user-jwts does not support different Name and NameIdentifier claim

[HakamFostok]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

basically what I want is to set name and nameIdentifier to different values, this is what I am trying to accomplish.

I am using user-jwts and here is my command

dotnet user-jwts create --claim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier=hakan@example.com" --claim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=hakan"

I am not providing the --name, I know, but I tried that, and did not achieve what I wanted either.

what I am getting basically from the above command is duplicated claims, I am getting the name claim twice, and the name identifier twice,
The first pair of name and nameidentifier claims are set to the default windows user (this is expected by the documentation as I am not specifying anything to the --name option)
the second pair of name and nameidentifier claims are set to the second claim I specify in the above command hakan.

What I am trying to do is just set those 2 claims to different values (without duplicating them).
Is this a bug? or is this by design?

I tried to work around this by using IClaimsTransformation interface, but it only allow to add new claims not to modify or deleted the duplicated claims.

if this is confirmed a bug, maybe I can help with it

Thank you

Expected Behavior

name and nameidentifier claims should be allowed to set to different values

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

7.0.401

Anything else?

No response

[HakamFostok]

@captainsafia I hope you can help with this, as I can see from the repo, that you are the one with the most experience on the user-jwts tool

Thank you

[captainsafia]

@HakamFostok Thanks for reporting this issue!

I did a bit of debugging into this and I believe the issue might be in the Microsoft.IdentityModel.Tokens APIs. The JWT that is produced has the correct properties when I analyze it with a different parser but duplicate claims are produced when the we decode the JWT bearer token.

Try filing an issue over at https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet to see if they might be able to provide a clue there.

[HakamFostok]

Thank you @captainsafia
actually, you are right, I noticed the duplication when I used the token to make a request to the API.
I opened the bug in the repo you redirected to

thank you very much

[HakamFostok]

Hi @captainsafia
I'm really sorry for bothering you, but the bug I opened on the mentioned repo has been closed (without a lot of explanation at least in my opinion) they think the bug is not related to them, but I really did not understand how they came to that decision.
What are the possible next steps?

Thank you a lot

[captainsafia]

@HakamFostok Do you have a link to the issue that you opened? I can take a look and see.

[HakamFostok]

Sure @captainsafia here is the link AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2382

[captainsafia]

OK, what I think I understand from the issue is the fact that the schema-based claim ID maps to the well-defined names after the default set has been populated by the tokens API.

So, you get two values per claim: the one derived from the URL and one from the claim name.

What happens when you use the claim name directly from the user-jwts tool?

Hi @HakamFostok. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

[HakamFostok]

Hi @captainsafia

I tested that but it did not work

when I am using the following statement

dotnet user-jwts create --name hakan@example.com --claim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier=hakan"

I get the following claims

{http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: hakan@example.com}
{http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: hakan@example.com}
{http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: hakan}

as you can see, instead of overriding the nameidentifier claim it duplicating it, which cause my application problems to find the value of this claim.

I tried another way, to override the name claim instead of overriding the nameidentifier but I get the duplication in another way.

dotnet user-jwts create --name hakan@example.com --claim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=hakan"

I get the following claims

{http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: hakan@example.com}
{http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: hakan}
{http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: hakan@example.com}

now the name claim is duplicated.

Again my goal is to set the name and the nameidentifier to different values (whatever the way to achieve that) but without duplicating the claims, but it appears to me that there is no way to do that using the user-jwts tool.

The conclusion that I reached with all my testing is the following:
the using of the --name options will set the both claims of name AND nameidentifier and all the custom claims will be added above that.
If the --name options is not set, then the tool will again set both claims of name AND nameidentifier to the default windows user, and again all the custom claims will be added above that.

I do not want to have the same value for name AND nameidentifier claims, I want to have different values for them.

Thank you