Duplicate claims (type + value) emitted if different issuer

[JscNZ]

IdentityServer version

7.1.0

.NET version

.net 9

Description

When updating to 7.1.0 from 7.0.8 we started getting duplicate claims emitted in tokens. See DuendeSoftware/products#1546 (comment) for more information. The issuer used to not be taken into account when calling distinct on access token claims.

Reproduction steps

Add 2 duplicate claims to your authenticated principal that have distinct issuers. When The DefaultTokenService calls .Distinct() on the claims the different issuer means they are still emitted in the token.

Expected behavior

Either a minor breaking change or it's fixed to go back to existing behaviour

claims.Distinct(new ClaimComparer(new ClaimComparer.Options
            {
                IgnoreIssuer = true
            })).ToList();

Logs

No response

Additional context

No response

[RolandGuijt]

Are you using the server-side sessions feature?

[JscNZ]

No we are not - the same change to persist the Issuer for server side sessions applied to persisted grants during the authorization code process.

From what I can tell ultimately the AuthorizeEndpoint.ProcessAsync calls into DefaultGrantStore and under the hood it's calling the
Duende.IdentityServer.Stores.Serialization.ClaimConverter which uses the ClaimLite (https://github.com/DuendeSoftware/IdentityServer/blob/ffa4da997b44dcb32103bb26a919fb14cd1cf0f5/src/Storage/Stores/Serialization/ClaimConverter.cs#L25) for serializing the grant which is the object the Issuer was now added to. So the claims for the Subject now include the Issuer.

[RolandGuijt]

Your analysis is correct. Formerly it was a shortcoming in our code to not include the issuer and that was fixed.
Can you help us understand why this is an issue for you: why are you using multiple issuers? Is that a deliberate choice?

[JscNZ]

It was only an issue in that it identified an existing bug in our code where we were adding duplicate claims (and they had independent issuers inadvertently) which started showing up in our tokens after upgrading. If the DuendeSoftware/products#1546 issue / change log had indicated it was affecting more than just server side sessions I wouldn't have glanced over it and probably realised why the behaviour changed!

We've resolved the bug on our side so it's not a problem going forwards just a minor change (persisting the issuer in those persisted grants). If an indication of that change is backfilled into the existing 7.1.0 release notes I think that would be fine.

[josephdecock]

Thanks for bringing this up. I added a note to the release notes:

As part of this work, we made claim comparison take issuer into account more strictly. Some users have noticed duplicate claims in tokens because they had duplicate claims in their session with distinct issuers.

[JscNZ]

Thanks for bringing this up. I added a note to the release notes:

As part of this work, we made claim comparison take issuer into account more strictly. Some users have noticed duplicate claims in tokens because they had duplicate claims in their session with distinct issuers.

Thanks that looks great.