It seems like many people are looking at this question, so I would like to share some additional information that I learned since I asked the question a while ago. It makes some things more understandable (at least for me) and was not as obvious (to me, as a .NET newbie).
As Markus Heglund noted in the comments:
It should be the same for "Web API". In ASP.NET Core, MVC and Web API are merged into a single controller type.
This is definitely true and absolutely correct.
Because it's all the same for .NET and .NET Core.
Back then I was new to .NET Core and actually to the whole .NET world. An important missing piece of information was that in .NET and .NET Core all authentication boils down to the System.Security.Claims namespace with its ClaimsIdentity, ClaimsPrincipal and Claim properties. It is therefore used in both kinds of .NET Core controllers (API and MVC or Razor or ...) and is available through HttpContext.User.
Important note: all tutorials skip this.
So if you start doing something with JWT tokens in .NET, make sure you also get ClaimsIdentity, ClaimsPrincipal and the Claim properties right. It is all about those. Now you know. This was pointed out by Goeringer in one of the comments:
ALL claims-based authentication middleware (if implemented correctly) populates HttpContext.User with the claims received during authentication.
As far as I understand, this means that you can safely trust the values in HttpContext.User. But wait a bit to learn what to consider when choosing middleware. Many different authentication middlewares are already available (in addition to .UseJwtAuthentication()).
With a small custom extension method you can now get the current user id (more precisely, the subject claim):
    using System;
    using System.Linq;
    using System.Security.Claims;

    public static class ClaimsPrincipalExtensions
    {
        // Returns the value of the "sub" claim, or null if there is no user or no such claim
        public static string SubjectId(this ClaimsPrincipal user)
        {
            return user?.Claims?
                .FirstOrDefault(c => c.Type.Equals("sub", StringComparison.OrdinalIgnoreCase))?
                .Value;
        }
    }
Or use the version from Ateik's answer.
BUT WAIT: there is one strange thing.
The next thing that confused me was that, following the OpenID Connect specification, I was looking for a "sub" claim (the current user) but could not find it. Just as Honza Kalfus could not in his answer.
Why?
Because Microsoft "sometimes" is "slightly" different. Or at least they do a bit more (and unexpected) things. Take, for example, the official Microsoft JWT Bearer authentication middleware mentioned in the original question. Microsoft decided to convert the claims (the claim names) in all of their official authentication middleware (for compatibility reasons, I don't know the details).
You will not find a "sub" claim (although it is the only claim specified by OpenID Connect), because it was turned into these fancy ClaimTypes. This is not all bad: it allows you to add mappings if you need to map different claims to one internal name.
Either you adhere to the Microsoft naming convention (and keep this in mind when you add/use non-Microsoft middleware), or you learn how to change the claim mapping of the Microsoft middleware.
In the case of JwtBearerAuthentication this is done with the following (do it early in Startup, or at least before adding the middleware):
    using System.IdentityModel.Tokens.Jwt;

    // Clear the default inbound mapping so the token's own claim names ("sub", "name", ...)
    // are kept instead of being mapped to the ClaimTypes.* URIs
    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
If you want to stick with Microsoft's naming of the subject claim (don't beat me, I'm not sure right now whether this name is the correct mapping):
    using System;
    using System.Linq;
    using System.Security.Claims;

    public static class ClaimsPrincipalExtensions
    {
        // Same as above, but looks for the claim type the Microsoft mapping produces
        public static string SubjectId(this ClaimsPrincipal user)
        {
            return user?.Claims?
                .FirstOrDefault(c => c.Type.Equals(ClaimTypes.NameIdentifier, StringComparison.OrdinalIgnoreCase))?
                .Value;
        }
    }
Note that other answers use the more advanced and more convenient FindFirst method. Although my code examples don't use it, you can go with it.
Thus all your claims are stored and accessible (under one name or the other) in HttpContext.User.
But where is my token?
I don't know about other middleware, but the JWT Bearer authentication middleware lets you save the token for each request. But this needs to be activated (in Startup.ConfigureServices(...)):
    services
        .AddAuthentication("Bearer")
        // SaveToken keeps the validated bearer token in the authentication properties
        .AddJwtBearer("Bearer", options => options.SaveToken = true);
The actual token (in all its cryptic form) as a string (or null) can then be accessed through
    using Microsoft.AspNetCore.Authentication;

    // Returns null if SaveToken was not enabled or the request carried no bearer token
    string token = await HttpContext.GetTokenAsync("Bearer", "access_token");
There was an older version of this method (this one works for me in .NET Core 2.2 without an obsolete warning).
If you need to parse and extract values from this string, the question "How to decode the JWT token" can help.
Well, I hope this summary helps you.
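To tie the pieces of this answer together, here is an added, complete example (my own code, not code from the original answer, from Microsoft, or from any of the people quoted above). It clears the inbound claim type map so "sub" survives, enables SaveToken, validates issuer, audience, lifetime and signature, and reads the subject id and the raw token inside a controller. The authority URL and audience are placeholders you must replace with your identity provider's values; the SubjectId helper below is my own variant that works whether or not the map was cleared.

```csharp
// Added example (not part of the original answer). ASP.NET Core 2.x style Startup
// plus one controller; authority and audience below are placeholders.
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class ClaimsPrincipalExtensions
{
    // Works with and without the Microsoft inbound mapping: "sub" is the OpenID Connect
    // name, ClaimTypes.NameIdentifier is what the default mapping turns it into.
    public static string SubjectId(this ClaimsPrincipal user) =>
        user?.FindFirst("sub")?.Value
        ?? user?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Keep the token's own claim names; must run before the handler is first used.
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

        services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme) // "Bearer"
            .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
            {
                // Placeholders: replace with your identity provider and API name.
                options.Authority = "https://identity.example.invalid";
                options.Audience = "my-api";
                options.RequireHttpsMetadata = true;
                // Store the validated token so HttpContext.GetTokenAsync can return it.
                options.SaveToken = true;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    // With the map cleared, tell the framework which claims carry
                    // the user name and the roles (used by User.Identity.Name / IsInRole).
                    NameClaimType = "name",
                    RoleClaimType = "role"
                };
            });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must come before MVC so HttpContext.User is populated
        app.UseMvc();
    }
}

[ApiController]
[Route("api/[controller]")]
public class MeController : ControllerBase
{
    [HttpGet]
    [Authorize]
    public async Task<IActionResult> Get()
    {
        // Populated by the JWT bearer middleware from the validated token.
        string subject = User.SubjectId();
        if (subject == null)
            return Unauthorized(); // a token without a subject is not a usable identity here

        // Raw token string; null unless options.SaveToken = true.
        string rawToken = await HttpContext.GetTokenAsync(
            JwtBearerDefaults.AuthenticationScheme, "access_token");

        return Ok(new
        {
            subject,
            claims = User.Claims.Select(c => new { c.Type, c.Value }),
            tokenPresent = rawToken != null
        });
    }
}
```

On ASP.NET Core 3.0 and later you can set options.MapInboundClaims = false on the JwtBearerOptions instead of touching the static DefaultInboundClaimTypeMap; the effect on the claim names is the same. Whichever you choose, keep SubjectId tolerant of both names if any other middleware in the pipeline still applies the mapping.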