IdentityServer4 - 'sub' claim is missing

Question

I've created a sample MVC application which uses identity server to do the authentication against Google. Authentication works ok but when the response comes back it is missing 'sub' claim and end up with the error that says 'sub claim is missing'.

I read few article which talks about claimmapping to map nameidentifier to sub. but have no idea on how to do that. There are someblog which says to inform google to issue the sub claim. but again not sure how to do that.

Looking forward for some help!

Answer 1

Maybe similar to what I was seeing yesterday. I found a workaround here

Basically some standard claims get mapped to MS proprietary keys by default. You can prevent that by doing : JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

Hope that helps!

Answer 2

Have a look at JwtSecurityTokenHandler.InboundClaimTypeMap. It lets you specify how claims from JWTs are mapped to claims in a ClaimsIdentity. Another option is to investigate the events exposed by the OIDC middleware, they may allow you to intercept and manipulate the claims coming back from Google.

Answer 3

Or more specifically you can also use the following

JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Remove("sub");

Answer 4

I also faced a similar issue while getting successfully authenticated from google i didn't received the sub calim. Below is how i solved it.

    AddGoogle("Google", o =>
    {

         o.ClaimActions.MapUniqueJsonKey("sub", "email");
         o.ClientId = "xxxxxx";
         o.ClientSecret = "zzzzzzzz";
         o.Scope.Clear();
         o.Scope.Add(OidcConstants.StandardScopes.OpenId);
         o.Scope.Add(OidcConstants.StandardScopes.Profile);
         o.Scope.Add(OidcConstants.StandardScopes.Email);
     });

Mapping the email claim for ex. to the sub calim of the ClaimsIdentity, does the trick for me.