Why Is sub Missing from My JWT Claims on ASP.NET Core?

Last updated on June 14, 2025


I am told that anyone working with ASP.NET Core and JWT hits this wall at least once.

I've hit it a couple of times. The first time I worked around it. This time I decided to see if there was a way to fix it.

What is this "it"? It's the fact that Microsoft butch^H^H^H, ahem, standardizes your JSON Web Token claims for you.

To what end? Well, if you've worked with an identity solution like Authentik or Keycloak, you know that certain claims are standard and are available to you when you read one of their tokens: this includes things like user name, user id and email. The problem shows up when you are working in .NET Core and all of a sudden your trusty claims are not present or are returning null.

It was an effing mystery: sub was missing, email was missing. But I could dump my tokens and SEE the claims right there with my own two eyes, yet as soon as the tokens hit an endpoint, sub was gone, email was gone. WTF?

Yes, WTF indeed. After much consternation, I eventually came across the cause, the solution, and the rationale.

Basically, Microsoft normalizes token claims in such a way that they are easier to integrate into legacy authentication flows like WS-Federation and SAML. So "sub" becomes nameidentifier, email becomes emailaddress, etc.

It's an absolute shitshow if you don't know they're doing it. And I sure as hell didn't know, lol.

So how do you fix it?

During your application startup, make one of these calls, depending on your framework version:

.NET 8.0+: JsonWebTokenHandler.DefaultInboundClaimTypeMap.Clear(); (JsonWebTokenHandler lives in the Microsoft.IdentityModel.JsonWebTokens namespace)

.NET 7 or earlier: JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); (JwtSecurityTokenHandler lives in the System.IdentityModel.Tokens.Jwt namespace)

These functions tell Microsoft to get their grubby little hands off of your tokens and to stop messing with them.
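Here is a worked version of the fix, added to this post as an example rather than taken from it or from Microsoft's docs. Instead of clearing the process-wide static map, it turns mapping off on the JwtBearer handler itself (JwtBearerOptions.MapInboundClaims = false), which does the same job for that one handler and also covers .NET 8, where JwtBearer validates with JsonWebTokenHandler unless UseSecurityTokenValidators is set, so clearing JwtSecurityTokenHandler's map there changes nothing. The Authority, Audience, "preferred_username" and "roles" values are placeholders I made up; substitute what your IdP actually issues.

```csharp
// Added example, not code from the original post: a minimal ASP.NET Core 8
// Program.cs that keeps JWT claim names exactly as the IdP issued them.
// Assumptions: the Authority/Audience values and the "preferred_username"
// and "roles" claim names are placeholders that match your own IdP.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://idp.example.invalid/realms/demo"; // placeholder
        options.Audience  = "my-api";                                   // placeholder

        // Per-handler equivalent of DefaultInboundClaimTypeMap.Clear():
        // "sub" stays "sub", "email" stays "email", nothing is renamed to
        // the long http://schemas.xmlsoap.org/... claim types.
        options.MapInboundClaims = false;

        // Trade-off: with mapping off nothing lands in ClaimTypes.NameIdentifier
        // or ClaimTypes.Role, so User.Identity.Name and [Authorize(Roles = ...)]
        // go blank unless you point the framework at the raw claim names.
        options.TokenValidationParameters.NameClaimType = "preferred_username"; // assumption
        options.TokenValidationParameters.RoleClaimType = "roles";              // assumption
    });

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Shows both views of the same token so you can see what mapping would have
// hidden: the raw JWT names are populated, the legacy mapped names are not.
app.MapGet("/whoami", (ClaimsPrincipal user) => new
{
    Sub   = user.FindFirst("sub")?.Value,
    Email = user.FindFirst("email")?.Value,
    MappedNameIdentifier = user.FindFirst(ClaimTypes.NameIdentifier)?.Value, // null now
    Name  = user.Identity?.Name, // comes from NameClaimType above
})
.RequireAuthorization();

app.Run();
```

Two things to check after flipping this switch: any authorization policy, role check or logging that was quietly reading ClaimTypes.NameIdentifier or ClaimTypes.Email needs to read "sub" and "email" instead, and if you have more than one authentication scheme (say JwtBearer plus OpenIdConnect for a browser login), each one has its own MapInboundClaims setting, so audit them all rather than assuming one global clear covered everything.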

I don't even want to tell you how much time I actually wasted on this feature, but if you don't know what's happening at the time, it leads one down a lot of completely unrelated debugging paths. So hopefully I saved you some time.

Am I the only one who thinks something like this should be opt-in rather than opt-out?

Oh well, take care and happy coding.

TL;DR: If "sub" or "email" is missing from your JWT claims in .NET Core, use one of the commands above to fix it.

Source: the venerable Stack Overflow