Incorrect User.Identity comes to remote API from BFF

[Maxmyd]

Hi.
I'm running the projects built from your .NET templates and Skoruba IdentityServer host.

Here is the code from BFF backend

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = "cookie";
        options.DefaultChallengeScheme = "oidc";
        options.DefaultSignOutScheme = "oidc";
    })
    .AddCookie("cookie", options =>
    {
        options.Cookie.Name = "__Host-bff";
        options.Cookie.SameSite = SameSiteMode.Strict;
    })
    .AddOpenIdConnect("oidc", options =>
    {
        options.Authority = config.Authority;
        options.ClientId = config.ClientId;
        options.ClientSecret = config.ClientSecret;

        options.ResponseType = "code";
        options.ResponseMode = "query";

        options.GetClaimsFromUserInfoEndpoint = true;
        options.MapInboundClaims = false;
        options.SaveTokens = true;

        options.Scope.Clear();
        foreach (var scope in config.Scopes)
        {
            options.Scope.Add(scope);
        }

        options.TokenValidationParameters = new()
        {
            NameClaimType = "name",
            RoleClaimType = "role"
        };
    });

.......

app.UseHttpsRedirection();
app.UseAuthentication();
app.UseBff();
app.UseAuthorization();
app.MapBffManagementEndpoints();

if (config.Apis.Any())
{
    foreach (var api in config.Apis)
    {
        app.MapRemoteBffApiEndpoint(api.LocalPath, api.RemoteUrl!)
        .RequireAccessToken(Duende.Bff.TokenType.User);
    }
}

And here is the remote API

builder.Services.AddAuthentication("token")
    .AddJwtBearer("token", options =>
    {
        options.Authority = "https://localhost:44310";
        //options.Audience = "https://localhost:44310/resources";
        options.TokenValidationParameters.ValidateAudience = false;

        options.MapInboundClaims = false;
    });

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("ApiCaller", policy =>
    {
        policy.RequireClaim("scope", "api");
    });

    options.AddPolicy("InteractiveUser", policy =>
    {
        policy.RequireClaim("sub");
    });
});

Looks pretty like from you samples, but when it comes to resolving user in the API method through HttpContext.User, I always receive the client claims but not user claims.
At the same time, when I run your Angular sample, I can see correct user Alice.
Can you please tell me what I'm doing wrong.
Thanks

P.S. Tried to use demo.duendesoftware.com for authentication, it returns correct claims. Looks like it is not about the BFF service but about IdentityServer settings. Anyway, your help is appreciated a lot.

[wcabus]

P.S. Tried to use demo.duendesoftware.com for authentication, it returns correct claims. Looks like it is not about the BFF service but about IdentityServer settings.

Could you compare your project's setup (AddIdentityServer etc., client configuration, API scopes, ...) with the one from demo.duendesoftware.com? You can find the repository for our demo site here: https://github.com/DuendeSoftware/demo.duendesoftware.com

[Maxmyd]

Thank you, I made some tuning on the Identity Server side, and it works.