From 04e83476dce0a6a083fda8e6aa058eb1be4df158 Mon Sep 17 00:00:00 2001
From: Joe DeCock <josephdecock@gmail.com>
Date: Tue, 9 Dec 2025 11:36:40 -0600
Subject: [PATCH] Fixed an issue where claims where duplicated

---
 .../src/AspNetIdentity/DefaultSessionClaimsFilter.cs |  4 ----
 .../DefaultSessionClaimsFilterTests.cs               | 12 +++++++++++-
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/identity-server/src/AspNetIdentity/DefaultSessionClaimsFilter.cs b/identity-server/src/AspNetIdentity/DefaultSessionClaimsFilter.cs
index 0845f2e23..b12e94afd 100644
--- a/identity-server/src/AspNetIdentity/DefaultSessionClaimsFilter.cs
+++ b/identity-server/src/AspNetIdentity/DefaultSessionClaimsFilter.cs
@@ -13,10 +13,6 @@ public class DefaultSessionClaimsFilter : ISessionClaimsFilter
     {
         var newClaimTypes = context.NewPrincipal.Claims.Select(x => x.Type).ToArray();
         var currentClaimsToKeep = context.CurrentPrincipal.Claims.Where(x => !newClaimTypes.Contains(x.Type)).ToArray();
-
-        var id = context.NewPrincipal.Identities.First();
-        id.AddClaims(currentClaimsToKeep);
-
         return Task.FromResult<IReadOnlyCollection<Claim>>(currentClaimsToKeep);
     }
 }
diff --git a/identity-server/test/IdentityServer.UnitTests/AspNetIdentity/DefaultSessionClaimsFilterTests.cs b/identity-server/test/IdentityServer.UnitTests/AspNetIdentity/DefaultSessionClaimsFilterTests.cs
index 1303be50b..a16149588 100644
--- a/identity-server/test/IdentityServer.UnitTests/AspNetIdentity/DefaultSessionClaimsFilterTests.cs
+++ b/identity-server/test/IdentityServer.UnitTests/AspNetIdentity/DefaultSessionClaimsFilterTests.cs
@@ -22,7 +22,8 @@ public class DefaultSessionClaimsFilterTests
             new Claim(ClaimTypes.Name, "bob")
         };
         var currentPrincipal = new ClaimsPrincipal(new ClaimsIdentity(claims));
-        var newPrincipal = new ClaimsPrincipal(new ClaimsIdentity([new Claim("custom", "value"), new Claim(ClaimTypes.Name, "bob")]));
+        Claim[] newClaims = [new Claim("custom", "value"), new Claim(ClaimTypes.Name, "bob")];
+        var newPrincipal = new ClaimsPrincipal(new ClaimsIdentity(newClaims));
         var filter = new DefaultSessionClaimsFilter();
         var context = new SecurityStampRefreshingPrincipalContext() { NewPrincipal = newPrincipal, CurrentPrincipal = currentPrincipal };
 
@@ -35,6 +36,9 @@ public class DefaultSessionClaimsFilterTests
         resultTypes.ShouldContain(JwtClaimTypes.AuthenticationTime);
         resultTypes.ShouldNotContain("custom");
         resultTypes.ShouldNotContain(ClaimTypes.Name);
+
+        currentPrincipal.Claims.Count().ShouldBe(claims.Length);
+        newPrincipal.Claims.Count().ShouldBe(newClaims.Length);
     }
 
     [Fact]
@@ -60,6 +64,8 @@ public class DefaultSessionClaimsFilterTests
             JwtClaimTypes.AuthenticationTime
         ];
         result.ShouldAllBe(c => expectClaimTypes.Contains(c.Type));
+        currentPrincipal.Claims.Count().ShouldBe(claims.Length);
+        newPrincipal.Claims.Count().ShouldBe(0);
     }
 
     [Fact]
@@ -78,6 +84,8 @@ public class DefaultSessionClaimsFilterTests
         var result = await filter.FilterToSessionClaimsAsync(context);
 
         result.ShouldBeEmpty();
+        currentPrincipal.Claims.Count().ShouldBe(claims.Length);
+        newPrincipal.Claims.Count().ShouldBe(claims.Length);
     }
 
     [Fact]
@@ -91,5 +99,7 @@ public class DefaultSessionClaimsFilterTests
         var result = await filter.FilterToSessionClaimsAsync(context);
 
         result.ShouldBeEmpty();
+        currentPrincipal.Claims.Count().ShouldBe(0);
+        newPrincipal.Claims.Count().ShouldBe(0);
     }
 }