From 2004883e02640bdcd3fd87b6b69b6415a9402427 Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 16 Apr 2026 07:13:17 +0000
Subject: [PATCH] fix: disable JWT inbound claim mapping for Zitadel sub claim

.NET remaps "sub" to a long URI claim type by default, causing User.FindFirst("sub") to return null. MapInboundClaims=false preserves the original claim names.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 backend/Program.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/backend/Program.cs b/backend/Program.cs
index 0cf79c2..6c7bb27 100644
--- a/backend/Program.cs
+++ b/backend/Program.cs
@@ -20,6 +20,7 @@ builder.Services.AddAuthentication("Bearer")
 {
 options.Authority = builder.Configuration["Zitadel:Issuer"] ?? "https://auth.kuns.dev";
 options.Audience = builder.Configuration["Zitadel:ClientId"] ?? "";
+ options.MapInboundClaims = false; // Prevent .NET from remapping "sub" to long URI
 options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
 {
 ValidateIssuer = true,
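Review bot: `options.MapInboundClaims = false` turns off the mapping for every inbound claim, not only `sub`, so the comment on the added line understates what changes. Any code that still reads `ClaimTypes.NameIdentifier`, `User.Identity.Name` or depends on `[Authorize(Roles = ...)]` / `User.IsInRole` will stop matching unless `NameClaimType` and `RoleClaimType` are set to the short claim names the issuer actually emits. The `TokenValidationParameters` initializer that starts right below continues outside the hunk, so this may already be handled; if it is not, add `NameClaimType = "sub",` and an explicit `RoleClaimType` there, and widen the comment to `// Keep JWT claim names exactly as issued; NameClaimType/RoleClaimType must be set explicitly`. Separately, the context line `options.Audience = ... ?? ""` falls back to an empty audience when `Zitadel:ClientId` is missing, and whether that fails closed depends on the `ValidateAudience` setting not visible here, so throwing at startup on a missing value would be safer.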