Identityserver4: "InvalidOperationException: sub claim is missing" on Facebook

Created on 3 May 2018 · 7 comments · Source: IdentityServer/IdentityServer4

I can't get the Facebook Social login working.... Google works fine....

I get the error on callback: InvalidOperationException: sub claim is missing
Full stack trace:
```
IdentityServer4.Hosting.IdentityServerAuthenticationService.AssertRequiredClaims(ClaimsPrincipal principal) in IdentityServerAuthenticationService.cs
IdentityServer4.Hosting.IdentityServerAuthenticationService.AugmentPrincipal(ClaimsPrincipal principal) in IdentityServerAuthenticationService.cs
IdentityServer4.Hosting.IdentityServerAuthenticationService+d__7.MoveNext() in IdentityServerAuthenticationService.cs
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler+d__12.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
IdentityServer4.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper+d__6.MoveNext() in AuthenticationRequestHandlerWrapper.cs
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
System.Runtime.CompilerServices.TaskAwaiter.GetResult()
Microsoft.AspNetCore.Authentication.AuthenticationMiddleware+d__6.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware+d__7.MoveNext()
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
IdentityServer4.Hosting.BaseUrlMiddleware+d__3.MoveNext() in BaseUrlMiddleware.cs
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware+d__7.MoveNext()
```

Here is my setup of the external social providers:

```
services.AddIdentityServer()
    .AddDeveloperSigningCredential()
    .AddConfigurationStore(options =>
    {
        options.ConfigureDbContext = builder =>
            builder.UseSqlServer(config.AuthConnectionString,
                sql => sql.MigrationsAssembly(migrationsAssembly));
    })
    // this adds the operational data from DB (codes, tokens, consents)
    .AddOperationalStore(options =>
    {
        options.ConfigureDbContext = builder =>
            builder.UseSqlServer(config.AuthConnectionString,
                sql => sql.MigrationsAssembly(migrationsAssembly));

        // this enables automatic token cleanup. this is optional.
        options.EnableTokenCleanup = true;
        options.TokenCleanupInterval = 360;
    })
    .AddCustomUserStore();

services.AddAuthentication()
    .AddGoogle("Google", options =>
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

        options.ClientId = "myid.apps.googleusercontent.com";
        options.ClientSecret = "myappsecret";
    })
    .AddFacebook("Facebook", options =>
    {
        options.AppId = "myfbappid";
        options.AppSecret = "myfbsecret";
        options.SignInScheme = IdentityServerConstants.DefaultCookieAuthenticationScheme;
    });
```

Nothing to find on Google that helped really....

question

All 7 comments

When you issue the claims at login from Facebook you need to provide a sub claim. That's the error. And given that you've configured Facebook to go from FB claims directly to your cookie claims with this line:

options.SignInScheme = IdentityServerConstants.DefaultCookieAuthenticationScheme;

then the logic in the quickstart UI has no way to map a FB user to your user DB.

But how is the "sub" claim provided ?

Your user mapping logic would need to establish that. You can have a look at how our quickstart sample code does it, but ultimately you will need to decide for yourself.

Could you please give me a link to that sample? I can't see what's missing, and the error occurs before any code I have control of launches :-(

Thanks, IdentityServerConstants.ExternalCookieAuthenticationScheme solved the problem. I totally missed it; Google was set up to use this and it worked.
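For readers landing here with the same error, the following is an added example (not code from the thread, from IdentityServer4, or from its quickstart) of the two pieces the answers above refer to: registering Facebook against the temporary external cookie scheme, and a callback action that maps the external identity to a local user and signs in to IdentityServer with an explicit `sub` claim. The `IExternalUserStore` interface and `LocalUser` class are hypothetical stand-ins for your own user store; the `IdentityServerUser` / `HttpContext.SignInAsync(IdentityServerUser)` API is assumed to be the IdentityServer4 2.2+ shape.

```csharp
// Added example: external cookie scheme + callback that issues "sub".
// IExternalUserStore and LocalUser are hypothetical; replace with your own user store.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class LocalUser
{
    public string SubjectId { get; set; }
    public string Username { get; set; }
}

// Hypothetical store: look up, or create, a local account for an external identity.
public interface IExternalUserStore
{
    Task<LocalUser> FindByExternalProviderAsync(string provider, string providerUserId);
    Task<LocalUser> AutoProvisionUserAsync(string provider, string providerUserId, IEnumerable<Claim> claims);
}

public static class ExternalAuthSetup
{
    public static void ConfigureExternalProviders(IServiceCollection services, string fbAppId, string fbAppSecret)
    {
        services.AddAuthentication()
            .AddFacebook("Facebook", options =>
            {
                options.AppId = fbAppId;
                options.AppSecret = fbAppSecret;
                // Land the Facebook claims in the temporary *external* cookie, not the
                // IdentityServer session cookie; the callback below maps them to a local
                // user and issues "sub" before the real sign-in happens.
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
            });
    }
}

public class ExternalController : Controller
{
    private readonly IExternalUserStore _users;
    private readonly IIdentityServerInteractionService _interaction;

    public ExternalController(IExternalUserStore users, IIdentityServerInteractionService interaction)
    {
        _users = users;
        _interaction = interaction;
    }

    [HttpGet]
    public IActionResult Login(string provider, string returnUrl)
    {
        // Accept only local return URLs or ones IdentityServer recognises (no open redirect).
        if (string.IsNullOrEmpty(returnUrl)) returnUrl = "~/";
        if (!Url.IsLocalUrl(returnUrl) && !_interaction.IsValidReturnUrl(returnUrl))
            return BadRequest("invalid return URL");

        var props = new AuthenticationProperties
        {
            RedirectUri = Url.Action(nameof(Callback)),
            Items = { { "returnUrl", returnUrl }, { "scheme", provider } }
        };
        return Challenge(props, provider);
    }

    [HttpGet]
    public async Task<IActionResult> Callback()
    {
        // Read the external identity back out of the temporary external cookie.
        var result = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
        if (result?.Succeeded != true) return Unauthorized();

        var external = result.Principal;
        // The ASP.NET Core Facebook handler supplies NameIdentifier rather than "sub".
        var idClaim = external.FindFirst(JwtClaimTypes.Subject) ?? external.FindFirst(ClaimTypes.NameIdentifier);
        if (idClaim == null) return Unauthorized();

        var provider = result.Properties.Items["scheme"];
        var otherClaims = external.Claims.Where(c => c != idClaim).ToList();

        var user = await _users.FindByExternalProviderAsync(provider, idClaim.Value)
                   ?? await _users.AutoProvisionUserAsync(provider, idClaim.Value, otherClaims);

        // Sign in to IdentityServer with an explicit subject: this is where "sub" comes from.
        var isuser = new IdentityServerUser(user.SubjectId)
        {
            DisplayName = user.Username,
            IdentityProvider = provider,
        };
        await HttpContext.SignInAsync(isuser);

        // The temporary external cookie has done its job; remove it.
        await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);

        return Redirect(result.Properties.Items["returnUrl"] ?? "~/");
    }
}
```

The key difference from the configuration in the original post is the `SignInScheme`: with `DefaultCookieAuthenticationScheme` the Facebook handler writes the provider's claims straight into the IdentityServer session cookie, and `AssertRequiredClaims` fails because nothing has added `sub`. With `ExternalCookieAuthenticationScheme` the claims go into the short-lived external cookie, and the callback is the place where the provider identity is mapped to your own subject id. The return URL check in `Login` is there so the external login flow cannot be used to redirect to an arbitrary site.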

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
