Don't include the OpenIddict private claims in the merged principal

openiddict · Feb 20, 2024 · dde49a8 · dde49a8
1 parent 45515d1
commit dde49a8
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/src/OpenIddict.Client/OpenIddictClientHandlers.cs b/src/OpenIddict.Client/OpenIddictClientHandlers.cs
@@ -4061,6 +4061,12 @@ ClaimsPrincipal CreateMergedPrincipal(params ClaimsPrincipal?[] principals)
                             continue;
                         }
 
+                        // Ignore the OpenIddict private claims.
+                        if (claim.Type.StartsWith(Claims.Prefixes.Private, StringComparison.OrdinalIgnoreCase))
+                        {
+                            continue;
+                        }
+
                         identity.AddClaim(claim);
                     }
                 }