Use ClaimTypes.Name and ClaimTypes.Role by default for the principal created after an introspection request

2 years ago · ffaa466cba
1 changed files with 12 additions and 4 deletions
--- a/src/OpenIddict.Client/OpenIddictClientHandlers.Introspection.cs
+++ b/src/OpenIddict.Client/OpenIddictClientHandlers.Introspection.cs
@ -400,10 +400,18 @@ public static partial class OpenIddictClientHandlers

                // Create a new claims-based identity using the same authentication type
                // and the name/role claims as the one used by IdentityModel for JWT tokens.
-                var identity = new ClaimsIdentity(
-                    context.Registration.TokenValidationParameters.AuthenticationType,
-                    context.Registration.TokenValidationParameters.NameClaimType,
-                    context.Registration.TokenValidationParameters.RoleClaimType);
+                //
+                // Note: if WS-Federation claim mapping was not disabled, the resulting identity
+                // will use the default WS-Federation claims as the name/role claim types.
+                var identity = context.Options.DisableWebServicesFederationClaimMapping ?
+                    new ClaimsIdentity(
+                        context.Registration.TokenValidationParameters.AuthenticationType,
+                        context.Registration.TokenValidationParameters.NameClaimType,
+                        context.Registration.TokenValidationParameters.RoleClaimType) :
+                    new ClaimsIdentity(
+                        context.Registration.TokenValidationParameters.AuthenticationType,
+                        nameType: ClaimTypes.Name,
+                        roleType: ClaimTypes.Role);

                foreach (var parameter in context.Response.GetParameters())
                {