Get claims from jwt token into context.User.Claims

Question

I'm trying to get claims from the JWT token into context.User.Claims in my ASP.NET Core 5 Web API. I'm using Azure and have registered an app in Azure AD in our tenant.

The code is in an Authorization handler.

When I read the JWT token ( context.Request.Headers["Authorization"] ) using JwtSecurityTokenHandler , I can get all claims, but my context.User.Claims is still empty.

The aud and iss values show up as:

[aud, https://graph.microsoft.com]
[iss, https://sts.windows.net/[tenant-id]/]

This is my Startup.ConfigureServices() method:

services.AddAuthentication(sharedOptions =>
{
    sharedOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(option =>
{
    option.Audience = audience;
    option.Authority = authority; 
    option.TokenValidationParameters = new TokenValidationParameters
    {
        ClockSkew = TimeSpan.FromHours(1), 
        ValidateLifetime = true,
        ValidateIssuer = true,
        ValidIssuer = authority,
        ValidateAudience = true,
        ValidAudience = audience
    };
});

What am I supposed to put in audience and authority ? I have tested the values I got from the JWT token (above).

I have also tried with:

• authority (issuer): https://login.microsoftonline.com/[tenant-id]/v2.0

• audience: app://[client-id]

and all combinations. Same result

Answer 1

Initially, try to decode the token using jwt.ms and check what claims the token contains.

• For Audience parameter, you can use the Application ID URI (api://your_app_id) or scope ( https://graph.microsoft.com ).

• For Authority parameter, you can use the address of the token-issuing authentication server. Please note that, issuer value differs depending on the type of token you are generating (v1.0/v2.0).

• For v1.0 token -> https://sts.windows.net< Azure AD Tenant GUID>/

• For v2.0 token -> https://login.microsoftonline.com<Azure AD Tenant GUID>/v2.0

To confirm and know more about the parameters, refer to the blog by Jeffrey Fritz .

To receive the claims, make sure to add [Authorize] attribute with HTTP context header.

Please check whether you included app.UseAuthorization or not.

Make sure to call the middleware in the order like below from this MS Doc :

app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();

If the issue persists, then try to modify the Startup.cs -> ConfigureServices() method as mentioned in this blog .

You can refer to the links below that can give you some pointers to resolve the issue:

identityserver4 - User.Claims is empty ASP.NET 5.0 - Stack Overflow

.NET Core Web API HttpContext.User.Claimsare always null - Stack Overflow

Answer 2

I suspect you are getting the wrong type of JWT, with a nonce field in the JWT header, that does not validate properly in your own APIs. To fix this there is an Expose an API scope option.

There are some visual details about this from step 3 of my blog post from a few years back. You can then configure the issuer and audience as in my API code example config .