OpenIdConnect: setting the ClaimsIssuer property in configuration options has no effect

[amoszheng]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

When using the package Microsoft.AspNetCore.Authentication.OpenIdConnect in an ASP.NET Core application to add external login providers supporting OpenId Connect protocol, setting the ClaimsIssuer property in OpenIdConnectOptions has no effect; the principal claims still get generated with the issuer that comes from the external identity provider.

This behavior is in contrast with other social media login providers (Microsoft Account, Facebook, Google, etc.) where specifying this property in the configuration options would cause the principal claims to be issued with the specified claims issuer.

Is is possible to fix that so the ClaimsIssuer option in the OpenId Connect client works the same way it does in other social login provider packages? That way we can use it for any external identity provider that supports the OpenId Connect protocol but does not have a specific package built for it.

Expected Behavior

Once the ClaimsIssuer property of the OpenIdConnectOptions is set, the principal claims should be issued with the specified claims issuer.

Steps To Reproduce

1. Configure the OpenIdConnect client with any identity provider that supports OpenId Connect;
2. Set the ClaimsIssuer property to something different (e.g. "MyCustomIssuer") in .AddOpenIdConnect() configuration;
3. Verify that the actual issuer of the principal claims is unchanged.

Exceptions (if any)

No response

.NET Version

No response

Anything else?

No response

[adityamandaleeka]

Let's investigate and see whether this is an IdentityModel limitation or we just need to pass something through.

Thanks for contacting us.
We're moving this issue to the .NET 7 Planning milestone for future evaluation / consideration. Because it's not immediately obvious that this is a bug in our framework, we would like to keep this around to collect more feedback, which can later help us determine the impact of it. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

Thanks for contacting us.
We're moving this issue to the .NET 8 Planning milestone for future evaluation / consideration. Because it's not immediately obvious that this is a bug in our framework, we would like to keep this around to collect more feedback, which can later help us determine the impact of it. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

[Tratcher]

ClaimsIssuer is used by implementations that create Claims from sources that don't provide that information. E.g.

aspnetcore/src/Security/Authentication/Certificate/src/CertificateAuthenticationHandler.cs

Line 243 in f96dce6

claims.Add(new Claim("issuer", issuer, ClaimValueTypes.String, Options.ClaimsIssuer));

OpenIdConnect actually has an issuer concept built in, that's what's used to validate the token and create the Claims.

aspnetcore/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectHandler.cs

Lines 1239 to 1248 in 971df4c

	if (_configuration != null)
	{
	var issuer = new[] { _configuration.Issuer };
	validationParameters.ValidIssuers = validationParameters.ValidIssuers?.Concat(issuer) ?? issuer;
	validationParameters.IssuerSigningKeys = validationParameters.IssuerSigningKeys?.Concat(_configuration.SigningKeys)
	?? _configuration.SigningKeys;
	}
	var principal = Options.SecurityTokenValidator.ValidateToken(idToken, validationParameters, out SecurityToken validatedToken);

Since the validation and claims creation steps are linked together within IdentityModel, that's not something we can change. The closest we could manage is to re-write the identity after it's created.

Why do you need to change the issuer?

Hi @amoszheng. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment. If it is closed, feel free to comment when you are able to provide the additional information and we will re-investigate.

See our Issue Management Policies for more information.