microsoft / DurableFunctionsMonitor

A monitoring/debugging UI tool for Azure Durable Functions

Should username claim be case insensitive?

vineetnair opened this issue

Great work with this project, guys! So useful :)

I noticed the username-based claim failed a couple of times for us due to case-sensitivity reasons. Should this check be done case-insensitively?

Thanks for your feedback, @vineetnair.

Are you saying that the same username sometimes appears in e.g. lower case and sometimes in upper case in your tokens?

No, the username claim via the token just retains the casing in which it was set up in AAD. But the configuration in DFM to only allow certain users seems to have case-sensitive checking.

So, if the claim is John.Smith@contoso.com and the allowed username is john.smith@contoso.com, it doesn't allow access and throws a 401.

Then I'd suggest staying on the safe side and keeping this validation case-sensitive. At least, so long as it doesn't block any particular scenario.

That's fair, thanks
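
The behaviour discussed in this thread, as an added example that is not part of the original issue and is not DurableFunctionsMonitor's own code: access is decided by an exact, case-sensitive match, and a name that differs only by case is still denied but classified separately so an operator can correct the configured value. The type and method names (`UserCheck`, `AllowedUserCheck.Check`) are hypothetical, and the sample data is constructed from the addresses quoted above.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical names for illustration; not DurableFunctionsMonitor's API.
public enum UserCheck { Allowed, DeniedCaseMismatch, Denied }

public static class AllowedUserCheck
{
    // Access is granted only on an exact ordinal (case-sensitive) match.
    // A case-only near miss is still denied, but reported as its own result
    // so the 401 can be traced to a configuration typo rather than a bad token.
    public static UserCheck Check(string userNameClaim, IEnumerable<string> allowedUserNames)
    {
        if (string.IsNullOrEmpty(userNameClaim))
            return UserCheck.Denied;

        var allowed = allowedUserNames.ToList();

        if (allowed.Contains(userNameClaim, StringComparer.Ordinal))
            return UserCheck.Allowed;

        // OrdinalIgnoreCase is culture-independent. It is used here for
        // diagnostics only and never to grant access.
        return allowed.Contains(userNameClaim, StringComparer.OrdinalIgnoreCase)
            ? UserCheck.DeniedCaseMismatch
            : UserCheck.Denied;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: allowed list as configured, claims as issued in the token.
        var allowed = new[] { "john.smith@contoso.com" };
        var claims = new[] { "john.smith@contoso.com", "John.Smith@contoso.com", "eve@contoso.com" };

        foreach (var claim in claims)
        {
            var result = AllowedUserCheck.Check(claim, allowed);
            Console.WriteLine($"{claim}: {result}");
        }
    }
}
```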