OIDC handler bug in user info response handling for multiple claims of same type

[brockallen]

Imagine user info endpoint returns this:

{"sub":"88421113","email":"BobSmith@email.com","email_verified":true,"role":["role1","role2"]}

This line: https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs#L788

Adds the role claim with this as the value: [ "role1", "role2" ].

It should break the array into multiple claims. Here's an extension method that already does this: https://github.com/IdentityModel/IdentityModel2/blob/dev/src/IdentityModel/Client/JObjectExtensions.cs#L12

[leastprivilege]

Any comment? This makes the userinfo feature pretty much unusable...

[Tratcher]

Triage is tomorrow, we'll take a look.

[muratg]

@PinpointTownes thoughts?

Assigning to @troydai for further investigation.

[kevinchalet]

@muratg IMHO, it's clearly worth fixing this bug (it also impacted a bunch of ASOS/OpenIddict users and my recommendation was to use the identity token to flow "array" claims instead of using the userinfo endpoint, since Wilson fully supports that).

Note: @brockallen's approach is simple and fine, but it doesn't preserve the claim value type. It's not critical but it's something to remember before reusing his snippet as-is. You might want to take a look at how it's implemented in Wilson, instead: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/master/src/System.IdentityModel.Tokens.Jwt/JwtPayload.cs#L307

[troydai]

@brockallen do you know an existing authentication server and client application can return claims in this way? It is helpful for me to build a repo quickly. Otherwise, I'll try to build a similar example or mock an auth server.

[leastprivilege]

@PinpointTownes You cannot solely use the id_token to flow claims because spec:

5.4. Requesting Claims using Scope Values
The Claims requested by the profile, email, address, and phone scope values are returned from the UserInfo Endpoint, as described in Section 5.3.2, when a response_type value is used that results in an Access Token being issued. However, when no Access Token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token.

[leastprivilege]

@troydai IdentityServer does

here's the host:
https://github.com/IdentityServer/IdentityServer4

and here's a client using hybrid flow and userinfo
https://github.com/IdentityServer/IdentityServer4.Samples/tree/dev/Clients/src/MvcHybrid

[troydai]

@leastprivilege thanks.