JWT Token Authentication - Claims not retrieved from token?

Wojt · April 28, 2024, 9:21pm

Hi

I have followed the docs to add authenticated message queue calls by implementing IHasBearerToken. This works for the authentication. However, I am trying to access session details using
var session = base.SessionAs<CustomUserSession>();
and apart from the basic authentication claims like userName etc, none of the other claims have been decoded from the JWT token.

Stepping through the code, and putting a breakpoint at:
public override void PopulateFromClaims(IRequest httpReq, ClaimsPrincipal principal)

I’ve noted this breakpoint is never hit i.e. the session is not populated from the other claims. Is there a way to enable this? If not, I can decode the token and do it manually, but I suspect I’ve just misconfigured something!

Thanks!

mythz · April 29, 2024, 1:14am

JWTs is limited to only contain Essential Information by default. You can add more information to the JWT with CreatePayloadFilter and populate it to the session with PopulateSessionFilter, e.g:

new JwtAuthProvider(AppSettings) 
{
    CreatePayloadFilter = (payload,session) => 
        payload["CreatedAt"] = session.CreatedAt.ToUnixTime().ToString(),

    PopulateSessionFilter = (session,payload,req) => 
        session.CreatedAt = long.Parse(payload["CreatedAt"]).FromUnixTime()
}

Wojt · April 29, 2024, 6:53am

Thanks for the quick response.

Apologies, I should have clarified, I am using ASP.NET Identity. The JWT token is being created by a 3rd party server (Kinde). My client is passing it in the DTO as suggested, and the authentication part works.

There are extra claims in the token, like org_code (I have confirmed that by examining the Request) but they are not being populated in to the session i.e. my CustomUserSession is not being created.

It is easy enough for me to decode the token and grab the claims when I need them, but kind of thought that would be done automatically by servicestack?

I have confirmed that in OnTokenValidated in AddJwtBearer populates the ClaimsPrincipal correctly from the token.

However, in my service, the session returned from base.SessionAs<CustomUserSession>() has none of those extra claims, and base.Request.GetPrincipal() is null as well.

mythz · April 29, 2024, 6:57am

Are these claims on the ASP .NET Principal?

Can use IRequest.GetClaimsPrincipal() to access HttpContext.User:

var claimsPrincipal = req.GetClaimsPrincipal();

Wojt · April 29, 2024, 7:08am

That returns null as well

mythz · April 29, 2024, 7:16am

Then it’s not being populated on the Authenticated Identity Auth User Principal which is what populates ServiceStack Auth Session, you’ll need it populated on the CliamsPrincipal first, then you can populate it on the ServiceStack Session by implementing PopulateFromClaims:

github.com

NetCoreTemplates/blazor-vue/blob/main/MyApp.ServiceInterface/Data/CustomUserSession.cs#L11


      
          using System.Security.Claims;
          using Microsoft.AspNetCore.Identity;
          using Microsoft.Extensions.Options;
          using ServiceStack;
          using ServiceStack.Web;
          
          namespace MyApp.Data;
          
          public class CustomUserSession : AuthUserSession
          {
              public override void PopulateFromClaims(IRequest httpReq, ClaimsPrincipal principal)
              {
                  // Populate Session with data from Identity Auth Claims
                  ProfileUrl = principal.FindFirstValue(JwtClaimTypes.Picture);
              }
          }
          
          /// <summary>
          /// Add additional claims to the Identity Auth Cookie
          /// </summary>
          public class AdditionalUserClaimsPrincipalFactory(

Wojt · April 29, 2024, 7:46am

Yup, doing all that, and registering the CustomSesion as well:

new AuthFeature(IdentityAuth.For<KindeUser>(options => {
        options.SessionFactory = () => new CustomUserSession();
        options.ApplicationAuth();
        options.JwtAuth();
    })   
)

And to clarify, I am only having an issue with authenticated message queue calls when I pass the JwtBearerToken as a parameter in a DTO with IHasBearerToken. Some of the claims are correctly populated from the session like UserId - just none of the Custom stuff from the token - the method PopulateFromClaims in CustomUserSession is never hit.

Using the JSON client from my react app, everything is populating as expected.

mythz · April 29, 2024, 8:47am

The latest v8.2.3 that’s now in Pre Release Packages should use the same Identity ApplicationAuth provider to populate the session that HTTP Requests use.

Which should let you populate existing AuthUserSession properties with MapClaimsToSession dictionary, e.g:

options.ApplicationAuth(c => {
    c.MapClaimsToSession[JwtClaimTypes.Picture] = 
        nameof(AuthUserSession.ProfileUrl);
});

Otherwise PopulateFromClaims() should now be called to populate the session with custom claims

options.ApplicationAuth(); is enabled by default so not needed unless you’re configuring it

Wojt · April 29, 2024, 12:25pm

Thanks. I’ve updated to 8.2.3 and found that PopulateFromClaims is still not hit in the one scenario of an authenticated MQ message with IHasBearerToken.

I can populate the session by creating an overload of PopulateFromClaims that just takes a claims list, then populating it when the session is created:

options.JwtAuth(c =>
{
    c.OnSessionCreated = (session, list, request) =>
    {
        var customSession = (CustomUserSession)session;
        customSession.PopulateFromClaims(list);
    };
});

It has pointed me in a slightly different direction, and I am not sure if this is by design or not:

When I call a service from a client using the JSON service client with the bearer token in the request Authorization headers, then it uses identity JWT bearer authentication (and my event handlers that populate the claims).
When I call a service from the MQ using IHasBearerToken DTOs, the ASP.NET Identity middleware is not used at all, and in IdentityJwtAuthProvider.CreateUserSession(IRequest req, List<Claim> claims), the OriginalRequest is not available and the ClaimsPrincipal is null.

It seems suboptimal for it to bypass the Identity system and also means I have to set up the token validation options etc. twice from what I can see (once to set up Identity and once for ServiceStack Auth).

I am not familiar enough with the inner workings of ServiceStack to investigate any further, but it certainly seems to handle those two scenarios (bearer token in headers vs in DTO) quite differently. Is there somewhere in the source I could be looking?

Thanks ++ for all your help so far.

mythz · April 29, 2024, 1:08pm

Right the Identity Middleware for a HTTP Request is not used, it’s a new Request on a new Endpoint where it has to recreate the Session from the token which it does at:

github.com

ServiceStack/ServiceStack/blob/main/ServiceStack/src/ServiceStack.Extensions/Auth/IdentityJwtAuthProvider.cs#L337


      
              var token = req.GetJwtToken();
              if (!string.IsNullOrEmpty(token) && 
                  !(req.Items.TryGetValue(Keywords.Session, out var oSession) && oSession is IAuthSession { IsAuthenticated: true }))
              {
                  var user = req.GetClaimsPrincipal();
                  if (!user.IsAuthenticated())
                  {
                      user = new JwtSecurityTokenHandler().ValidateToken(token,
                          Options!.TokenValidationParameters, out SecurityToken validatedToken);
                  }
                  var session = CreateSessionFromClaims(req, user);
                  req.Items[Keywords.Session] = session;
              }
              return Task.CompletedTask;
          }
          
          public async Task MessageReceivedAsync(MessageReceivedContext ctx)
          {
              var auth = ctx.Request.Headers.Authorization.ToString();
              ctx.Token = auth.StartsWith("Bearer ")
                  ? auth.Substring("Bearer ".Length)

I’m surprised you’re saying PopulateFromClaims() is not being called since it uses AuthApplication to populate the Session at:

github.com

ServiceStack/ServiceStack/blob/main/ServiceStack/src/ServiceStack.Extensions/Auth/IdentityJwtAuthProvider.cs#L412


      
          public virtual IAuthSession CreateSessionFromClaims(IRequest req, ClaimsPrincipal principal)
          {
              var claims = principal.Claims.ToList();
              var sessionId = claims.FirstOrDefault(x => x.Type == "jid")?.Value ?? HostContext.AppHost.CreateSessionId();
              var session = SessionFeature.CreateNewSession(req, sessionId);
          
              session.IsAuthenticated = true;
              session.AuthProvider = Name;
              session.FromToken = true;
          
              IdentityAuth.AuthApplication.PopulateSession(req, session, principal);
          
              OnSessionCreated?.Invoke(session, claims, req);
          
              HostContext.AppHost.OnSessionFilter(req, session, sessionId);
              return session;
          }
          
          public virtual async Task ExecuteAsync(AuthFilterContext authContext)
          {
              var session = authContext.Session;

Which it then calls PopulateFromClaims at:

github.com

ServiceStack/ServiceStack/blob/main/ServiceStack/src/ServiceStack.Extensions/Auth/IdentityApplicationAuthProvider.cs#L196


      
                  {
                      meta[claim.Type] = claim.Value;
                  }
              }
          
              session.PopulateFromMap(sessionValues);
          
              if (session.UserAuthName?.IndexOf('@') >= 0 && session.Email == null)
                  session.Email = session.UserAuthName;
          
              extended?.PopulateFromClaims(req, claimsPrincipal);
          
              PopulateSessionFilter?.Invoke(session, claimsPrincipal, req);
          
              session.OnCreated(req);
          }
          
          public virtual async Task PopulateSessionAsync(IRequest req, IAuthSession session, ClaimsPrincipal claimsPrincipal, string? source = null)
          {
              PopulateSession(req, session, claimsPrincipal, source);

Are you sure you’re running the latest v8.2.3? Does your Session inherit the normal AuthUserSession base class?

Wojt · April 29, 2024, 8:02pm

Sigh, for some reason it seemed to still be using 8.2.2 despite all the packages being updated. It is working once I’ve cleaned and rebuilt.

Thanks for your help - that all works and makes more sense to me as well!