authentication/AuthenticationBuilderExtensions.cs
index 52e17c184..e0d8a3981 100644
--- a/src/Digdir.Domain.Dialogporten.WebApi/Common/Authentication/AuthenticationBuilderExtensions.cs
+++ b/src/Digdir.Domain.Dialogporten.WebApi/Common/Authentication/AuthenticationBuilderExtensions.cs
@@ -1,6 +1,7 @@
 using Microsoft.IdentityModel.Tokens;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using System.Diagnostics;
+using System.IdentityModel.Tokens.Jwt;

 namespace Digdir.Domain.Dialogporten.WebApi.Common.Authentication;

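Review bot: `JwtSecurityTokenHandler.DefaultMapInboundClaims = false;` in the `@@ -22,6 +24,10 @@` hunk is a process-wide static, not a per-scheme option, so it disables the whole inbound claim-type map (`sub`, `name`, `email` and the rest of `JwtSecurityTokenHandler.DefaultInboundClaimTypeMap`) rather than only `acr`, and any code in either host that reads the mapped `ClaimTypes.*` names will silently stop matching; the comment above it should say so, e.g. `// Process-wide: disables the whole inbound claim-type map (sub, name, email ... as well as acr); every claim lookup must use the short JWT names.` It also only affects handlers and JwtBearerOptions created after this line runs, which presumably holds here because options are built lazily, but that dependency on registration order is invisible to the next reader. If the target is .NET 8 or later, setting `options.MapInboundClaims = false;` inside the per-scheme AddJwtBearer registration (presumably in the loop below, outside the hunk) is explicit and order-independent. The WebApi hunk on the next line sets the same static; whichever form is kept, the two projects should match. AddDialogportenAuthentication continues past the hunk.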
@@ -24,6 +25,10 @@ public static IServiceCollection AddDialogportenAuthentication(
 services.AddSingleton();
+ // Turn off mapping InboundClaims names to its longer version
+ // "acr" => "http://schemas.microsoft.com/claims/authnclassreference"
+ JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
+
 var authenticationBuilder = services.AddAuthentication();

 foreach (var schema in jwtTokenSchemas)

From cce2e49accf28c04c58ee267567ed7cbab0e6441 Mon Sep 17 00:00:00 2001
From: Amund Myrbostad
Date: Thu, 9 Jan 2025 10:31:55 +0100
Subject: [PATCH 5/5] Clean up

---
 .../Common/Authentication/AuthenticationBuilderExtensions.cs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/Digdir.Domain.Dialogporten.GraphQL/Common/Authentication/AuthenticationBuilderExtensions.cs b/src/Digdir.Domain.Dialogporten.GraphQL/Common/Authentication/AuthenticationBuilderExtensions.cs
index f2fc05e00..660c27cf8 100644
--- a/src/Digdir.Domain.Dialogporten.GraphQL/Common/Authentication/AuthenticationBuilderExtensions.cs
+++ b/src/Digdir.Domain.Dialogporten.GraphQL/Common/Authentication/AuthenticationBuilderExtensions.cs
@@ -11,7 +11,6 @@ public static IServiceCollection AddDialogportenAuthentication(
 this IServiceCollection services,
 IConfiguration configuration)
 {
- // JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
 var jwtTokenSchemas = configuration
 .GetSection(GraphQlSettings.SectionName)
 .Get()?