Add option to `AddBearerToken()` for sending unprotected jwt access token when using Bearer Scheme

[ahmed-abdelrazek]

Is there an existing issue for this?

• I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

i want my front end (web-mobile-desktop) to be able to read the claims in the access token

Describe the solution you'd like

an option like this that send unprotected jwt access token would be nice

Additional context

No response

[ahmed-abdelrazek]

#59444 (comment)

[mguinness]

To clarify, OP is requesting an additional property be added to the BearerTokenOptions class. Hard to discern from just a screenshot.

[ahmed-abdelrazek]

To clarify, OP is requesting an additional property be added to the BearerTokenOptions class. Hard to discern from just a screenshot.

no just an idea on how it might get activated (the identity server access token being decrypted jwt)

[blowdart]

If the token is issued by an oauth server and is meant for the back end your front end should be treating it as opaque. Whilst it's typical a oauth server issues a jwt it is by no means guaranteed, and even if it is a jwt, it may be an encrypted jwt, which only the system for which it's issued can decrypt.

This takes the simple asp.net identity jwt issuance further away from how an identity issuer should work, and makes it less compatible with AAD and others.

[ahmed-abdelrazek]

@blowdart in my case tokens are meant for the front end and i don't want the front to send extra requests to get the same info that already exist in the access token

and what i meant by decrypted/unprotected jwt is something like this

and not the current one which as far as i know is protected jwt

i'm not asking for one or the other but the option to choose between the 2 maybe something like

[mguinness]

I think the OP's issue is related to make the new asp core 8 IdentityConstants.BearerScheme "unprotected" in that he wants to decode the bearer token. However based on Use token-based authentication this is not the use case.

The tokens aren't standard JSON Web Tokens (JWTs). The use of custom tokens is intentional, as the built-in Identity API is meant primarily for simple scenarios.

It's a common misconception that is also discussed in How I Can Decode New .Net 8 AccessToken To Get User Information?

[blowdart]

And that was a deliberate choice to not lead people into thinking it was an oauth identity service.

A choice would should, imo, continue

[ahmed-abdelrazek]

@blowdart what about an option to return id token as jwt beside the access and refresh tokens?

[blowdart]

I point back to

that was a deliberate choice to not lead people into thinking it was an oauth identity service.

If you want an oauth service there are plenty to choose from.

[ahmed-abdelrazek]

I point back to

that was a deliberate choice to not lead people into thinking it was an oauth identity service.

If you want an oauth service there are plenty to choose from.

i understand the sentiment if you want more features or full fledged identity server try microsoft entra or openiddict or duende or anyother service out there

it's easier to start a new project with microsoft identity and the default templates specially if the project is small enough and you don't want any other feature
the only thing missing right now (at least for me) is the frontend projects react angular or vue even blazor wasm reading the claims from the token (without extra requests to the backend) and as a work around i rewrite the signin flow to return custom jwt

so i thought it would be nice if that was built in the default library