leastprivilege.com

Improvements in Claim Mapping in the ASP.NET Core 2.1 OpenID Connect Handler

Here I described the various layers of claim mappings going on when doing OpenID Connect with ASP.NET Core.

Based on our feedback, the ASP.NET team added another mapping option to reduce the amount of “magic” going on, and thus makes it less confusing to get the expected claims in your client applications.

The new mapping is called MapAllExcept which does exactly what you think it does – it maps all the claims except the ones you don’t care about, e.g.:

options.ClaimActions.MapAllExcept("iss", "nbf", "exp", "aud", "nonce", "iat", "c_hash");

This strips the protocol claims that you are not interested in, and all other claims get mapped forward (sample here). You still have to opt out of the mapping to Microsoft's proprietary claim types – but well, we'll get there eventually…
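A complete client configuration that uses the new mapping together with the opt-out from the Microsoft inbound claim-type map, added here as an illustration (not code from the original post); the authority, client id and the claims-listing controller are placeholders:

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using Microsoft.AspNetCore.Authentication;            // ClaimActions.MapAllExcept extension
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Opt out of the proprietary map that renames e.g. "sub" to the long
        // ".../nameidentifier" URI; without this the claim types still get rewritten.
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

        services.AddAuthentication(o =>
        {
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(o =>
        {
            o.Authority = "https://idp.example.com";   // placeholder authority
            o.ClientId = "client-id-placeholder";      // placeholder client id
            o.ResponseType = "code id_token";
            o.Scope.Add("profile");

            // Use the short OIDC claim types for name and role checks.
            o.TokenValidationParameters.NameClaimType = "name";
            o.TokenValidationParameters.RoleClaimType = "role";

            // Forward every claim from the id_token/userinfo except the protocol ones.
            o.ClaimActions.MapAllExcept("iss", "nbf", "exp", "aud", "nonce", "iat", "c_hash");
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvcWithDefaultRoute();
    }
}

// Hypothetical endpoint to verify what actually ended up in the principal.
[Authorize]
public class ClaimsController : Controller
{
    public IActionResult Index() => Json(User.Claims.Select(c => new { c.Type, c.Value }));
}
```

Hitting the claims endpoint after sign-in should show only the short claim types (sub, name, role, …) and none of the listed protocol claims; any ".../nameidentifier"-style type means the proprietary map is still active.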