From 049c4fd246330f8b7aefeb6e162355b66e9470a0 Mon Sep 17 00:00:00 2001
From: Jean-Marc Prieur
Date: Wed, 23 Mar 2022 19:25:09 -0700
Subject: [PATCH 01/13] Adding generation of accessors for claims independently of AAD token version of the token See #1800
---
.../ClaimTypeAccessor.gen.cs | 3155 +++++++++++++++++
.../ClaimTypeAccessor.tt | 216 ++
.../ClaimTypeMapping.cs | 152 +-
.../ClaimTypeMapping.tt | 115 +
.../ClaimsKnowledge.tti | 141 +
.../ClaimsTypeAccessor.cs | 163 +
.../System.IdentityModel.Tokens.Jwt.csproj | 31 +
7 files changed, 3899 insertions(+), 74 deletions(-)
create mode 100644 src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs
create mode 100644 src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.tt
create mode 100644 src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.tt
create mode 100644 src/System.IdentityModel.Tokens.Jwt/ClaimsKnowledge.tti
create mode 100644 src/System.IdentityModel.Tokens.Jwt/ClaimsTypeAccessor.cs
diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs
new file mode 100644
index 0000000000..3a32b21f8a
--- /dev/null
+++ b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs
@@ -0,0 +1,3155 @@ +//------------------------------------------------------------------------------ +// +// Copyright (c) Microsoft Corporation. +// All rights reserved. +// +// This code is licensed under the MIT License. +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files(the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions : +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. +// +//------------------------------------------------------------------------------ + +// THIS FILE IS AUTOMATICALLY GENERATED FROM ClaimsTypeAccessor.tt USING T4 +// DON'T UPDATE MANUALLY + +using System.Collections.Generic; +using System.Security.Claims; + +namespace System.IdentityModel.Tokens.Jwt +{ + /// + /// Defines extension methods to access claims by purpose, and not by name, making it compatible + /// with several versions of tokens. 
+ /// + public static partial class ClaimPrincipalExtensions + { + /// + /// Returns the first claim corresponding to Actor claim on a ClaimsPrincipal + /// + /// JwtRegisteredClaimNames.Actort + /// ClaimTypes.Actor + /// + /// + /// Claims ClaimsPrincipal from which to get the Actor. + public static string GetActor(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + JwtRegisteredClaimNames.Actort, + ClaimTypes.Actor); + } + + /// + /// Returns the first claim corresponding to Actor claim on a ClaimsIdentity + /// + /// JwtRegisteredClaimNames.Actort + /// ClaimTypes.Actor + /// + /// + /// Claims ClaimsIdentity from which to get the Actor. + public static string GetActor(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + JwtRegisteredClaimNames.Actort, + ClaimTypes.Actor); + } + /// + /// Returns the first claim corresponding to IsGuest claim on a ClaimsPrincipal + /// + /// "acct" + /// + /// This method returns information that is safe to use for authorization. + /// + /// Claims ClaimsPrincipal from which to get the IsGuest. + public static string GetIsGuest(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "acct"); + } + + /// + /// Returns the first claim corresponding to IsGuest claim on a ClaimsIdentity + /// + /// "acct" + /// + /// This method returns information that is safe to use for authorization. + /// + /// Claims ClaimsIdentity from which to get the IsGuest. 
+ public static string GetIsGuest(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "acct"); + } + /// + /// Returns the first claim corresponding to LastAuthenticatedTime claim on a ClaimsPrincipal + /// + /// "auth_time" + /// + /// + /// Claims ClaimsPrincipal from which to get the LastAuthenticatedTime. + public static string GetLastAuthenticatedTime(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "auth_time"); + } + + /// + /// Returns the first claim corresponding to LastAuthenticatedTime claim on a ClaimsIdentity + /// + /// "auth_time" + /// + /// + /// Claims ClaimsIdentity from which to get the LastAuthenticatedTime. + public static string GetLastAuthenticatedTime(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "auth_time"); + } + /// + /// Returns the first claim corresponding to Birthdate claim on a ClaimsPrincipal + /// + /// JwtRegisteredClaimNames.Birthdate + /// ClaimTypes.DateOfBirth + /// + /// The privacy classification of the information returned is EUII. + /// + /// Claims ClaimsPrincipal from which to get the Birthdate. + public static string GetBirthdate(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + JwtRegisteredClaimNames.Birthdate, + ClaimTypes.DateOfBirth); + } + + /// + /// Returns the first claim corresponding to Birthdate claim on a ClaimsIdentity + /// + /// JwtRegisteredClaimNames.Birthdate + /// ClaimTypes.DateOfBirth + /// + /// The privacy classification of the information returned is EUII. 
+ /// + /// Claims ClaimsIdentity from which to get the Birthdate. + public static string GetBirthdate(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + JwtRegisteredClaimNames.Birthdate, + ClaimTypes.DateOfBirth); + } + /// + /// Returns the first claim corresponding to Country claim on a ClaimsPrincipal + /// + /// "ctry" + /// + /// The privacy classification of the information returned is EUII. + /// + /// Claims ClaimsPrincipal from which to get the Country. + public static string GetCountry(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "ctry"); + } + + /// + /// Returns the first claim corresponding to Country claim on a ClaimsIdentity + /// + /// "ctry" + /// + /// The privacy classification of the information returned is EUII. + /// + /// Claims ClaimsIdentity from which to get the Country. + public static string GetCountry(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "ctry"); + } + /// + /// Returns the first claim corresponding to Email claim on a ClaimsPrincipal + /// + /// JwtRegisteredClaimNames.Email + /// ClaimTypes.Email + /// + /// The privacy classification of the information returned is EUII. + /// + /// Claims ClaimsPrincipal from which to get the Email. 
+ public static string GetEmail(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + JwtRegisteredClaimNames.Email, + ClaimTypes.Email); + } + + /// + /// Returns the first claim corresponding to Email claim on a ClaimsIdentity + /// + /// JwtRegisteredClaimNames.Email + /// ClaimTypes.Email + /// + /// The privacy classification of the information returned is EUII. + /// + /// Claims ClaimsIdentity from which to get the Email. + public static string GetEmail(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + JwtRegisteredClaimNames.Email, + ClaimTypes.Email); + } + /// + /// Returns the first claim corresponding to FamilyName claim on a ClaimsPrincipal + /// + /// JwtRegisteredClaimNames.FamilyName + /// ClaimTypes.Surname + /// + /// The privacy classification of the information returned is EUII. + /// + /// Claims ClaimsPrincipal from which to get the FamilyName. + public static string GetFamilyName(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + JwtRegisteredClaimNames.FamilyName, + ClaimTypes.Surname); + } + + /// + /// Returns the first claim corresponding to FamilyName claim on a ClaimsIdentity + /// + /// JwtRegisteredClaimNames.FamilyName + /// ClaimTypes.Surname + /// + /// The privacy classification of the information returned is EUII. + /// + /// Claims ClaimsIdentity from which to get the FamilyName. 
+ public static string GetFamilyName(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + JwtRegisteredClaimNames.FamilyName, + ClaimTypes.Surname); + } + /// + /// Returns the first claim corresponding to Gender claim on a ClaimsPrincipal + /// + /// JwtRegisteredClaimNames.Gender + /// ClaimTypes.Gender + /// + /// The privacy classification of the information returned is EUII. + /// + /// Claims ClaimsPrincipal from which to get the Gender. + public static string GetGender(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + JwtRegisteredClaimNames.Gender, + ClaimTypes.Gender); + } + + /// + /// Returns the first claim corresponding to Gender claim on a ClaimsIdentity + /// + /// JwtRegisteredClaimNames.Gender + /// ClaimTypes.Gender + /// + /// The privacy classification of the information returned is EUII. + /// + /// Claims ClaimsIdentity from which to get the Gender. + public static string GetGender(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + JwtRegisteredClaimNames.Gender, + ClaimTypes.Gender); + } + /// + /// Returns the first claim corresponding to GivenName claim on a ClaimsPrincipal + /// + /// JwtRegisteredClaimNames.GivenName + /// ClaimTypes.GivenName + /// + /// The privacy classification of the information returned is EUII. + /// + /// Claims ClaimsPrincipal from which to get the GivenName. 
+ public static string GetGivenName(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + JwtRegisteredClaimNames.GivenName, + ClaimTypes.GivenName); + } + + /// + /// Returns the first claim corresponding to GivenName claim on a ClaimsIdentity + /// + /// JwtRegisteredClaimNames.GivenName + /// ClaimTypes.GivenName + /// + /// The privacy classification of the information returned is EUII. + /// + /// Claims ClaimsIdentity from which to get the GivenName. + public static string GetGivenName(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + JwtRegisteredClaimNames.GivenName, + ClaimTypes.GivenName); + } + /// + /// Returns the first claim corresponding to Nameid claim on a ClaimsPrincipal + /// + /// JwtRegisteredClaimNames.NameId + /// ClaimTypes.NameIdentifier + /// + /// + /// Claims ClaimsPrincipal from which to get the Nameid. + public static string GetNameid(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + JwtRegisteredClaimNames.NameId, + ClaimTypes.NameIdentifier); + } + + /// + /// Returns the first claim corresponding to Nameid claim on a ClaimsIdentity + /// + /// JwtRegisteredClaimNames.NameId + /// ClaimTypes.NameIdentifier + /// + /// + /// Claims ClaimsIdentity from which to get the Nameid. 
+ public static string GetNameid(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + JwtRegisteredClaimNames.NameId, + ClaimTypes.NameIdentifier); + } + /// + /// Returns the first claim corresponding to Sub claim on a ClaimsPrincipal + /// + /// JwtRegisteredClaimNames.Sub + /// ClaimTypes.NameIdentifier + /// + /// + /// Claims ClaimsPrincipal from which to get the Sub. + public static string GetSub(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + JwtRegisteredClaimNames.Sub, + ClaimTypes.NameIdentifier); + } + + /// + /// Returns the first claim corresponding to Sub claim on a ClaimsIdentity + /// + /// JwtRegisteredClaimNames.Sub + /// ClaimTypes.NameIdentifier + /// + /// + /// Claims ClaimsIdentity from which to get the Sub. + public static string GetSub(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + JwtRegisteredClaimNames.Sub, + ClaimTypes.NameIdentifier); + } + /// + /// Returns the first claim corresponding to Website claim on a ClaimsPrincipal + /// + /// JwtRegisteredClaimNames.Website + /// ClaimTypes.Webpage + /// + /// + /// Claims ClaimsPrincipal from which to get the Website. 
+ public static string GetWebsite(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + JwtRegisteredClaimNames.Website, + ClaimTypes.Webpage); + } + + /// + /// Returns the first claim corresponding to Website claim on a ClaimsIdentity + /// + /// JwtRegisteredClaimNames.Website + /// ClaimTypes.Webpage + /// + /// + /// Claims ClaimsIdentity from which to get the Website. + public static string GetWebsite(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + JwtRegisteredClaimNames.Website, + ClaimTypes.Webpage); + } + /// + /// Returns the first claim corresponding to UniqueName claim on a ClaimsPrincipal + /// + /// JwtRegisteredClaimNames.UniqueName + /// ClaimTypes.Name + /// + /// + /// Claims ClaimsPrincipal from which to get the UniqueName. + public static string GetUniqueName(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + JwtRegisteredClaimNames.UniqueName, + ClaimTypes.Name); + } + + /// + /// Returns the first claim corresponding to UniqueName claim on a ClaimsIdentity + /// + /// JwtRegisteredClaimNames.UniqueName + /// ClaimTypes.Name + /// + /// + /// Claims ClaimsIdentity from which to get the UniqueName. 
+ public static string GetUniqueName(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + JwtRegisteredClaimNames.UniqueName, + ClaimTypes.Name); + } + /// + /// Returns the first claim corresponding to ObjectId claim on a ClaimsPrincipal + /// + /// "oid" + /// "http://schemas.microsoft.com/identity/claims/objectidentifier" + /// + /// This method returns information that is safe to use for authorization. + /// The privacy classification of the information returned is EUPI. + /// + /// Claims ClaimsPrincipal from which to get the ObjectId. + public static string GetObjectId(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "oid", + "http://schemas.microsoft.com/identity/claims/objectidentifier"); + } + + /// + /// Returns the first claim corresponding to ObjectId claim on a ClaimsIdentity + /// + /// "oid" + /// "http://schemas.microsoft.com/identity/claims/objectidentifier" + /// + /// This method returns information that is safe to use for authorization. + /// The privacy classification of the information returned is EUPI. + /// + /// Claims ClaimsIdentity from which to get the ObjectId. + public static string GetObjectId(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "oid", + "http://schemas.microsoft.com/identity/claims/objectidentifier"); + } + /// + /// Returns all the claims corresponding to Scopes on a ClaimsPrincipal: + /// + /// "scp" + /// "http://schemas.microsoft.com/identity/claims/scope" + /// + /// This method returns information that is safe to use for authorization. + /// + /// Claims principal from which to get the Scopes. 
+ public static IEnumerable GetScopes(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetAllClaimValues( + "scp", + "http://schemas.microsoft.com/identity/claims/scope"); + } + + /// + /// Returns all the claims corresponding to Scopes on a ClaimsPrincipal: + /// + /// "scp" + /// "http://schemas.microsoft.com/identity/claims/scope" + /// + /// This method returns information that is safe to use for authorization. + /// + /// Claims ClaimsIdentity from which to get the Scopes. + public static IEnumerable GetScopes(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetAllClaimValues( + "scp", + "http://schemas.microsoft.com/identity/claims/scope"); + } + + /// + /// Returns the first claim corresponding to TenantId claim on a ClaimsPrincipal + /// + /// "tid" + /// "http://schemas.microsoft.com/identity/claims/tenantid" + /// + /// This method returns information that is safe to use for authorization. + /// The privacy classification of the information returned is OII. + /// + /// Claims ClaimsPrincipal from which to get the TenantId. + public static string GetTenantId(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "tid", + "http://schemas.microsoft.com/identity/claims/tenantid"); + } + + /// + /// Returns the first claim corresponding to TenantId claim on a ClaimsIdentity + /// + /// "tid" + /// "http://schemas.microsoft.com/identity/claims/tenantid" + /// + /// This method returns information that is safe to use for authorization. + /// The privacy classification of the information returned is OII. + /// + /// Claims ClaimsIdentity from which to get the TenantId. 
+ public static string GetTenantId(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "tid", + "http://schemas.microsoft.com/identity/claims/tenantid"); + } + /// + /// Returns the first claim corresponding to Acr claim on a ClaimsPrincipal + /// + /// "acr" + /// "http://schemas.microsoft.com/claims/authnclassreference" + /// + /// + /// Claims ClaimsPrincipal from which to get the Acr. + public static string GetAcr(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "acr", + "http://schemas.microsoft.com/claims/authnclassreference"); + } + + /// + /// Returns the first claim corresponding to Acr claim on a ClaimsIdentity + /// + /// "acr" + /// "http://schemas.microsoft.com/claims/authnclassreference" + /// + /// + /// Claims ClaimsIdentity from which to get the Acr. + public static string GetAcr(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "acr", + "http://schemas.microsoft.com/claims/authnclassreference"); + } + /// + /// Returns the first claim corresponding to Adfs1Email claim on a ClaimsPrincipal + /// + /// "adfs1email" + /// "http://schemas.xmlsoap.org/claims/EmailAddress" + /// + /// The privacy classification of the information returned is EUPI. + /// + /// Claims ClaimsPrincipal from which to get the Adfs1Email. 
+ public static string GetAdfs1Email(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "adfs1email", + "http://schemas.xmlsoap.org/claims/EmailAddress"); + } + + /// + /// Returns the first claim corresponding to Adfs1Email claim on a ClaimsIdentity + /// + /// "adfs1email" + /// "http://schemas.xmlsoap.org/claims/EmailAddress" + /// + /// The privacy classification of the information returned is EUPI. + /// + /// Claims ClaimsIdentity from which to get the Adfs1Email. + public static string GetAdfs1Email(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "adfs1email", + "http://schemas.xmlsoap.org/claims/EmailAddress"); + } + /// + /// Returns the first claim corresponding to Adfs1Upn claim on a ClaimsPrincipal + /// + /// "adfs1upn" + /// "http://schemas.xmlsoap.org/claims/UPN" + /// + /// The privacy classification of the information returned is EUPI. + /// + /// Claims ClaimsPrincipal from which to get the Adfs1Upn. + public static string GetAdfs1Upn(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "adfs1upn", + "http://schemas.xmlsoap.org/claims/UPN"); + } + + /// + /// Returns the first claim corresponding to Adfs1Upn claim on a ClaimsIdentity + /// + /// "adfs1upn" + /// "http://schemas.xmlsoap.org/claims/UPN" + /// + /// The privacy classification of the information returned is EUPI. + /// + /// Claims ClaimsIdentity from which to get the Adfs1Upn. 
+ public static string GetAdfs1Upn(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "adfs1upn", + "http://schemas.xmlsoap.org/claims/UPN"); + } + /// + /// Returns the first claim corresponding to Amr claim on a ClaimsPrincipal + /// + /// "amr" + /// "http://schemas.microsoft.com/claims/authnmethodsreferences" + /// + /// + /// Claims ClaimsPrincipal from which to get the Amr. + public static string GetAmr(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "amr", + "http://schemas.microsoft.com/claims/authnmethodsreferences"); + } + + /// + /// Returns the first claim corresponding to Amr claim on a ClaimsIdentity + /// + /// "amr" + /// "http://schemas.microsoft.com/claims/authnmethodsreferences" + /// + /// + /// Claims ClaimsIdentity from which to get the Amr. + public static string GetAmr(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "amr", + "http://schemas.microsoft.com/claims/authnmethodsreferences"); + } + /// + /// Returns the first claim corresponding to AuthMethod claim on a ClaimsPrincipal + /// + /// "authmethod" + /// ClaimTypes.AuthenticationMethod + /// + /// + /// Claims ClaimsPrincipal from which to get the AuthMethod. 
+ public static string GetAuthMethod(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "authmethod", + ClaimTypes.AuthenticationMethod); + } + + /// + /// Returns the first claim corresponding to AuthMethod claim on a ClaimsIdentity + /// + /// "authmethod" + /// ClaimTypes.AuthenticationMethod + /// + /// + /// Claims ClaimsIdentity from which to get the AuthMethod. + public static string GetAuthMethod(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "authmethod", + ClaimTypes.AuthenticationMethod); + } + /// + /// Returns the first claim corresponding to CertAppPolicy claim on a ClaimsPrincipal + /// + /// "certapppolicy" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy" + /// + /// + /// Claims ClaimsPrincipal from which to get the CertAppPolicy. + public static string GetCertAppPolicy(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "certapppolicy", + "http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy"); + } + + /// + /// Returns the first claim corresponding to CertAppPolicy claim on a ClaimsIdentity + /// + /// "certapppolicy" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy" + /// + /// + /// Claims ClaimsIdentity from which to get the CertAppPolicy. 
+ public static string GetCertAppPolicy(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "certapppolicy", + "http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy"); + } + /// + /// Returns the first claim corresponding to CertAuthorityKeyIdentifier claim on a ClaimsPrincipal + /// + /// "certauthoritykeyidentifier" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier" + /// + /// + /// Claims ClaimsPrincipal from which to get the CertAuthorityKeyIdentifier. + public static string GetCertAuthorityKeyIdentifier(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "certauthoritykeyidentifier", + "http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier"); + } + + /// + /// Returns the first claim corresponding to CertAuthorityKeyIdentifier claim on a ClaimsIdentity + /// + /// "certauthoritykeyidentifier" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier" + /// + /// + /// Claims ClaimsIdentity from which to get the CertAuthorityKeyIdentifier. 
+ public static string GetCertAuthorityKeyIdentifier(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "certauthoritykeyidentifier", + "http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier"); + } + /// + /// Returns the first claim corresponding to CertBasicVonstraints claim on a ClaimsPrincipal + /// + /// "certbasicconstraints" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints" + /// + /// + /// Claims ClaimsPrincipal from which to get the CertBasicVonstraints. + public static string GetCertBasicVonstraints(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "certbasicconstraints", + "http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints"); + } + + /// + /// Returns the first claim corresponding to CertBasicVonstraints claim on a ClaimsIdentity + /// + /// "certbasicconstraints" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints" + /// + /// + /// Claims ClaimsIdentity from which to get the CertBasicVonstraints. + public static string GetCertBasicVonstraints(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "certbasicconstraints", + "http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints"); + } + /// + /// Returns the first claim corresponding to CertEku claim on a ClaimsPrincipal + /// + /// "certeku" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku" + /// + /// + /// Claims ClaimsPrincipal from which to get the CertEku. 
+ public static string GetCertEku(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "certeku", + "http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku"); + } + + /// + /// Returns the first claim corresponding to CertEku claim on a ClaimsIdentity + /// + /// "certeku" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku" + /// + /// + /// Claims ClaimsIdentity from which to get the CertEku. + public static string GetCertEku(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "certeku", + "http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku"); + } + /// + /// Returns the first claim corresponding to CertIssuer claim on a ClaimsPrincipal + /// + /// "certissuer" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer" + /// + /// + /// Claims ClaimsPrincipal from which to get the CertIssuer. + public static string GetCertIssuer(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "certissuer", + "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer"); + } + + /// + /// Returns the first claim corresponding to CertIssuer claim on a ClaimsIdentity + /// + /// "certissuer" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer" + /// + /// + /// Claims ClaimsIdentity from which to get the CertIssuer. 
+ public static string GetCertIssuer(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "certissuer", + "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer"); + } + /// + /// Returns the first claim corresponding to CertIssuerName claim on a ClaimsPrincipal + /// + /// "certissuername" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername" + /// + /// + /// Claims ClaimsPrincipal from which to get the CertIssuerName. + public static string GetCertIssuerName(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "certissuername", + "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername"); + } + + /// + /// Returns the first claim corresponding to CertIssuerName claim on a ClaimsIdentity + /// + /// "certissuername" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername" + /// + /// + /// Claims ClaimsIdentity from which to get the CertIssuerName. + public static string GetCertIssuerName(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "certissuername", + "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername"); + } + /// + /// Returns the first claim corresponding to CertKeyUsage claim on a ClaimsPrincipal + /// + /// "certkeyusage" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage" + /// + /// + /// Claims ClaimsPrincipal from which to get the CertKeyUsage. 
+ public static string GetCertKeyUsage(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "certkeyusage", + "http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage"); + } + + /// + /// Returns the first claim corresponding to CertKeyUsage claim on a ClaimsIdentity + /// + /// "certkeyusage" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage" + /// + /// + /// Claims ClaimsIdentity from which to get the CertKeyUsage. + public static string GetCertKeyUsage(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "certkeyusage", + "http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage"); + } + /// + /// Returns the first claim corresponding to CertNotAfter claim on a ClaimsPrincipal + /// + /// "certnotafter" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter" + /// + /// + /// Claims ClaimsPrincipal from which to get the CertNotAfter. + public static string GetCertNotAfter(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "certnotafter", + "http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter"); + } + + /// + /// Returns the first claim corresponding to CertNotAfter claim on a ClaimsIdentity + /// + /// "certnotafter" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter" + /// + /// + /// Claims ClaimsIdentity from which to get the CertNotAfter. 
+ public static string GetCertNotAfter(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "certnotafter", + "http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter"); + } + /// + /// Returns the first claim corresponding to CertNotBefore claim on a ClaimsPrincipal + /// + /// "certnotbefore" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore" + /// + /// + /// Claims ClaimsPrincipal from which to get the CertNotBefore. + public static string GetCertNotBefore(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "certnotbefore", + "http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore"); + } + + /// + /// Returns the first claim corresponding to CertNotBefore claim on a ClaimsIdentity + /// + /// "certnotbefore" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore" + /// + /// + /// Claims ClaimsIdentity from which to get the CertNotBefore. + public static string GetCertNotBefore(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "certnotbefore", + "http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore"); + } + /// + /// Returns the first claim corresponding to CertPolicy claim on a ClaimsPrincipal + /// + /// "certpolicy" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy" + /// + /// + /// Claims ClaimsPrincipal from which to get the CertPolicy. 
+ public static string GetCertPolicy(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "certpolicy", + "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy"); + } + + /// + /// Returns the first claim corresponding to CertPolicy claim on a ClaimsIdentity + /// + /// "certpolicy" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy" + /// + /// + /// Claims ClaimsIdentity from which to get the CertPolicy. + public static string GetCertPolicy(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "certpolicy", + "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy"); + } + /// + /// Returns the first claim corresponding to CertPublickey claim on a ClaimsPrincipal + /// + /// "certpublickey" + /// ClaimTypes.Rsa + /// + /// + /// Claims ClaimsPrincipal from which to get the CertPublickey. + public static string GetCertPublickey(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "certpublickey", + ClaimTypes.Rsa); + } + + /// + /// Returns the first claim corresponding to CertPublickey claim on a ClaimsIdentity + /// + /// "certpublickey" + /// ClaimTypes.Rsa + /// + /// + /// Claims ClaimsIdentity from which to get the CertPublickey. 
+ public static string GetCertPublickey(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "certpublickey", + ClaimTypes.Rsa); + } + /// + /// Returns the first claim corresponding to CertRawData claim on a ClaimsPrincipal + /// + /// "certrawdata" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata" + /// + /// + /// Claims ClaimsPrincipal from which to get the CertRawData. + public static string GetCertRawData(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "certrawdata", + "http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata"); + } + + /// + /// Returns the first claim corresponding to CertRawData claim on a ClaimsIdentity + /// + /// "certrawdata" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata" + /// + /// + /// Claims ClaimsIdentity from which to get the CertRawData. + public static string GetCertRawData(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "certrawdata", + "http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata"); + } + /// + /// Returns the first claim corresponding to CertSerialNumber claim on a ClaimsPrincipal + /// + /// "certserialnumber" + /// ClaimTypes.SerialNumber + /// + /// + /// Claims ClaimsPrincipal from which to get the CertSerialNumber. 
+ public static string GetCertSerialNumber(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "certserialnumber", + ClaimTypes.SerialNumber); + } + + /// + /// Returns the first claim corresponding to CertSerialNumber claim on a ClaimsIdentity + /// + /// "certserialnumber" + /// ClaimTypes.SerialNumber + /// + /// + /// Claims ClaimsIdentity from which to get the CertSerialNumber. + public static string GetCertSerialNumber(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "certserialnumber", + ClaimTypes.SerialNumber); + } + /// + /// Returns the first claim corresponding to CertSignatureAlgorithm claim on a ClaimsPrincipal + /// + /// "certsignaturealgorithm" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm" + /// + /// + /// Claims ClaimsPrincipal from which to get the CertSignatureAlgorithm. + public static string GetCertSignatureAlgorithm(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "certsignaturealgorithm", + "http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm"); + } + + /// + /// Returns the first claim corresponding to CertSignatureAlgorithm claim on a ClaimsIdentity + /// + /// "certsignaturealgorithm" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm" + /// + /// + /// Claims ClaimsIdentity from which to get the CertSignatureAlgorithm. 
+ public static string GetCertSignatureAlgorithm(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "certsignaturealgorithm", + "http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm"); + } + /// + /// Returns the first claim corresponding to CertSubject claim on a ClaimsPrincipal + /// + /// "certsubject" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/subject" + /// + /// + /// Claims ClaimsPrincipal from which to get the CertSubject. + public static string GetCertSubject(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "certsubject", + "http://schemas.microsoft.com/2012/12/certificatecontext/field/subject"); + } + + /// + /// Returns the first claim corresponding to CertSubject claim on a ClaimsIdentity + /// + /// "certsubject" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/subject" + /// + /// + /// Claims ClaimsIdentity from which to get the CertSubject. + public static string GetCertSubject(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "certsubject", + "http://schemas.microsoft.com/2012/12/certificatecontext/field/subject"); + } + /// + /// Returns the first claim corresponding to CertSubjectAltName claim on a ClaimsPrincipal + /// + /// "certsubjectaltname" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/san" + /// + /// + /// Claims ClaimsPrincipal from which to get the CertSubjectAltName. 
+ public static string GetCertSubjectAltName(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "certsubjectaltname", + "http://schemas.microsoft.com/2012/12/certificatecontext/extension/san"); + } + + /// + /// Returns the first claim corresponding to CertSubjectAltName claim on a ClaimsIdentity + /// + /// "certsubjectaltname" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/san" + /// + /// + /// Claims ClaimsIdentity from which to get the CertSubjectAltName. + public static string GetCertSubjectAltName(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "certsubjectaltname", + "http://schemas.microsoft.com/2012/12/certificatecontext/extension/san"); + } + /// + /// Returns the first claim corresponding to CertSubjectKeyIdentifier claim on a ClaimsPrincipal + /// + /// "certsubjectkeyidentifier" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier" + /// + /// + /// Claims ClaimsPrincipal from which to get the CertSubjectKeyIdentifier. + public static string GetCertSubjectKeyIdentifier(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "certsubjectkeyidentifier", + "http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier"); + } + + /// + /// Returns the first claim corresponding to CertSubjectKeyIdentifier claim on a ClaimsIdentity + /// + /// "certsubjectkeyidentifier" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier" + /// + /// + /// Claims ClaimsIdentity from which to get the CertSubjectKeyIdentifier. 
+ public static string GetCertSubjectKeyIdentifier(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "certsubjectkeyidentifier", + "http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier"); + } + /// + /// Returns the first claim corresponding to CertSubjectName claim on a ClaimsPrincipal + /// + /// "certsubjectname" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname" + /// + /// + /// Claims ClaimsPrincipal from which to get the CertSubjectName. + public static string GetCertSubjectName(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "certsubjectname", + "http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname"); + } + + /// + /// Returns the first claim corresponding to CertSubjectName claim on a ClaimsIdentity + /// + /// "certsubjectname" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname" + /// + /// + /// Claims ClaimsIdentity from which to get the CertSubjectName. + public static string GetCertSubjectName(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "certsubjectname", + "http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname"); + } + /// + /// Returns the first claim corresponding to CertTemplateInformation claim on a ClaimsPrincipal + /// + /// "certtemplateinformation" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation" + /// + /// + /// Claims ClaimsPrincipal from which to get the CertTemplateInformation. 
+ public static string GetCertTemplateInformation(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "certtemplateinformation", + "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation"); + } + + /// + /// Returns the first claim corresponding to CertTemplateInformation claim on a ClaimsIdentity + /// + /// "certtemplateinformation" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation" + /// + /// + /// Claims ClaimsIdentity from which to get the CertTemplateInformation. + public static string GetCertTemplateInformation(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "certtemplateinformation", + "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation"); + } + /// + /// Returns the first claim corresponding to CertTemplateName claim on a ClaimsPrincipal + /// + /// "certtemplatename" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename" + /// + /// + /// Claims ClaimsPrincipal from which to get the CertTemplateName. 
+ public static string GetCertTemplateName(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "certtemplatename", + "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename"); + } + + /// + /// Returns the first claim corresponding to CertTemplateName claim on a ClaimsIdentity + /// + /// "certtemplatename" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename" + /// + /// + /// Claims ClaimsIdentity from which to get the CertTemplateName. + public static string GetCertTemplateName(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "certtemplatename", + "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename"); + } + /// + /// Returns the first claim corresponding to CertThumbprint claim on a ClaimsPrincipal + /// + /// "certthumbprint" + /// ClaimTypes.Thumbprint + /// + /// + /// Claims ClaimsPrincipal from which to get the CertThumbprint. + public static string GetCertThumbprint(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "certthumbprint", + ClaimTypes.Thumbprint); + } + + /// + /// Returns the first claim corresponding to CertThumbprint claim on a ClaimsIdentity + /// + /// "certthumbprint" + /// ClaimTypes.Thumbprint + /// + /// + /// Claims ClaimsIdentity from which to get the CertThumbprint. 
+ public static string GetCertThumbprint(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "certthumbprint", + ClaimTypes.Thumbprint); + } + /// + /// Returns the first claim corresponding to CertX509Version claim on a ClaimsPrincipal + /// + /// "certx509version" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version" + /// + /// + /// Claims ClaimsPrincipal from which to get the CertX509Version. + public static string GetCertX509Version(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "certx509version", + "http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version"); + } + + /// + /// Returns the first claim corresponding to CertX509Version claim on a ClaimsIdentity + /// + /// "certx509version" + /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version" + /// + /// + /// Claims ClaimsIdentity from which to get the CertX509Version. + public static string GetCertX509Version(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "certx509version", + "http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version"); + } + /// + /// Returns the first claim corresponding to ClientApplication claim on a ClaimsPrincipal + /// + /// "clientapplication" + /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application" + /// + /// This method returns information that is safe to use for authorization. + /// + /// Claims ClaimsPrincipal from which to get the ClientApplication. 
+ public static string GetClientApplication(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "clientapplication", + "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"); + } + + /// + /// Returns the first claim corresponding to ClientApplication claim on a ClaimsIdentity + /// + /// "clientapplication" + /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application" + /// + /// This method returns information that is safe to use for authorization. + /// + /// Claims ClaimsIdentity from which to get the ClientApplication. + public static string GetClientApplication(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "clientapplication", + "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"); + } + /// + /// Returns the first claim corresponding to ClientIp claim on a ClaimsPrincipal + /// + /// "clientip" + /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip" + /// + /// The privacy classification of the information returned is EUPI. + /// + /// Claims ClaimsPrincipal from which to get the ClientIp. + public static string GetClientIp(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "clientip", + "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip"); + } + + /// + /// Returns the first claim corresponding to ClientIp claim on a ClaimsIdentity + /// + /// "clientip" + /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip" + /// + /// The privacy classification of the information returned is EUPI. 
+ /// + /// Claims ClaimsIdentity from which to get the ClientIp. + public static string GetClientIp(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "clientip", + "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip"); + } + /// + /// Returns the first claim corresponding to ClientUserAgent claim on a ClaimsPrincipal + /// + /// "clientuseragent" + /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent" + /// + /// + /// Claims ClaimsPrincipal from which to get the ClientUserAgent. + public static string GetClientUserAgent(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "clientuseragent", + "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent"); + } + + /// + /// Returns the first claim corresponding to ClientUserAgent claim on a ClaimsIdentity + /// + /// "clientuseragent" + /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent" + /// + /// + /// Claims ClaimsIdentity from which to get the ClientUserAgent. + public static string GetClientUserAgent(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "clientuseragent", + "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent"); + } + /// + /// Returns the first claim corresponding to CommonName claim on a ClaimsPrincipal + /// + /// "commonname" + /// "http://schemas.xmlsoap.org/claims/CommonName" + /// + /// The privacy classification of the information returned is EUPI. + /// + /// Claims ClaimsPrincipal from which to get the CommonName. 
+ public static string GetCommonName(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "commonname", + "http://schemas.xmlsoap.org/claims/CommonName"); + } + + /// + /// Returns the first claim corresponding to CommonName claim on a ClaimsIdentity + /// + /// "commonname" + /// "http://schemas.xmlsoap.org/claims/CommonName" + /// + /// The privacy classification of the information returned is EUPI. + /// + /// Claims ClaimsIdentity from which to get the CommonName. + public static string GetCommonName(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "commonname", + "http://schemas.xmlsoap.org/claims/CommonName"); + } + /// + /// Returns the first claim corresponding to DenyOnlyPrimaryGroupSid claim on a ClaimsPrincipal + /// + /// "denyonlyprimarygroupsid" + /// ClaimTypes.DenyOnlyPrimaryGroupSid + /// + /// + /// Claims ClaimsPrincipal from which to get the DenyOnlyPrimaryGroupSid. + public static string GetDenyOnlyPrimaryGroupSid(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "denyonlyprimarygroupsid", + ClaimTypes.DenyOnlyPrimaryGroupSid); + } + + /// + /// Returns the first claim corresponding to DenyOnlyPrimaryGroupSid claim on a ClaimsIdentity + /// + /// "denyonlyprimarygroupsid" + /// ClaimTypes.DenyOnlyPrimaryGroupSid + /// + /// + /// Claims ClaimsIdentity from which to get the DenyOnlyPrimaryGroupSid. 
+ public static string GetDenyOnlyPrimaryGroupSid(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "denyonlyprimarygroupsid", + ClaimTypes.DenyOnlyPrimaryGroupSid); + } + /// + /// Returns the first claim corresponding to DenyOnlyPrimarySid claim on a ClaimsPrincipal + /// + /// "denyonlyprimarysid" + /// ClaimTypes.DenyOnlyPrimarySid + /// + /// + /// Claims ClaimsPrincipal from which to get the DenyOnlyPrimarySid. + public static string GetDenyOnlyPrimarySid(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "denyonlyprimarysid", + ClaimTypes.DenyOnlyPrimarySid); + } + + /// + /// Returns the first claim corresponding to DenyOnlyPrimarySid claim on a ClaimsIdentity + /// + /// "denyonlyprimarysid" + /// ClaimTypes.DenyOnlyPrimarySid + /// + /// + /// Claims ClaimsIdentity from which to get the DenyOnlyPrimarySid. + public static string GetDenyOnlyPrimarySid(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "denyonlyprimarysid", + ClaimTypes.DenyOnlyPrimarySid); + } + /// + /// Returns the first claim corresponding to DenyOnlySid claim on a ClaimsPrincipal + /// + /// "denyonlysid" + /// ClaimTypes.DenyOnlySid + /// + /// + /// Claims ClaimsPrincipal from which to get the DenyOnlySid. 
+ public static string GetDenyOnlySid(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "denyonlysid", + ClaimTypes.DenyOnlySid); + } + + /// + /// Returns the first claim corresponding to DenyOnlySid claim on a ClaimsIdentity + /// + /// "denyonlysid" + /// ClaimTypes.DenyOnlySid + /// + /// + /// Claims ClaimsIdentity from which to get the DenyOnlySid. + public static string GetDenyOnlySid(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "denyonlysid", + ClaimTypes.DenyOnlySid); + } + /// + /// Returns the first claim corresponding to DevicedIspName claim on a ClaimsPrincipal + /// + /// "devicedispname" + /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname" + /// + /// + /// Claims ClaimsPrincipal from which to get the DevicedIspName. + public static string GetDevicedIspName(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "devicedispname", + "http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname"); + } + + /// + /// Returns the first claim corresponding to DevicedIspName claim on a ClaimsIdentity + /// + /// "devicedispname" + /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname" + /// + /// + /// Claims ClaimsIdentity from which to get the DevicedIspName. 
+ public static string GetDevicedIspName(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "devicedispname", + "http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname"); + } + /// + /// Returns the first claim corresponding to DeviceId claim on a ClaimsPrincipal + /// + /// "deviceid" + /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier" + /// + /// + /// Claims ClaimsPrincipal from which to get the DeviceId. + public static string GetDeviceId(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "deviceid", + "http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier"); + } + + /// + /// Returns the first claim corresponding to DeviceId claim on a ClaimsIdentity + /// + /// "deviceid" + /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier" + /// + /// + /// Claims ClaimsIdentity from which to get the DeviceId. + public static string GetDeviceId(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "deviceid", + "http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier"); + } + /// + /// Returns the first claim corresponding to DeviceIsManaged claim on a ClaimsPrincipal + /// + /// "deviceismanaged" + /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged" + /// + /// + /// Claims ClaimsPrincipal from which to get the DeviceIsManaged. 
+ public static string GetDeviceIsManaged(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "deviceismanaged", + "http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged"); + } + + /// + /// Returns the first claim corresponding to DeviceIsManaged claim on a ClaimsIdentity + /// + /// "deviceismanaged" + /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged" + /// + /// + /// Claims ClaimsIdentity from which to get the DeviceIsManaged. + public static string GetDeviceIsManaged(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "deviceismanaged", + "http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged"); + } + /// + /// Returns the first claim corresponding to DeviceOsType claim on a ClaimsPrincipal + /// + /// "deviceostype" + /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype" + /// + /// + /// Claims ClaimsPrincipal from which to get the DeviceOsType. + public static string GetDeviceOsType(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "deviceostype", + "http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype"); + } + + /// + /// Returns the first claim corresponding to DeviceOsType claim on a ClaimsIdentity + /// + /// "deviceostype" + /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype" + /// + /// + /// Claims ClaimsIdentity from which to get the DeviceOsType. 
+ public static string GetDeviceOsType(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "deviceostype", + "http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype"); + } + /// + /// Returns the first claim corresponding to DeviceOsVer claim on a ClaimsPrincipal + /// + /// "deviceosver" + /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion" + /// + /// + /// Claims ClaimsPrincipal from which to get the DeviceOsVer. + public static string GetDeviceOsVer(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "deviceosver", + "http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion"); + } + + /// + /// Returns the first claim corresponding to DeviceOsVer claim on a ClaimsIdentity + /// + /// "deviceosver" + /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion" + /// + /// + /// Claims ClaimsIdentity from which to get the DeviceOsVer. + public static string GetDeviceOsVer(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "deviceosver", + "http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion"); + } + /// + /// Returns the first claim corresponding to DeviceOwner claim on a ClaimsPrincipal + /// + /// "deviceowner" + /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner" + /// + /// + /// Claims ClaimsPrincipal from which to get the DeviceOwner. 
+ public static string GetDeviceOwner(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "deviceowner", + "http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner"); + } + + /// + /// Returns the first claim corresponding to DeviceOwner claim on a ClaimsIdentity + /// + /// "deviceowner" + /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner" + /// + /// + /// Claims ClaimsIdentity from which to get the DeviceOwner. + public static string GetDeviceOwner(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "deviceowner", + "http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner"); + } + /// + /// Returns the first claim corresponding to DeviceRegId claim on a ClaimsPrincipal + /// + /// "deviceregid" + /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid" + /// + /// + /// Claims ClaimsPrincipal from which to get the DeviceRegId. + public static string GetDeviceRegId(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "deviceregid", + "http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid"); + } + + /// + /// Returns the first claim corresponding to DeviceRegId claim on a ClaimsIdentity + /// + /// "deviceregid" + /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid" + /// + /// + /// Claims ClaimsIdentity from which to get the DeviceRegId. 
+ public static string GetDeviceRegId(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "deviceregid", + "http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid"); + } + /// + /// Returns the first claim corresponding to EndpointPath claim on a ClaimsPrincipal + /// + /// "endpointpath" + /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path" + /// + /// + /// Claims ClaimsPrincipal from which to get the EndpointPath. + public static string GetEndpointPath(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "endpointpath", + "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path"); + } + + /// + /// Returns the first claim corresponding to EndpointPath claim on a ClaimsIdentity + /// + /// "endpointpath" + /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path" + /// + /// + /// Claims ClaimsIdentity from which to get the EndpointPath. + public static string GetEndpointPath(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "endpointpath", + "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path"); + } + /// + /// Returns the first claim corresponding to ForwardedClientIp claim on a ClaimsPrincipal + /// + /// "forwardedclientip" + /// "fwt" + /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" + /// + /// + /// Claims ClaimsPrincipal from which to get the ForwardedClientIp. 
+ public static string GetForwardedClientIp(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "forwardedclientip", + "fwt", + "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"); + } + + /// + /// Returns the first claim corresponding to ForwardedClientIp claim on a ClaimsIdentity + /// + /// "forwardedclientip" + /// "fwt" + /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" + /// + /// + /// Claims ClaimsIdentity from which to get the ForwardedClientIp. + public static string GetForwardedClientIp(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "forwardedclientip", + "fwt", + "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"); + } + /// + /// Returns all the claims corresponding to Group on a ClaimsPrincipal: + /// + /// "group" + /// "http://schemas.xmlsoap.org/claims/Group" + /// + /// + /// Claims principal from which to get the Group. + public static IEnumerable GetGroup(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetAllClaimValues( + "group", + "http://schemas.xmlsoap.org/claims/Group"); + } + + /// + /// Returns all the claims corresponding to Group on a ClaimsPrincipal: + /// + /// "group" + /// "http://schemas.xmlsoap.org/claims/Group" + /// + /// + /// Claims ClaimsIdentity from which to get the Group. 
+ public static IEnumerable GetGroup(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetAllClaimValues( + "group", + "http://schemas.xmlsoap.org/claims/Group"); + } + + /// + /// Returns all the claims corresponding to GroupsId on a ClaimsPrincipal: + /// + /// "groupsid" + /// ClaimTypes.GroupSid + /// + /// + /// Claims principal from which to get the GroupsId. + public static IEnumerable GetGroupsId(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetAllClaimValues( + "groupsid", + ClaimTypes.GroupSid); + } + + /// + /// Returns all the claims corresponding to GroupsId on a ClaimsPrincipal: + /// + /// "groupsid" + /// ClaimTypes.GroupSid + /// + /// + /// Claims ClaimsIdentity from which to get the GroupsId. + public static IEnumerable GetGroupsId(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetAllClaimValues( + "groupsid", + ClaimTypes.GroupSid); + } + + /// + /// Returns the first claim corresponding to IdTyp claim on a ClaimsPrincipal + /// + /// "idtyp" + /// + /// + /// Claims ClaimsPrincipal from which to get the IdTyp. + public static string GetIdTyp(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "idtyp"); + } + + /// + /// Returns the first claim corresponding to IdTyp claim on a ClaimsIdentity + /// + /// "idtyp" + /// + /// + /// Claims ClaimsIdentity from which to get the IdTyp. 
+ public static string GetIdTyp(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "idtyp"); + } + /// + /// Returns the first claim corresponding to Idp claim on a ClaimsPrincipal + /// + /// "idp" + /// "http://schemas.microsoft.com/identity/claims/identityprovider" + /// + /// + /// Claims ClaimsPrincipal from which to get the Idp. + public static string GetIdp(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "idp", + "http://schemas.microsoft.com/identity/claims/identityprovider"); + } + + /// + /// Returns the first claim corresponding to Idp claim on a ClaimsIdentity + /// + /// "idp" + /// "http://schemas.microsoft.com/identity/claims/identityprovider" + /// + /// + /// Claims ClaimsIdentity from which to get the Idp. + public static string GetIdp(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "idp", + "http://schemas.microsoft.com/identity/claims/identityprovider"); + } + /// + /// Returns the first claim corresponding to InsideCorporateNetwork claim on a ClaimsPrincipal + /// + /// "insidecorporatenetwork" + /// "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" + /// + /// + /// Claims ClaimsPrincipal from which to get the InsideCorporateNetwork. 
+ public static string GetInsideCorporateNetwork(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "insidecorporatenetwork", + "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"); + } + + /// + /// Returns the first claim corresponding to InsideCorporateNetwork claim on a ClaimsIdentity + /// + /// "insidecorporatenetwork" + /// "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" + /// + /// + /// Claims ClaimsIdentity from which to get the InsideCorporateNetwork. + public static string GetInsideCorporateNetwork(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "insidecorporatenetwork", + "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"); + } + /// + /// Returns the first claim corresponding to IsRegisteredUser claim on a ClaimsPrincipal + /// + /// "isregistereduser" + /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" + /// + /// + /// Claims ClaimsPrincipal from which to get the IsRegisteredUser. + public static string GetIsRegisteredUser(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "isregistereduser", + "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser"); + } + + /// + /// Returns the first claim corresponding to IsRegisteredUser claim on a ClaimsIdentity + /// + /// "isregistereduser" + /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" + /// + /// + /// Claims ClaimsIdentity from which to get the IsRegisteredUser. 
+ public static string GetIsRegisteredUser(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "isregistereduser", + "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser"); + } + /// + /// Returns the first claim corresponding to LoginHint claim on a ClaimsPrincipal + /// + /// "login_hint" + /// + /// + /// Claims ClaimsPrincipal from which to get the LoginHint. + public static string GetLoginHint(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "login_hint"); + } + + /// + /// Returns the first claim corresponding to LoginHint claim on a ClaimsIdentity + /// + /// "login_hint" + /// + /// + /// Claims ClaimsIdentity from which to get the LoginHint. + public static string GetLoginHint(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "login_hint"); + } + /// + /// Returns the first claim corresponding to Ppid claim on a ClaimsPrincipal + /// + /// "ppid" + /// "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" + /// + /// + /// Claims ClaimsPrincipal from which to get the Ppid. 
+ public static string GetPpid(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "ppid", + "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"); + } + + /// + /// Returns the first claim corresponding to Ppid claim on a ClaimsIdentity + /// + /// "ppid" + /// "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" + /// + /// + /// Claims ClaimsIdentity from which to get the Ppid. + public static string GetPpid(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "ppid", + "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"); + } + /// + /// Returns the first claim corresponding to Primarygroupsid claim on a ClaimsPrincipal + /// + /// "primarygroupsid" + /// ClaimTypes.PrimaryGroupSid + /// + /// + /// Claims ClaimsPrincipal from which to get the Primarygroupsid. + public static string GetPrimarygroupsid(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "primarygroupsid", + ClaimTypes.PrimaryGroupSid); + } + + /// + /// Returns the first claim corresponding to Primarygroupsid claim on a ClaimsIdentity + /// + /// "primarygroupsid" + /// ClaimTypes.PrimaryGroupSid + /// + /// + /// Claims ClaimsIdentity from which to get the Primarygroupsid. 
+ public static string GetPrimarygroupsid(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "primarygroupsid", + ClaimTypes.PrimaryGroupSid); + } + /// + /// Returns the first claim corresponding to Primarysid claim on a ClaimsPrincipal + /// + /// "primarysid" + /// ClaimTypes.PrimarySid + /// + /// + /// Claims ClaimsPrincipal from which to get the Primarysid. + public static string GetPrimarysid(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "primarysid", + ClaimTypes.PrimarySid); + } + + /// + /// Returns the first claim corresponding to Primarysid claim on a ClaimsIdentity + /// + /// "primarysid" + /// ClaimTypes.PrimarySid + /// + /// + /// Claims ClaimsIdentity from which to get the Primarysid. + public static string GetPrimarysid(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "primarysid", + ClaimTypes.PrimarySid); + } + /// + /// Returns the first claim corresponding to Proxy claim on a ClaimsPrincipal + /// + /// "proxy" + /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy" + /// + /// + /// Claims ClaimsPrincipal from which to get the Proxy. 
+ public static string GetProxy(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "proxy", + "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"); + } + + /// + /// Returns the first claim corresponding to Proxy claim on a ClaimsIdentity + /// + /// "proxy" + /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy" + /// + /// + /// Claims ClaimsIdentity from which to get the Proxy. + public static string GetProxy(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "proxy", + "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"); + } + /// + /// Returns the first claim corresponding to PwdChgEndpoint claim on a ClaimsPrincipal + /// + /// "pwdchgurl" + /// "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl" + /// + /// + /// Claims ClaimsPrincipal from which to get the PwdChgEndpoint. + public static string GetPwdChgEndpoint(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "pwdchgurl", + "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl"); + } + + /// + /// Returns the first claim corresponding to PwdChgEndpoint claim on a ClaimsIdentity + /// + /// "pwdchgurl" + /// "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl" + /// + /// + /// Claims ClaimsIdentity from which to get the PwdChgEndpoint. 
+ public static string GetPwdChgEndpoint(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "pwdchgurl", + "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl"); + } + /// + /// Returns the first claim corresponding to PwdExpDays claim on a ClaimsPrincipal + /// + /// "pwdexpdays" + /// "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays" + /// + /// + /// Claims ClaimsPrincipal from which to get the PwdExpDays. + public static string GetPwdExpDays(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "pwdexpdays", + "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays"); + } + + /// + /// Returns the first claim corresponding to PwdExpDays claim on a ClaimsIdentity + /// + /// "pwdexpdays" + /// "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays" + /// + /// + /// Claims ClaimsIdentity from which to get the PwdExpDays. + public static string GetPwdExpDays(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "pwdexpdays", + "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays"); + } + /// + /// Returns the first claim corresponding to PwdExpTime claim on a ClaimsPrincipal + /// + /// "pwdexptime" + /// "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime" + /// + /// + /// Claims ClaimsPrincipal from which to get the PwdExpTime. 
+ public static string GetPwdExpTime(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "pwdexptime", + "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime"); + } + + /// + /// Returns the first claim corresponding to PwdExpTime claim on a ClaimsIdentity + /// + /// "pwdexptime" + /// "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime" + /// + /// + /// Claims ClaimsIdentity from which to get the PwdExpTime. + public static string GetPwdExpTime(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "pwdexptime", + "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime"); + } + /// + /// Returns the first claim corresponding to RelyingPartyTrustId claim on a ClaimsPrincipal + /// + /// "relyingpartytrustid" + /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid" + /// + /// + /// Claims ClaimsPrincipal from which to get the RelyingPartyTrustId. + public static string GetRelyingPartyTrustId(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "relyingpartytrustid", + "http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid"); + } + + /// + /// Returns the first claim corresponding to RelyingPartyTrustId claim on a ClaimsIdentity + /// + /// "relyingpartytrustid" + /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid" + /// + /// + /// Claims ClaimsIdentity from which to get the RelyingPartyTrustId. 
+ public static string GetRelyingPartyTrustId(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "relyingpartytrustid", + "http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid"); + } + /// + /// Returns all the claims corresponding to Role on a ClaimsPrincipal: + /// + /// "role" + /// "roles" + /// ClaimTypes.Role + /// + /// This method returns information that is safe to use for authorization. + /// + /// Claims principal from which to get the Role. + public static IEnumerable GetRole(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetAllClaimValues( + "role", + "roles", + ClaimTypes.Role); + } + + /// + /// Returns all the claims corresponding to Role on a ClaimsPrincipal: + /// + /// "role" + /// "roles" + /// ClaimTypes.Role + /// + /// This method returns information that is safe to use for authorization. + /// + /// Claims ClaimsIdentity from which to get the Role. + public static IEnumerable GetRole(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetAllClaimValues( + "role", + "roles", + ClaimTypes.Role); + } + + /// + /// Returns the first claim corresponding to Sid claim on a ClaimsPrincipal + /// + /// "sid" + /// + /// + /// Claims ClaimsPrincipal from which to get the Sid. + public static string GetSid(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "sid"); + } + + /// + /// Returns the first claim corresponding to Sid claim on a ClaimsIdentity + /// + /// "sid" + /// + /// + /// Claims ClaimsIdentity from which to get the Sid. 
+ public static string GetSid(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "sid"); + } + /// + /// Returns the first claim corresponding to Upn claim on a ClaimsPrincipal + /// + /// "upn" + /// ClaimTypes.Upn + /// + /// + /// Claims ClaimsPrincipal from which to get the Upn. + public static string GetUpn(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "upn", + ClaimTypes.Upn); + } + + /// + /// Returns the first claim corresponding to Upn claim on a ClaimsIdentity + /// + /// "upn" + /// ClaimTypes.Upn + /// + /// + /// Claims ClaimsIdentity from which to get the Upn. + public static string GetUpn(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "upn", + ClaimTypes.Upn); + } + /// + /// Returns the first claim corresponding to Winaccountname claim on a ClaimsPrincipal + /// + /// "winaccountname" + /// ClaimTypes.WindowsAccountName + /// + /// + /// Claims ClaimsPrincipal from which to get the Winaccountname. + public static string GetWinaccountname(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "winaccountname", + ClaimTypes.WindowsAccountName); + } + + /// + /// Returns the first claim corresponding to Winaccountname claim on a ClaimsIdentity + /// + /// "winaccountname" + /// ClaimTypes.WindowsAccountName + /// + /// + /// Claims ClaimsIdentity from which to get the Winaccountname. 
+ public static string GetWinaccountname(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "winaccountname", + ClaimTypes.WindowsAccountName); + } + /// + /// Returns the first claim corresponding to VerifiedPrimaryEmail claim on a ClaimsPrincipal + /// + /// "verified_primary_email" + /// + /// The privacy classification of the information returned is EUPI. + /// + /// Claims ClaimsPrincipal from which to get the VerifiedPrimaryEmail. + public static string GetVerifiedPrimaryEmail(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "verified_primary_email"); + } + + /// + /// Returns the first claim corresponding to VerifiedPrimaryEmail claim on a ClaimsIdentity + /// + /// "verified_primary_email" + /// + /// The privacy classification of the information returned is EUPI. + /// + /// Claims ClaimsIdentity from which to get the VerifiedPrimaryEmail. + public static string GetVerifiedPrimaryEmail(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "verified_primary_email"); + } + /// + /// Returns the first claim corresponding to VerifiedSecondaryEmail claim on a ClaimsPrincipal + /// + /// "verified_secondary_email" + /// + /// The privacy classification of the information returned is EUPI. + /// + /// Claims ClaimsPrincipal from which to get the VerifiedSecondaryEmail. 
+ public static string GetVerifiedSecondaryEmail(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "verified_secondary_email"); + } + + /// + /// Returns the first claim corresponding to VerifiedSecondaryEmail claim on a ClaimsIdentity + /// + /// "verified_secondary_email" + /// + /// The privacy classification of the information returned is EUPI. + /// + /// Claims ClaimsIdentity from which to get the VerifiedSecondaryEmail. + public static string GetVerifiedSecondaryEmail(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "verified_secondary_email"); + } + /// + /// Returns the first claim corresponding to VNet claim on a ClaimsPrincipal + /// + /// "vnet" + /// + /// + /// Claims ClaimsPrincipal from which to get the VNet. + public static string GetVNet(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "vnet"); + } + + /// + /// Returns the first claim corresponding to VNet claim on a ClaimsIdentity + /// + /// "vnet" + /// + /// + /// Claims ClaimsIdentity from which to get the VNet. + public static string GetVNet(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "vnet"); + } + /// + /// Returns the first claim corresponding to PreferedDataLocation claim on a ClaimsPrincipal + /// + /// "xms_pdl" + /// + /// + /// Claims ClaimsPrincipal from which to get the PreferedDataLocation. 
+ public static string GetPreferedDataLocation(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "xms_pdl"); + } + + /// + /// Returns the first claim corresponding to PreferedDataLocation claim on a ClaimsIdentity + /// + /// "xms_pdl" + /// + /// + /// Claims ClaimsIdentity from which to get the PreferedDataLocation. + public static string GetPreferedDataLocation(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "xms_pdl"); + } + /// + /// Returns the first claim corresponding to UserPreferedLanguage claim on a ClaimsPrincipal + /// + /// "xms_tpl" + /// + /// + /// Claims ClaimsPrincipal from which to get the UserPreferedLanguage. + public static string GetUserPreferedLanguage(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "xms_tpl"); + } + + /// + /// Returns the first claim corresponding to UserPreferedLanguage claim on a ClaimsIdentity + /// + /// "xms_tpl" + /// + /// + /// Claims ClaimsIdentity from which to get the UserPreferedLanguage. + public static string GetUserPreferedLanguage(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "xms_tpl"); + } + /// + /// Returns the first claim corresponding to ZeroTouchDeploymentId claim on a ClaimsPrincipal + /// + /// "ztdid" + /// + /// + /// Claims ClaimsPrincipal from which to get the ZeroTouchDeploymentId. 
+ public static string GetZeroTouchDeploymentId(this ClaimsPrincipal claimsPrincipal) + { + if (claimsPrincipal == null) + { + throw new ArgumentNullException(nameof(claimsPrincipal)); + } + return claimsPrincipal.GetClaimValue( + "ztdid"); + } + + /// + /// Returns the first claim corresponding to ZeroTouchDeploymentId claim on a ClaimsIdentity + /// + /// "ztdid" + /// + /// + /// Claims ClaimsIdentity from which to get the ZeroTouchDeploymentId. + public static string GetZeroTouchDeploymentId(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + "ztdid"); + } + } +} diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.tt b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.tt new file mode 100644 index 0000000000..a861dd59ec --- /dev/null +++ b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.tt 
@@ -0,0 +1,216 @@
+<#@ template debug="false" hostspecific="false" language="C#" #>
+<#@ assembly name="System.Core" #>
+<#@ import namespace="System.Linq" #>
+<#@ import namespace="System.Text" #>
+<#@ import namespace="System.Collections.Generic" #>
+<#@ output extension=".gen.cs" #>
+<#@ include file="ClaimsKnowledge.tti" #>
+//------------------------------------------------------------------------------
+//
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+//
+//------------------------------------------------------------------------------
+
+// THIS FILE IS AUTOMATICALLY GENERATED FROM ClaimsTypeAccessor.tt USING T4
+// DON'T UPDATE MANUALLY
+
+using System.Collections.Generic;
+using System.Security.Claims;
+
+namespace System.IdentityModel.Tokens.Jwt
+{
+ ///
+ /// Defines extension methods to access claims by purpose, and not by name, making it compatible
+ /// with several versions of tokens.
+ ///
+ public static partial class ClaimPrincipalExtensions
+ {
+<#
+ foreach(ClaimsKnowledge c in claimsKnowledge)
+ {
+ if (c.HasMultipleInstances)
+ {
+#>
+ ///
+ /// Returns all the claims corresponding to <#=c.AccessorName#> on a ClaimsPrincipal:
+ ///
+<#
+ foreach(string s in c.AllClaimNames)
+ {
+#>
+ /// <#= s #>
+<#
+ }
+#>
+ ///
+<#
+ if (c.IsUsableInAuthorizationPolicies)
+ {
+#>
+ /// This method returns information that is safe to use for authorization.
+<#
+ }
+ if (!string.IsNullOrEmpty(c.PrivacyCategory))
+ {
+#>
+ /// The privacy classification of the information returned is <#= c.PrivacyCategory #>.
+<#
+ }
+#>
+ ///
+ /// Claims principal from which to get the <#=c.AccessorName#>.
+ public static IEnumerable Get<#=c.AccessorName#>(this ClaimsPrincipal claimsPrincipal)
+ {
+ if (claimsPrincipal == null)
+ {
+ throw new ArgumentNullException(nameof(claimsPrincipal));
+ }
+ return claimsPrincipal.GetAllClaimValues(
+ <#=string.Join(",\n ", c.AllClaimNames)#>);
+ }
+
+ ///
+ /// Returns all the claims corresponding to <#=c.AccessorName#> on a ClaimsPrincipal:
+ ///
+<#
+ foreach(string s in c.AllClaimNames)
+ {
+#>
+ /// <#= s #>
+<#
+ }
+#>
+ ///
+<#
+ if (c.IsUsableInAuthorizationPolicies)
+ {
+#>
+ /// This method returns information that is safe to use for authorization.
+<#
+ }
+ if (!string.IsNullOrEmpty(c.PrivacyCategory))
+ {
+#>
+ /// The privacy classification of the information returned is <#= c.PrivacyCategory #>.
+<#
+ }
+#>
+ ///
+ /// Claims ClaimsIdentity from which to get the <#=c.AccessorName#>.
+ public static IEnumerable Get<#=c.AccessorName#>(this ClaimsIdentity claimsIdentity)
+ {
+ if (claimsIdentity == null)
+ {
+ throw new ArgumentNullException(nameof(claimsIdentity));
+ }
+ return claimsIdentity.GetAllClaimValues(
+ <#=string.Join(",\n ", c.AllClaimNames)#>);
+ }
+
+<#
+ }
+ else
+ {
+#>
+ ///
+ /// Returns the first claim corresponding to <#=c.AccessorName#> claim on a ClaimsPrincipal
+ ///
+<#
+ foreach(string s in c.AllClaimNames)
+ {
+#>
+ /// <#= s #>
+<#
+ }
+#>
+ ///
+<#
+ if (c.IsUsableInAuthorizationPolicies)
+ {
+#>
+ /// This method returns information that is safe to use for authorization.
+<#
+ }
+ if (!string.IsNullOrEmpty(c.PrivacyCategory))
+ {
+#>
+ /// The privacy classification of the information returned is <#= c.PrivacyCategory #>.
+<#
+ }
+#>
+ ///
+ /// Claims ClaimsPrincipal from which to get the <#=c.AccessorName#>.
+ public static string Get<#=c.AccessorName#>(this ClaimsPrincipal claimsPrincipal)
+ {
+ if (claimsPrincipal == null)
+ {
+ throw new ArgumentNullException(nameof(claimsPrincipal));
+ }
+ return claimsPrincipal.GetClaimValue(
+ <#=string.Join(",\n ", c.AllClaimNames)#>);
+ }
+
+ ///
+ /// Returns the first claim corresponding to <#=c.AccessorName#> claim on a ClaimsIdentity
+ ///
+<#
+ foreach(string s in c.AllClaimNames)
+ {
+#>
+ /// <#= s #>
+<#
+ }
+#>
+ ///
+<#
+ if (c.IsUsableInAuthorizationPolicies)
+ {
+#>
+ /// This method returns information that is safe to use for authorization.
+<#
+ }
+ if (!string.IsNullOrEmpty(c.PrivacyCategory))
+ {
+#>
+ /// The privacy classification of the information returned is <#= c.PrivacyCategory #>.
+<#
+ }
+#>
+ ///
+ /// Claims ClaimsIdentity from which to get the <#=c.AccessorName#>.
+ public static string Get<#=c.AccessorName#>(this ClaimsIdentity claimsIdentity) + { + if (claimsIdentity == null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + return claimsIdentity.GetClaimValue( + <#=string.Join(",\n ", c.AllClaimNames)#>); + } +<# + } + } +#> + } +} diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.cs b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.cs index 12d0c67f68..c12117f733 100644 --- a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.cs +++ b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.cs @@ -1,4 +1,4 @@ -//------------------------------------------------------------------------------ +//------------------------------------------------------------------------------ // // Copyright (c) Microsoft Corporation. // All rights reserved. @@ -25,6 +25,9 @@ // //------------------------------------------------------------------------------ +// THIS FILE IS AUTOMATICALLY GENERATED FROM ClaimsTypeMapping.tt USING T4 +// DON'T UPDATE MANUALLY + using System.Collections.Generic; using System.Security.Claims; 
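Review bot: The generated remarks only say something when `c.IsUsableInAuthorizationPolicies` is true, so accessors for every other claim (for example `Email` or `Upn` in ClaimsKnowledge.tti) come out with no statement about authorization at all, and a caller cannot tell "not suitable" from "not reviewed". I would add an else branch to each of the four `if (c.IsUsableInAuthorizationPolicies)` blocks that emits `/// Do not base authorization decisions on this value.`. Separately, the summary of the second overload in the `HasMultipleInstances` branch still reads `on a ClaimsPrincipal:` although it extends `ClaimsIdentity`, and the generated banner names `ClaimsTypeAccessor.tt` while the template file is `ClaimTypeAccessor.tt`.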
@@ -40,79 +43,80 @@ internal static class ClaimTypeMapping // value is the short claim type private static Dictionary shortToLongClaimTypeMapping = new Dictionary { - { JwtRegisteredClaimNames.Actort, ClaimTypes.Actor }, - { JwtRegisteredClaimNames.Birthdate, ClaimTypes.DateOfBirth }, - { JwtRegisteredClaimNames.Email, ClaimTypes.Email }, - { JwtRegisteredClaimNames.FamilyName, ClaimTypes.Surname }, - { JwtRegisteredClaimNames.Gender, ClaimTypes.Gender }, - { JwtRegisteredClaimNames.GivenName, ClaimTypes.GivenName }, - { JwtRegisteredClaimNames.NameId, ClaimTypes.NameIdentifier }, - { JwtRegisteredClaimNames.Sub, ClaimTypes.NameIdentifier }, - { JwtRegisteredClaimNames.Website, ClaimTypes.Webpage }, - { JwtRegisteredClaimNames.UniqueName, ClaimTypes.Name }, - { "oid", "http://schemas.microsoft.com/identity/claims/objectidentifier" }, - { "scp", "http://schemas.microsoft.com/identity/claims/scope" }, - { "tid", "http://schemas.microsoft.com/identity/claims/tenantid" }, - { "acr", "http://schemas.microsoft.com/claims/authnclassreference" }, - { "adfs1email", "http://schemas.xmlsoap.org/claims/EmailAddress" }, - { "adfs1upn", "http://schemas.xmlsoap.org/claims/UPN" }, - { "amr", "http://schemas.microsoft.com/claims/authnmethodsreferences" }, - { "authmethod", ClaimTypes.AuthenticationMethod }, - { "certapppolicy", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy" }, - { "certauthoritykeyidentifier", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier" }, - { "certbasicconstraints", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints" }, - { "certeku", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku" }, - { "certissuer", "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer" }, - { "certissuername", "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername" }, - { "certkeyusage", 
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage" }, - { "certnotafter", "http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter" }, - { "certnotbefore", "http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore" }, - { "certpolicy", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy" }, - { "certpublickey", ClaimTypes.Rsa }, - { "certrawdata", "http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata" }, - { "certserialnumber", ClaimTypes.SerialNumber }, - { "certsignaturealgorithm", "http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm" }, - { "certsubject", "http://schemas.microsoft.com/2012/12/certificatecontext/field/subject" }, - { "certsubjectaltname", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/san" }, - { "certsubjectkeyidentifier", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier" }, - { "certsubjectname", "http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname" }, - { "certtemplateinformation", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation" }, - { "certtemplatename", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename" }, - { "certthumbprint", ClaimTypes.Thumbprint }, - { "certx509version", "http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version" }, - { "clientapplication", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application" }, - { "clientip", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip" }, - { "clientuseragent", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent" }, - { "commonname", "http://schemas.xmlsoap.org/claims/CommonName" }, - { "denyonlyprimarygroupsid", ClaimTypes.DenyOnlyPrimaryGroupSid }, - { "denyonlyprimarysid", 
ClaimTypes.DenyOnlyPrimarySid }, - { "denyonlysid", ClaimTypes.DenyOnlySid }, - { "devicedispname", "http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname" }, - { "deviceid", "http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier" }, - { "deviceismanaged", "http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged" }, - { "deviceostype", "http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype" }, - { "deviceosver", "http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion" }, - { "deviceowner", "http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner" }, - { "deviceregid", "http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid" }, - { "endpointpath", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path" }, - { "forwardedclientip", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" }, - { "group", "http://schemas.xmlsoap.org/claims/Group" }, - { "groupsid", ClaimTypes.GroupSid }, - { "idp", "http://schemas.microsoft.com/identity/claims/identityprovider" }, - { "insidecorporatenetwork", "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" }, - { "isregistereduser", "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" }, - { "ppid", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" }, - { "primarygroupsid", ClaimTypes.PrimaryGroupSid }, - { "primarysid", ClaimTypes.PrimarySid }, - { "proxy", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy" }, - { "pwdchgurl", "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl" }, - { "pwdexpdays", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays" }, - { "pwdexptime", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime" }, - { "relyingpartytrustid", "http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid" }, - { "role", 
ClaimTypes.Role }, - { "roles", ClaimTypes.Role }, - { "upn", ClaimTypes.Upn }, - { "winaccountname", ClaimTypes.WindowsAccountName }, + { JwtRegisteredClaimNames.Actort, ClaimTypes.Actor }, + { JwtRegisteredClaimNames.Birthdate, ClaimTypes.DateOfBirth }, + { JwtRegisteredClaimNames.Email, ClaimTypes.Email }, + { JwtRegisteredClaimNames.FamilyName, ClaimTypes.Surname }, + { JwtRegisteredClaimNames.Gender, ClaimTypes.Gender }, + { JwtRegisteredClaimNames.GivenName, ClaimTypes.GivenName }, + { JwtRegisteredClaimNames.NameId, ClaimTypes.NameIdentifier }, + { JwtRegisteredClaimNames.Sub, ClaimTypes.NameIdentifier }, + { JwtRegisteredClaimNames.Website, ClaimTypes.Webpage }, + { JwtRegisteredClaimNames.UniqueName, ClaimTypes.Name }, + { "oid", "http://schemas.microsoft.com/identity/claims/objectidentifier" }, + { "scp", "http://schemas.microsoft.com/identity/claims/scope" }, + { "tid", "http://schemas.microsoft.com/identity/claims/tenantid" }, + { "acr", "http://schemas.microsoft.com/claims/authnclassreference" }, + { "adfs1email", "http://schemas.xmlsoap.org/claims/EmailAddress" }, + { "adfs1upn", "http://schemas.xmlsoap.org/claims/UPN" }, + { "amr", "http://schemas.microsoft.com/claims/authnmethodsreferences" }, + { "authmethod", ClaimTypes.AuthenticationMethod }, + { "certapppolicy", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy" }, + { "certauthoritykeyidentifier", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier" }, + { "certbasicconstraints", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints" }, + { "certeku", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku" }, + { "certissuer", "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer" }, + { "certissuername", "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername" }, + { "certkeyusage", 
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage" }, + { "certnotafter", "http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter" }, + { "certnotbefore", "http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore" }, + { "certpolicy", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy" }, + { "certpublickey", ClaimTypes.Rsa }, + { "certrawdata", "http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata" }, + { "certserialnumber", ClaimTypes.SerialNumber }, + { "certsignaturealgorithm", "http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm" }, + { "certsubject", "http://schemas.microsoft.com/2012/12/certificatecontext/field/subject" }, + { "certsubjectaltname", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/san" }, + { "certsubjectkeyidentifier", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier" }, + { "certsubjectname", "http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname" }, + { "certtemplateinformation", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation" }, + { "certtemplatename", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename" }, + { "certthumbprint", ClaimTypes.Thumbprint }, + { "certx509version", "http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version" }, + { "clientapplication", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application" }, + { "clientip", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip" }, + { "clientuseragent", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent" }, + { "commonname", "http://schemas.xmlsoap.org/claims/CommonName" }, + { "denyonlyprimarygroupsid", ClaimTypes.DenyOnlyPrimaryGroupSid }, + { "denyonlyprimarysid", 
ClaimTypes.DenyOnlyPrimarySid }, + { "denyonlysid", ClaimTypes.DenyOnlySid }, + { "devicedispname", "http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname" }, + { "deviceid", "http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier" }, + { "deviceismanaged", "http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged" }, + { "deviceostype", "http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype" }, + { "deviceosver", "http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion" }, + { "deviceowner", "http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner" }, + { "deviceregid", "http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid" }, + { "endpointpath", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path" }, + { "forwardedclientip", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" }, + { "fwt", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" }, + { "group", "http://schemas.xmlsoap.org/claims/Group" }, + { "groupsid", ClaimTypes.GroupSid }, + { "idp", "http://schemas.microsoft.com/identity/claims/identityprovider" }, + { "insidecorporatenetwork", "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" }, + { "isregistereduser", "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" }, + { "ppid", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" }, + { "primarygroupsid", ClaimTypes.PrimaryGroupSid }, + { "primarysid", ClaimTypes.PrimarySid }, + { "proxy", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy" }, + { "pwdchgurl", "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl" }, + { "pwdexpdays", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays" }, + { "pwdexptime", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime" }, + { "relyingpartytrustid", 
"http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid" }, + { "role", ClaimTypes.Role }, + { "roles", ClaimTypes.Role }, + { "upn", ClaimTypes.Upn }, + { "winaccountname", ClaimTypes.WindowsAccountName }, }; private static IDictionary longToShortClaimTypeMapping = new Dictionary(); diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.tt b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.tt new file mode 100644 index 0000000000..7e40f84474 --- /dev/null +++ b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.tt 
@@ -0,0 +1,115 @@
+<#@ template debug="false" hostspecific="false" language="C#" #>
+<#@ assembly name="System.Core" #>
+<#@ import namespace="System.Linq" #>
+<#@ import namespace="System.Text" #>
+<#@ import namespace="System.Collections.Generic" #>
+<#@ output extension=".cs" #>
+<#@ include file="ClaimsKnowledge.tti" #>
+//------------------------------------------------------------------------------
+//
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+//
+//------------------------------------------------------------------------------
+
+// THIS FILE IS AUTOMATICALLY GENERATED FROM ClaimsTypeMapping.tt USING T4
+// DON'T UPDATE MANUALLY
+
+using System.Collections.Generic;
+using System.Security.Claims;
+
+namespace System.IdentityModel.Tokens.Jwt
+{
+ ///
+ /// Defines the inbound and outbound mapping for claim claim types from jwt to .net claim
+ ///
+ internal static class ClaimTypeMapping
+ {
+ // This is the short to long mapping.
+ // key is the long claim type
+ // value is the short claim type
+ private static Dictionary shortToLongClaimTypeMapping = new Dictionary
+ {
+<#
+ foreach(ClaimsKnowledge c in claimsKnowledge.Where(c => c.GenerateMapping))
+ {
+ foreach(string shortClaimType in c.ShortClaimNames)
+ {
+#>
+ { <#=shortClaimType#>, <#=c.LongClaimName#> },
+<#
+ }
+ }
+#>
+ };
+
+ private static IDictionary longToShortClaimTypeMapping = new Dictionary();
+ private static HashSet inboundClaimFilter = inboundClaimFilter = new HashSet();
+
+ ///
+ /// Initializes static members of the class.
+ ///
+ static ClaimTypeMapping()
+ {
+ foreach (KeyValuePair kv in shortToLongClaimTypeMapping)
+ {
+ if (longToShortClaimTypeMapping.ContainsKey(kv.Value))
+ {
+ continue;
+ }
+
+ longToShortClaimTypeMapping.Add(kv.Value, kv.Key);
+ }
+ }
+
+ ///
+ /// Gets the InboundClaimTypeMap used by JwtSecurityTokenHandler when producing claims from jwt.
+ ///
+ public static IDictionary InboundClaimTypeMap
+ {
+ get
+ {
+ return shortToLongClaimTypeMapping;
+ }
+ }
+
+ ///
+ /// Gets the OutboundClaimTypeMap is used by JwtSecurityTokenHandler to shorten claim types when creating a jwt.
+ ///
+ public static IDictionary OutboundClaimTypeMap
+ {
+ get
+ {
+ return longToShortClaimTypeMapping;
+ }
+ }
+
+ public static ISet InboundClaimFilter
+ {
+ get
+ {
+ return inboundClaimFilter;
+ }
+ }
+ }
+}
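Review bot: The static constructor keeps the first short name it meets for a long claim type and silently skips the rest, so with the table now generated, the outbound name for shared targets (`NameId`/`Sub` to `ClaimTypes.NameIdentifier`, `role`/`roles`, `forwardedclientip`/`fwt`) depends on row order in ClaimsKnowledge.tti. A comment on the `continue` such as `// first short name listed in ClaimsKnowledge.tti wins; reordering rows changes OutboundClaimTypeMap` would make that contract visible to whoever edits the table. The comment above `shortToLongClaimTypeMapping` has key and value swapped (the key is the short claim type), and the `inboundClaimFilter` initializer repeats the field name, so the second `inboundClaimFilter =` can be dropped.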
diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimsKnowledge.tti b/src/System.IdentityModel.Tokens.Jwt/ClaimsKnowledge.tti
new file mode 100644
index 0000000000..d09e698251
--- /dev/null
+++ b/src/System.IdentityModel.Tokens.Jwt/ClaimsKnowledge.tti
@@ -0,0 +1,141 @@
+<#+
+class ClaimsKnowledge
+{
+ public ClaimsKnowledge(string accessorName, bool multipleInstances, bool usableForAuthorization, bool generateMapping, string privacyCategory, string longClaimName, params string[] shortClaimName)
+ {
+ AccessorName = accessorName;
+ ShortClaimNames = shortClaimName;
+ LongClaimName = longClaimName;
+ HasMultipleInstances = multipleInstances;
+ PrivacyCategory = privacyCategory;
+ IsUsableInAuthorizationPolicies = usableForAuthorization;
+ GenerateMapping = generateMapping;
+ }
+
+ ///
+ /// Name of the accessor
+ ///
+ public string AccessorName { get; set; }
+
+ ///
+ /// Short claim type name
+ ///
+ public string[] ShortClaimNames { get; set; }
+
+ ///
+ /// Long claim type name
+ ///
+ public string LongClaimName { get; set; }
+
+ ///
+ /// Does the claim appear in multiple instances?
+ ///
+ public bool HasMultipleInstances { get; set; }
+
+ ///
+ /// Privacy category for the claim
+ ///
+ public string PrivacyCategory { get; set; }
+
+ ///
+ /// Is the claim usable in authorization policies?
+ ///
+ public bool IsUsableInAuthorizationPolicies { get; set; }
+
+ ///
+ /// Should the claims mapping be generated?
+ ///
+ public bool GenerateMapping { get; set; }
+
+ public IEnumerable AllClaimNames
+ => ShortClaimNames.Union(new string[]{LongClaimName}).Where(c => !string.IsNullOrEmpty(c));
+}
+
+ClaimsKnowledge[] claimsKnowledge = new ClaimsKnowledge[]
+{
+ new ClaimsKnowledge("Actor", false, false, true, "", "ClaimTypes.Actor", "JwtRegisteredClaimNames.Actort"),
+ new ClaimsKnowledge("IsGuest", false, true, false, "", "\"acct\""),
+ new ClaimsKnowledge("LastAuthenticatedTime", false, false, false, "", "\"auth_time\""),
+ new ClaimsKnowledge("Birthdate", false, false, true, "EUII", "ClaimTypes.DateOfBirth", "JwtRegisteredClaimNames.Birthdate"),
+ new ClaimsKnowledge("Country", false, false, false, "EUII", "\"ctry\""),
+ new ClaimsKnowledge("Email", false, false, true, "EUII", "ClaimTypes.Email", "JwtRegisteredClaimNames.Email"),
+ new ClaimsKnowledge("FamilyName", false, false, true, "EUII", "ClaimTypes.Surname", "JwtRegisteredClaimNames.FamilyName"),
+ new ClaimsKnowledge("Gender", false, false, true, "EUII", "ClaimTypes.Gender", "JwtRegisteredClaimNames.Gender"),
+ new ClaimsKnowledge("GivenName", false, false, true, "EUII", "ClaimTypes.GivenName", "JwtRegisteredClaimNames.GivenName"),
+ new ClaimsKnowledge("Nameid", false, false, true, "", "ClaimTypes.NameIdentifier", "JwtRegisteredClaimNames.NameId"),
+ new ClaimsKnowledge("Sub", false, false, true, "", "ClaimTypes.NameIdentifier", "JwtRegisteredClaimNames.Sub"),
+ new ClaimsKnowledge("Website", false, false, true, "", "ClaimTypes.Webpage", "JwtRegisteredClaimNames.Website"),
+ new ClaimsKnowledge("UniqueName", false, false, true, "", "ClaimTypes.Name", "JwtRegisteredClaimNames.UniqueName"),
+ new ClaimsKnowledge("ObjectId", false, true, true, "EUPI", "\"http://schemas.microsoft.com/identity/claims/objectidentifier\"", "\"oid\""),
+ new ClaimsKnowledge("Scopes", true, true, true, "", "\"http://schemas.microsoft.com/identity/claims/scope\"", "\"scp\""),
+ new ClaimsKnowledge("TenantId", false, true, true, "OII", "\"http://schemas.microsoft.com/identity/claims/tenantid\"", "\"tid\""),
+ new ClaimsKnowledge("Acr", false, false, true, "", "\"http://schemas.microsoft.com/claims/authnclassreference\"", "\"acr\""),
+ new ClaimsKnowledge("Adfs1Email", false, false, true, "EUPI", "\"http://schemas.xmlsoap.org/claims/EmailAddress\"", "\"adfs1email\""),
+ new ClaimsKnowledge("Adfs1Upn", false, false, true, "EUPI", "\"http://schemas.xmlsoap.org/claims/UPN\"", "\"adfs1upn\""),
+ new ClaimsKnowledge("Amr", false, false, true, "", "\"http://schemas.microsoft.com/claims/authnmethodsreferences\"", "\"amr\""),
+ new ClaimsKnowledge("AuthMethod", false, false, true, "", "ClaimTypes.AuthenticationMethod", "\"authmethod\""),
+ new ClaimsKnowledge("CertAppPolicy", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy\"", "\"certapppolicy\""),
+ new ClaimsKnowledge("CertAuthorityKeyIdentifier", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier\"", "\"certauthoritykeyidentifier\""),
+ new ClaimsKnowledge("CertBasicVonstraints", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints\"", "\"certbasicconstraints\""),
+ new ClaimsKnowledge("CertEku", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku\"", "\"certeku\""),
+ new ClaimsKnowledge("CertIssuer", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer\"", "\"certissuer\""),
+ new ClaimsKnowledge("CertIssuerName", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername\"", "\"certissuername\""),
+ new ClaimsKnowledge("CertKeyUsage", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage\"", "\"certkeyusage\""),
+ new ClaimsKnowledge("CertNotAfter", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter\"", "\"certnotafter\""),
+ new ClaimsKnowledge("CertNotBefore", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore\"", "\"certnotbefore\""),
+ new ClaimsKnowledge("CertPolicy", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy\"", "\"certpolicy\""),
+ new ClaimsKnowledge("CertPublickey", false, false, true, "", "ClaimTypes.Rsa", "\"certpublickey\""),
+ new ClaimsKnowledge("CertRawData", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata\"", "\"certrawdata\""),
+ new ClaimsKnowledge("CertSerialNumber", false, false, true, "", "ClaimTypes.SerialNumber", "\"certserialnumber\""),
+ new ClaimsKnowledge("CertSignatureAlgorithm", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm\"", "\"certsignaturealgorithm\""),
+ new ClaimsKnowledge("CertSubject", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/field/subject\"", "\"certsubject\""),
+ new ClaimsKnowledge("CertSubjectAltName", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/extension/san\"", "\"certsubjectaltname\""),
+ new ClaimsKnowledge("CertSubjectKeyIdentifier", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier\"", "\"certsubjectkeyidentifier\""),
+ new ClaimsKnowledge("CertSubjectName", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname\"", "\"certsubjectname\""),
+ new ClaimsKnowledge("CertTemplateInformation", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation\"", "\"certtemplateinformation\""),
+ new ClaimsKnowledge("CertTemplateName", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename\"", "\"certtemplatename\""),
+ new ClaimsKnowledge("CertThumbprint", false, false, true, "", "ClaimTypes.Thumbprint", "\"certthumbprint\""),
+ new ClaimsKnowledge("CertX509Version", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version\"", "\"certx509version\""),
+ new ClaimsKnowledge("ClientApplication", false, true, true, "", "\"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application\"", "\"clientapplication\""),
+ new ClaimsKnowledge("ClientIp", false, false, true, "EUPI", "\"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip\"", "\"clientip\""),
+ new ClaimsKnowledge("ClientUserAgent", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent\"", "\"clientuseragent\""),
+ new ClaimsKnowledge("CommonName", false, false, true, "EUPI", "\"http://schemas.xmlsoap.org/claims/CommonName\"", "\"commonname\""),
+ new ClaimsKnowledge("DenyOnlyPrimaryGroupSid", false, false, true, "", "ClaimTypes.DenyOnlyPrimaryGroupSid", "\"denyonlyprimarygroupsid\""),
+ new ClaimsKnowledge("DenyOnlyPrimarySid", false, false, true, "", "ClaimTypes.DenyOnlyPrimarySid", "\"denyonlyprimarysid\""),
+ new ClaimsKnowledge("DenyOnlySid", false, false, true, "", "ClaimTypes.DenyOnlySid", "\"denyonlysid\""),
+ new ClaimsKnowledge("DevicedIspName", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname\"", "\"devicedispname\""),
+ new ClaimsKnowledge("DeviceId", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier\"", "\"deviceid\""),
+ new ClaimsKnowledge("DeviceIsManaged", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged\"", "\"deviceismanaged\""),
+ new ClaimsKnowledge("DeviceOsType", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype\"", "\"deviceostype\""),
+ new ClaimsKnowledge("DeviceOsVer", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion\"", "\"deviceosver\""),
+ new ClaimsKnowledge("DeviceOwner", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner\"", "\"deviceowner\""),
+ new ClaimsKnowledge("DeviceRegId", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid\"", "\"deviceregid\""),
+ new ClaimsKnowledge("EndpointPath", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path\"", "\"endpointpath\""),
+ new ClaimsKnowledge("ForwardedClientIp", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip\"", "\"forwardedclientip\"", "\"fwt\""),
+ new ClaimsKnowledge("Group", true, false, true, "", "\"http://schemas.xmlsoap.org/claims/Group\"", "\"group\""),
+ new ClaimsKnowledge("GroupsId", true, false, true, "", "ClaimTypes.GroupSid", "\"groupsid\""),
+ new ClaimsKnowledge("IdTyp", false, false, true, "", "\"idtyp\""),
+ new ClaimsKnowledge("Idp", false, false, true, "", "\"http://schemas.microsoft.com/identity/claims/identityprovider\"", "\"idp\""),
+ new ClaimsKnowledge("InsideCorporateNetwork", false, false, true, "", "\"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork\"", "\"insidecorporatenetwork\""),
+ new ClaimsKnowledge("IsRegisteredUser", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser\"", "\"isregistereduser\""),
+ new ClaimsKnowledge("LoginHint", false, false, false, "", "\"login_hint\""),
+ new ClaimsKnowledge("Ppid", false, false, true, "", "\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier\"", "\"ppid\""),
+ new ClaimsKnowledge("Primarygroupsid", false, false, true, "", "ClaimTypes.PrimaryGroupSid", "\"primarygroupsid\""),
+ new ClaimsKnowledge("Primarysid", false, false, true, "", "ClaimTypes.PrimarySid", "\"primarysid\""),
+ new ClaimsKnowledge("Proxy", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy\"", "\"proxy\""),
+ new ClaimsKnowledge("PwdChgEndpoint", false, false, true, "", "\"http://schemas.microsoft.com/ws/2012/01/passwordchangeurl\"", "\"pwdchgurl\""),
+ new ClaimsKnowledge("PwdExpDays", false, false, true, "", "\"http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays\"", "\"pwdexpdays\""),
+ new ClaimsKnowledge("PwdExpTime", false, false, true, "", "\"http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime\"", "\"pwdexptime\""),
+ new ClaimsKnowledge("RelyingPartyTrustId", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid\"", "\"relyingpartytrustid\""),
+ new ClaimsKnowledge("Role", true, true, true, "", "ClaimTypes.Role", "\"role\"", "\"roles\""),
+ new ClaimsKnowledge("Sid", false, false, true, "", "\"sid\""),
+ new ClaimsKnowledge("Upn", false, false, true, "", "ClaimTypes.Upn", "\"upn\""),
+ new ClaimsKnowledge("Winaccountname", false, false, true, "", "ClaimTypes.WindowsAccountName", "\"winaccountname\""),
+ new ClaimsKnowledge("VerifiedPrimaryEmail", false, false, true, "EUPI", "\"verified_primary_email\""),
+ new ClaimsKnowledge("VerifiedSecondaryEmail", false, false, true, "EUPI", "\"verified_secondary_email\""),
+ new ClaimsKnowledge("VNet", false, false, true, "", "\"vnet\""),
+ new ClaimsKnowledge("PreferedDataLocation", false, false, true, "", "\"xms_pdl\""),
+ new ClaimsKnowledge("UserPreferedLanguage", false, false, true, "", "\"xms_tpl\""),
+ new ClaimsKnowledge("ZeroTouchDeploymentId", false, false, true, "", "\"ztdid\""),
+};
+#>
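Review bot: The `ClientApplication` row sets `usableForAuthorization` to true, which makes the template document `GetClientApplication` as "safe to use for authorization", yet its long name is a request-context claim (`x-ms-client-application`) and presumably mirrors what the client reported; please confirm that flag or set it to false. The privacy column is also inconsistent: `ClientIp` and `Adfs1Upn` are `EUPI` while `ForwardedClientIp` and `Upn` are empty, so the same kind of data gets different generated remarks. The `ForwardedClientIp` row additionally introduces the short name `"fwt"`, which adds an entry to the default inbound map in ClaimTypeMapping.cs and is not mentioned in the commit description. Accessor names such as `CertBasicVonstraints` and `DevicedIspName` become public method names, so the spelling is worth fixing before this ships.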
diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimsTypeAccessor.cs b/src/System.IdentityModel.Tokens.Jwt/ClaimsTypeAccessor.cs
new file mode 100644
index 0000000000..3cbc2a9b48
--- /dev/null
+++ b/src/System.IdentityModel.Tokens.Jwt/ClaimsTypeAccessor.cs
@@ -0,0 +1,163 @@
+// ------------------------------------------------------------------------------
+//
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+//
+//------------------------------------------------------------------------------
+
+// THIS FILE IS AUTOMATICALLY GENERATED FROM ClaimsTypeMapping.tt USING T4
+// DON'T UPDATE MANUALLY
+
+using System.Collections.Generic;
+using System.Security.Claims;
+using System.Linq;
+
+namespace System.IdentityModel.Tokens.Jwt
+{
+ ///
+ /// Defines the inbound and outbound mapping for claim claim types from jwt to .net claim
+ ///
+ public static partial class ClaimPrincipalExtensions
+ {
+ ///
+ /// Verifies that the token has any of the claims required.
+ ///
+ /// claims identity
+ /// Type (name) of the required claims
+ ///
+ public static bool ContainsAnyClaim(this ClaimsPrincipal user, params string[] requiredClaims)
+ {
+ if (user == null)
+ {
+ throw new ArgumentNullException(nameof(user));
+ }
+ return user.Claims.Any(claim => requiredClaims.Contains(claim.Type));
+ }
+
+ ///
+ /// Get the value of a claim including several overrides of the claims (due to ASP.NET
+ /// and ASP.NET Core using Claims mapping)
+ ///
+ /// Claims principal
+ /// Names of the claims to consider
+ /// The first value of requested claims
+ ///
+ private static string GetClaimValue(this ClaimsPrincipal claimsPrincipal, params string[] claimNames)
+ {
+ for (var i = 0; i < claimNames.Length; i++)
+ {
+ var currentValue = claimsPrincipal.FindFirstValue(claimNames[i]);
+ if (!string.IsNullOrEmpty(currentValue))
+ {
+ return currentValue;
+ }
+ }
+
+ return null;
+ }
+
+ ///
+ /// Get the value of a claim including several overrides of the claims (due to ASP.NET
+ /// and ASP.NET Core using Claims mapping)
+ ///
+ /// Claims identity
+ /// Names of the claims to consider
+ /// The first value of requested claims
+ ///
+ private static string GetClaimValue(this ClaimsIdentity claimsIdentity, params string[] claimNames)
+ {
+ for (var i = 0; i < claimNames.Length; i++)
+ {
+ var currentValue = claimsIdentity.FindFirstValue(claimNames[i]);
+ if (!string.IsNullOrEmpty(currentValue))
+ {
+ return currentValue;
+ }
+ }
+
+ return null;
+ }
+
+ ///
+ /// Get all the values of the claims including several overrides of the claims (due to ASP.NET
+ /// and ASP.NET Core using Claims mapping)
+ ///
+ /// Claims principal
+ /// Names of the claims to consider
+ /// All the values of requested claims
+ ///
+ private static IEnumerable GetAllClaimValues(this ClaimsPrincipal claimsPrincipal, params string[] claimNames)
+ {
+ for (var i = 0; i < claimNames.Length; i++)
+ {
+ var currentValues = claimsPrincipal.FindAll(claimNames[i]);
+ foreach (Claim
claim in currentValues) + { + yield return claim.Value; + } + } + } + + /// + /// Get all the values of the claims including several overrides of the claims (due to ASP.NET + /// and ASP.NET Core using Claims mapping) + /// + /// Claims principal + /// Names of the claims to consider + /// All the values of requested claims + /// + private static IEnumerable GetAllClaimValues(this ClaimsIdentity claimsIdentity, params string[] claimNames) + { + for (var i = 0; i < claimNames.Length; i++) + { + var currentValues = claimsIdentity.FindAll(claimNames[i]); + foreach (Claim claim in currentValues) + { + yield return claim.Value; + } + } + } + + /// + /// Find the value of the first claim of a given type + /// + /// Claims principal + /// Claim's type (claims name) + /// The value (can be null if the claim is not present) + private static string FindFirstValue(this ClaimsPrincipal claimsPrincipal, string type) + { + return claimsPrincipal.FindFirst(type)?.Value; + } + + /// + /// Find the value of the first claim of a given type + /// + /// Claims identity + /// Claim's type (claims name) + /// The value (can be null if the claim is not present) + private static string FindFirstValue(this ClaimsIdentity claimsIdentity, string type) + { + return claimsIdentity.FindFirst(type)?.Value; + } + } +} diff --git a/src/System.IdentityModel.Tokens.Jwt/System.IdentityModel.Tokens.Jwt.csproj b/src/System.IdentityModel.Tokens.Jwt/System.IdentityModel.Tokens.Jwt.csproj index 0e589c35ec..6a79c8846a 100644 --- a/src/System.IdentityModel.Tokens.Jwt/System.IdentityModel.Tokens.Jwt.csproj +++ b/src/System.IdentityModel.Tokens.Jwt/System.IdentityModel.Tokens.Jwt.csproj @@ -26,5 +26,36 @@ + + + + + + + ClaimTypeAccessor.gen.cs + TextTemplatingFileGenerator + + + TextTemplatingFileGenerator + ClaimTypeMapping.cs + + + + + + + + + + True + True + ClaimTypeAccessor.tt + + + True + True + ClaimTypeMapping.tt + + From bbdaf025c3d8c9f62463f527128d642be7ac9a27 Mon Sep 17 00:00:00 2001 
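Review bot: `ContainsAnyClaim` in ClaimsTypeAccessor.cs guards `user` but not `requiredClaims`, so a null array only fails from inside the `Any` lambda (and only when the principal carries at least one claim), while an empty array quietly returns false; I would add `if (requiredClaims == null) throw new ArgumentNullException(nameof(requiredClaims));` next to the existing guard. The match is on claim type alone and uses the default case-sensitive `Contains`, whereas the `FindFirst`/`FindAll` calls behind the other helpers in this file compare types with `OrdinalIgnoreCase`, so the same token can satisfy one helper and not the other; `requiredClaims.Contains(claim.Type, StringComparer.OrdinalIgnoreCase)` would make them agree. Because the summary presents this as verifying that a token has the required claims, callers may lean on it for authorization, and the doc comment should state the limit, e.g. `/// Only the claim type is compared; claim values and issuers are not checked.`. Separately, the banner says the file is generated from ClaimsTypeMapping.tt, but the csproj hunk lists only ClaimTypeAccessor.gen.cs and ClaimTypeMapping.cs as template outputs, so the file appears to be hand-written and the "DON'T UPDATE MANUALLY" banner looks misleading.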
From: Jean-Marc Prieur Date: Wed, 23 Mar 2022 19:30:14 -0700 Subject: [PATCH 02/13] Fixing spacing --- .../ClaimTypeMapping.cs | 148 +++++++++--------- .../ClaimTypeMapping.tt | 2 +- 2 files changed, 75 insertions(+), 75 deletions(-) diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.cs b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.cs index c12117f733..dbae49e4df 100644 --- a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.cs +++ b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.cs 
@@ -43,80 +43,80 @@ internal static class ClaimTypeMapping // value is the short claim type private static Dictionary shortToLongClaimTypeMapping = new Dictionary { - { JwtRegisteredClaimNames.Actort, ClaimTypes.Actor }, - { JwtRegisteredClaimNames.Birthdate, ClaimTypes.DateOfBirth }, - { JwtRegisteredClaimNames.Email, ClaimTypes.Email }, - { JwtRegisteredClaimNames.FamilyName, ClaimTypes.Surname }, - { JwtRegisteredClaimNames.Gender, ClaimTypes.Gender }, - { JwtRegisteredClaimNames.GivenName, ClaimTypes.GivenName }, - { JwtRegisteredClaimNames.NameId, ClaimTypes.NameIdentifier }, - { JwtRegisteredClaimNames.Sub, ClaimTypes.NameIdentifier }, - { JwtRegisteredClaimNames.Website, ClaimTypes.Webpage }, - { JwtRegisteredClaimNames.UniqueName, ClaimTypes.Name }, - { "oid", "http://schemas.microsoft.com/identity/claims/objectidentifier" }, - { "scp", "http://schemas.microsoft.com/identity/claims/scope" }, - { "tid", "http://schemas.microsoft.com/identity/claims/tenantid" }, - { "acr", "http://schemas.microsoft.com/claims/authnclassreference" }, - { "adfs1email", "http://schemas.xmlsoap.org/claims/EmailAddress" }, - { "adfs1upn", "http://schemas.xmlsoap.org/claims/UPN" }, - { "amr", "http://schemas.microsoft.com/claims/authnmethodsreferences" }, - { "authmethod", ClaimTypes.AuthenticationMethod }, - { "certapppolicy", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy" }, - { "certauthoritykeyidentifier", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier" }, - { "certbasicconstraints", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints" }, - { "certeku", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku" }, - { "certissuer", "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer" }, - { "certissuername", "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername" }, - { "certkeyusage", 
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage" }, - { "certnotafter", "http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter" }, - { "certnotbefore", "http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore" }, - { "certpolicy", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy" }, - { "certpublickey", ClaimTypes.Rsa }, - { "certrawdata", "http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata" }, - { "certserialnumber", ClaimTypes.SerialNumber }, - { "certsignaturealgorithm", "http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm" }, - { "certsubject", "http://schemas.microsoft.com/2012/12/certificatecontext/field/subject" }, - { "certsubjectaltname", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/san" }, - { "certsubjectkeyidentifier", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier" }, - { "certsubjectname", "http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname" }, - { "certtemplateinformation", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation" }, - { "certtemplatename", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename" }, - { "certthumbprint", ClaimTypes.Thumbprint }, - { "certx509version", "http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version" }, - { "clientapplication", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application" }, - { "clientip", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip" }, - { "clientuseragent", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent" }, - { "commonname", "http://schemas.xmlsoap.org/claims/CommonName" }, - { "denyonlyprimarygroupsid", ClaimTypes.DenyOnlyPrimaryGroupSid }, - { "denyonlyprimarysid", 
ClaimTypes.DenyOnlyPrimarySid }, - { "denyonlysid", ClaimTypes.DenyOnlySid }, - { "devicedispname", "http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname" }, - { "deviceid", "http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier" }, - { "deviceismanaged", "http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged" }, - { "deviceostype", "http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype" }, - { "deviceosver", "http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion" }, - { "deviceowner", "http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner" }, - { "deviceregid", "http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid" }, - { "endpointpath", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path" }, - { "forwardedclientip", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" }, - { "fwt", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" }, - { "group", "http://schemas.xmlsoap.org/claims/Group" }, - { "groupsid", ClaimTypes.GroupSid }, - { "idp", "http://schemas.microsoft.com/identity/claims/identityprovider" }, - { "insidecorporatenetwork", "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" }, - { "isregistereduser", "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" }, - { "ppid", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" }, - { "primarygroupsid", ClaimTypes.PrimaryGroupSid }, - { "primarysid", ClaimTypes.PrimarySid }, - { "proxy", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy" }, - { "pwdchgurl", "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl" }, - { "pwdexpdays", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays" }, - { "pwdexptime", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime" }, - { "relyingpartytrustid", 
"http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid" }, - { "role", ClaimTypes.Role }, - { "roles", ClaimTypes.Role }, - { "upn", ClaimTypes.Upn }, - { "winaccountname", ClaimTypes.WindowsAccountName }, + { JwtRegisteredClaimNames.Actort, ClaimTypes.Actor }, + { JwtRegisteredClaimNames.Birthdate, ClaimTypes.DateOfBirth }, + { JwtRegisteredClaimNames.Email, ClaimTypes.Email }, + { JwtRegisteredClaimNames.FamilyName, ClaimTypes.Surname }, + { JwtRegisteredClaimNames.Gender, ClaimTypes.Gender }, + { JwtRegisteredClaimNames.GivenName, ClaimTypes.GivenName }, + { JwtRegisteredClaimNames.NameId, ClaimTypes.NameIdentifier }, + { JwtRegisteredClaimNames.Sub, ClaimTypes.NameIdentifier }, + { JwtRegisteredClaimNames.Website, ClaimTypes.Webpage }, + { JwtRegisteredClaimNames.UniqueName, ClaimTypes.Name }, + { "oid", "http://schemas.microsoft.com/identity/claims/objectidentifier" }, + { "scp", "http://schemas.microsoft.com/identity/claims/scope" }, + { "tid", "http://schemas.microsoft.com/identity/claims/tenantid" }, + { "acr", "http://schemas.microsoft.com/claims/authnclassreference" }, + { "adfs1email", "http://schemas.xmlsoap.org/claims/EmailAddress" }, + { "adfs1upn", "http://schemas.xmlsoap.org/claims/UPN" }, + { "amr", "http://schemas.microsoft.com/claims/authnmethodsreferences" }, + { "authmethod", ClaimTypes.AuthenticationMethod }, + { "certapppolicy", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy" }, + { "certauthoritykeyidentifier", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier" }, + { "certbasicconstraints", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints" }, + { "certeku", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku" }, + { "certissuer", "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer" }, + { "certissuername", 
"http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername" }, + { "certkeyusage", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage" }, + { "certnotafter", "http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter" }, + { "certnotbefore", "http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore" }, + { "certpolicy", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy" }, + { "certpublickey", ClaimTypes.Rsa }, + { "certrawdata", "http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata" }, + { "certserialnumber", ClaimTypes.SerialNumber }, + { "certsignaturealgorithm", "http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm" }, + { "certsubject", "http://schemas.microsoft.com/2012/12/certificatecontext/field/subject" }, + { "certsubjectaltname", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/san" }, + { "certsubjectkeyidentifier", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier" }, + { "certsubjectname", "http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname" }, + { "certtemplateinformation", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation" }, + { "certtemplatename", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename" }, + { "certthumbprint", ClaimTypes.Thumbprint }, + { "certx509version", "http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version" }, + { "clientapplication", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application" }, + { "clientip", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip" }, + { "clientuseragent", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent" }, + { "commonname", "http://schemas.xmlsoap.org/claims/CommonName" }, + { 
"denyonlyprimarygroupsid", ClaimTypes.DenyOnlyPrimaryGroupSid }, + { "denyonlyprimarysid", ClaimTypes.DenyOnlyPrimarySid }, + { "denyonlysid", ClaimTypes.DenyOnlySid }, + { "devicedispname", "http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname" }, + { "deviceid", "http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier" }, + { "deviceismanaged", "http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged" }, + { "deviceostype", "http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype" }, + { "deviceosver", "http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion" }, + { "deviceowner", "http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner" }, + { "deviceregid", "http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid" }, + { "endpointpath", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path" }, + { "forwardedclientip", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" }, + { "fwt", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" }, + { "group", "http://schemas.xmlsoap.org/claims/Group" }, + { "groupsid", ClaimTypes.GroupSid }, + { "idp", "http://schemas.microsoft.com/identity/claims/identityprovider" }, + { "insidecorporatenetwork", "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" }, + { "isregistereduser", "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" }, + { "ppid", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" }, + { "primarygroupsid", ClaimTypes.PrimaryGroupSid }, + { "primarysid", ClaimTypes.PrimarySid }, + { "proxy", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy" }, + { "pwdchgurl", "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl" }, + { "pwdexpdays", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays" }, + { "pwdexptime", 
"http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime" }, + { "relyingpartytrustid", "http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid" }, + { "role", ClaimTypes.Role }, + { "roles", ClaimTypes.Role }, + { "upn", ClaimTypes.Upn }, + { "winaccountname", ClaimTypes.WindowsAccountName }, }; private static IDictionary longToShortClaimTypeMapping = new Dictionary(); diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.tt b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.tt index 7e40f84474..d763c68f86 100644 --- a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.tt +++ b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.tt @@ -56,7 +56,7 @@ namespace System.IdentityModel.Tokens.Jwt foreach(string shortClaimType in c.ShortClaimNames) { #> - { <#=shortClaimType#>, <#=c.LongClaimName#> }, + { <#=shortClaimType#>, <#=c.LongClaimName#> }, <# } } From 2b89eeae784e16eb8434aec16e9ad7d6c6b215c3 Mon Sep 17 00:00:00 2001 From: Jean-Marc Prieur Date: Wed, 23 Mar 2022 19:36:12 -0700 Subject: [PATCH 03/13] Fixing a comment. --- src/System.IdentityModel.Tokens.Jwt/ClaimsTypeAccessor.cs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimsTypeAccessor.cs b/src/System.IdentityModel.Tokens.Jwt/ClaimsTypeAccessor.cs index 3cbc2a9b48..e1fc32ad4d 100644 --- a/src/System.IdentityModel.Tokens.Jwt/ClaimsTypeAccessor.cs +++ b/src/System.IdentityModel.Tokens.Jwt/ClaimsTypeAccessor.cs @@ -35,7 +35,8 @@ namespace System.IdentityModel.Tokens.Jwt { /// - /// Defines the inbound and outbound mapping for claim claim types from jwt to .net claim + /// Defines extension methods to access claims by purpose, and not by name, making it compatible + /// with several versions of tokens. /// public static partial class ClaimPrincipalExtensions { From bb86cda55ee203f838e5062fcd781c60fdedfffa Mon Sep 17 00:00:00 2001 
From: Jean-Marc Prieur Date: Thu, 24 Mar 2022 16:05:16 -0700 Subject: [PATCH 04/13] Remove the fmt claim from the mapping. --- src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs | 4 ---- src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.cs | 1 - src/System.IdentityModel.Tokens.Jwt/ClaimsKnowledge.tti | 2 +- 3 files changed, 1 insertion(+), 6 deletions(-) diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs index 3a32b21f8a..95c2a4b032 100644 --- a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs +++ b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs @@ -2212,7 +2212,6 @@ public static string GetEndpointPath(this ClaimsIdentity claimsIdentity) /// Returns the first claim corresponding to ForwardedClientIp claim on a ClaimsPrincipal /// /// "forwardedclientip" - /// "fwt" /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" /// /// @@ -2225,7 +2224,6 @@ public static string GetForwardedClientIp(this ClaimsPrincipal claimsPrincipal) } return claimsPrincipal.GetClaimValue( "forwardedclientip", - "fwt", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"); } @@ -2233,7 +2231,6 @@ public static string GetForwardedClientIp(this ClaimsPrincipal claimsPrincipal) /// Returns the first claim corresponding to ForwardedClientIp claim on a ClaimsIdentity /// /// "forwardedclientip" - /// "fwt" /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" /// /// @@ -2246,7 +2243,6 @@ public static string GetForwardedClientIp(this ClaimsIdentity claimsIdentity) } return claimsIdentity.GetClaimValue( "forwardedclientip", - "fwt", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"); } /// 
diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.cs b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.cs index dbae49e4df..67ed56e121 100644 --- a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.cs +++ b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.cs @@ -99,7 +99,6 @@ internal static class ClaimTypeMapping { "deviceregid", "http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid" }, { "endpointpath", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path" }, { "forwardedclientip", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" }, - { "fwt", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" }, { "group", "http://schemas.xmlsoap.org/claims/Group" }, { "groupsid", ClaimTypes.GroupSid }, { "idp", "http://schemas.microsoft.com/identity/claims/identityprovider" }, diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimsKnowledge.tti b/src/System.IdentityModel.Tokens.Jwt/ClaimsKnowledge.tti index d09e698251..971c7434c2 100644 --- a/src/System.IdentityModel.Tokens.Jwt/ClaimsKnowledge.tti +++ b/src/System.IdentityModel.Tokens.Jwt/ClaimsKnowledge.tti 
@@ -111,7 +111,7 @@ ClaimsKnowledge[] claimsKnowledge = new ClaimsKnowledge[] new ClaimsKnowledge("DeviceOwner", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner\"", "\"deviceowner\""), new ClaimsKnowledge("DeviceRegId", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid\"", "\"deviceregid\""), new ClaimsKnowledge("EndpointPath", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path\"", "\"endpointpath\""), - new ClaimsKnowledge("ForwardedClientIp", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip\"", "\"forwardedclientip\"", "\"fwt\""), + new ClaimsKnowledge("ForwardedClientIp", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip\"", "\"forwardedclientip\""), new ClaimsKnowledge("Group", true, false, true, "", "\"http://schemas.xmlsoap.org/claims/Group\"", "\"group\""), new ClaimsKnowledge("GroupsId", true, false, true, "", "ClaimTypes.GroupSid", "\"groupsid\""), new ClaimsKnowledge("IdTyp", false, false, true, "", "\"idtyp\""), From 8ae45d9ec66c69180251fa42dd814e3234d76e2c Mon Sep 17 00:00:00 2001 From: Jean-Marc Prieur Date: Thu, 24 Mar 2022 16:24:30 -0700 Subject: [PATCH 05/13] Adding a generator for some documentation --- .../ClaimsAccessorsDoc.md | 85 +++++++++++++++++++ .../ClaimsAccessorsDoc.tt | 20 +++++ .../System.IdentityModel.Tokens.Jwt.csproj | 17 ++++ 3 files changed, 122 insertions(+) create mode 100644 src/System.IdentityModel.Tokens.Jwt/ClaimsAccessorsDoc.md create mode 100644 src/System.IdentityModel.Tokens.Jwt/ClaimsAccessorsDoc.tt diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimsAccessorsDoc.md b/src/System.IdentityModel.Tokens.Jwt/ClaimsAccessorsDoc.md new file mode 100644 index 0000000000..f295664222 --- /dev/null 
+++ b/src/System.IdentityModel.Tokens.Jwt/ClaimsAccessorsDoc.md @@ -0,0 +1,85 @@ + +# Claims + +Type | Accessor | Used for authorization | Privacy | Claims +-- | -- | -- | -- | -- +string | GetActor | False | | JwtRegisteredClaimNames.Actort
ClaimTypes.Actor +string | GetBirthdate | False | EUII | JwtRegisteredClaimNames.Birthdate
ClaimTypes.DateOfBirth +string | GetEmail | False | EUII | JwtRegisteredClaimNames.Email
ClaimTypes.Email +string | GetFamilyName | False | EUII | JwtRegisteredClaimNames.FamilyName
ClaimTypes.Surname +string | GetGender | False | EUII | JwtRegisteredClaimNames.Gender
ClaimTypes.Gender +string | GetGivenName | False | EUII | JwtRegisteredClaimNames.GivenName
ClaimTypes.GivenName +string | GetNameid | False | | JwtRegisteredClaimNames.NameId
ClaimTypes.NameIdentifier +string | GetSub | False | | JwtRegisteredClaimNames.Sub
ClaimTypes.NameIdentifier +string | GetWebsite | False | | JwtRegisteredClaimNames.Website
ClaimTypes.Webpage +string | GetUniqueName | False | | JwtRegisteredClaimNames.UniqueName
ClaimTypes.Name +string | GetObjectId | True | EUPI | "oid"
"http://schemas.microsoft.com/identity/claims/objectidentifier" +IEnumerable | GetScopes | True | | "scp"
"http://schemas.microsoft.com/identity/claims/scope" +string | GetTenantId | True | OII | "tid"
"http://schemas.microsoft.com/identity/claims/tenantid" +string | GetAcr | False | | "acr"
"http://schemas.microsoft.com/claims/authnclassreference" +string | GetAdfs1Email | False | EUPI | "adfs1email"
"http://schemas.xmlsoap.org/claims/EmailAddress" +string | GetAdfs1Upn | False | EUPI | "adfs1upn"
"http://schemas.xmlsoap.org/claims/UPN" +string | GetAmr | False | | "amr"
"http://schemas.microsoft.com/claims/authnmethodsreferences" +string | GetAuthMethod | False | | "authmethod"
ClaimTypes.AuthenticationMethod +string | GetCertAppPolicy | False | | "certapppolicy"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy" +string | GetCertAuthorityKeyIdentifier | False | | "certauthoritykeyidentifier"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier" +string | GetCertBasicVonstraints | False | | "certbasicconstraints"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints" +string | GetCertEku | False | | "certeku"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku" +string | GetCertIssuer | False | | "certissuer"
"http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer" +string | GetCertIssuerName | False | | "certissuername"
"http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername" +string | GetCertKeyUsage | False | | "certkeyusage"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage" +string | GetCertNotAfter | False | | "certnotafter"
"http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter" +string | GetCertNotBefore | False | | "certnotbefore"
"http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore" +string | GetCertPolicy | False | | "certpolicy"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy" +string | GetCertPublickey | False | | "certpublickey"
ClaimTypes.Rsa +string | GetCertRawData | False | | "certrawdata"
"http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata" +string | GetCertSerialNumber | False | | "certserialnumber"
ClaimTypes.SerialNumber +string | GetCertSignatureAlgorithm | False | | "certsignaturealgorithm"
"http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm" +string | GetCertSubject | False | | "certsubject"
"http://schemas.microsoft.com/2012/12/certificatecontext/field/subject" +string | GetCertSubjectAltName | False | | "certsubjectaltname"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/san" +string | GetCertSubjectKeyIdentifier | False | | "certsubjectkeyidentifier"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier" +string | GetCertSubjectName | False | | "certsubjectname"
"http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname" +string | GetCertTemplateInformation | False | | "certtemplateinformation"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation" +string | GetCertTemplateName | False | | "certtemplatename"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename" +string | GetCertThumbprint | False | | "certthumbprint"
ClaimTypes.Thumbprint +string | GetCertX509Version | False | | "certx509version"
"http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version" +string | GetClientApplication | True | | "clientapplication"
"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application" +string | GetClientIp | False | EUPI | "clientip"
"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip" +string | GetClientUserAgent | False | | "clientuseragent"
"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent" +string | GetCommonName | False | EUPI | "commonname"
"http://schemas.xmlsoap.org/claims/CommonName" +string | GetDenyOnlyPrimaryGroupSid | False | | "denyonlyprimarygroupsid"
ClaimTypes.DenyOnlyPrimaryGroupSid +string | GetDenyOnlyPrimarySid | False | | "denyonlyprimarysid"
ClaimTypes.DenyOnlyPrimarySid +string | GetDenyOnlySid | False | | "denyonlysid"
ClaimTypes.DenyOnlySid +string | GetDevicedIspName | False | | "devicedispname"
"http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname" +string | GetDeviceId | False | | "deviceid"
"http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier" +string | GetDeviceIsManaged | False | | "deviceismanaged"
"http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged" +string | GetDeviceOsType | False | | "deviceostype"
"http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype" +string | GetDeviceOsVer | False | | "deviceosver"
"http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion" +string | GetDeviceOwner | False | | "deviceowner"
"http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner" +string | GetDeviceRegId | False | | "deviceregid"
"http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid" +string | GetEndpointPath | False | | "endpointpath"
"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path" +string | GetForwardedClientIp | False | | "forwardedclientip"
"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" +IEnumerable | GetGroup | False | | "group"
"http://schemas.xmlsoap.org/claims/Group" +IEnumerable | GetGroupsId | False | | "groupsid"
ClaimTypes.GroupSid +string | GetIdTyp | False | | "idtyp" +string | GetIdp | False | | "idp"
"http://schemas.microsoft.com/identity/claims/identityprovider" +string | GetInsideCorporateNetwork | False | | "insidecorporatenetwork"
"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" +string | GetIsRegisteredUser | False | | "isregistereduser"
"http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" +string | GetPpid | False | | "ppid"
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" +string | GetPrimarygroupsid | False | | "primarygroupsid"
ClaimTypes.PrimaryGroupSid +string | GetPrimarysid | False | | "primarysid"
ClaimTypes.PrimarySid +string | GetProxy | False | | "proxy"
"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy" +string | GetPwdChgEndpoint | False | | "pwdchgurl"
"http://schemas.microsoft.com/ws/2012/01/passwordchangeurl" +string | GetPwdExpDays | False | | "pwdexpdays"
"http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays" +string | GetPwdExpTime | False | | "pwdexptime"
"http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime" +string | GetRelyingPartyTrustId | False | | "relyingpartytrustid"
"http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid" +IEnumerable | GetRole | True | | "role"
"roles"
ClaimTypes.Role +string | GetSid | False | | "sid" +string | GetUpn | False | | "upn"
ClaimTypes.Upn +string | GetWinaccountname | False | | "winaccountname"
ClaimTypes.WindowsAccountName +string | GetVerifiedPrimaryEmail | False | EUPI | "verified_primary_email" +string | GetVerifiedSecondaryEmail | False | EUPI | "verified_secondary_email" +string | GetVNet | False | | "vnet" +string | GetPreferedDataLocation | False | | "xms_pdl" +string | GetUserPreferedLanguage | False | | "xms_tpl" +string | GetZeroTouchDeploymentId | False | | "ztdid" diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimsAccessorsDoc.tt b/src/System.IdentityModel.Tokens.Jwt/ClaimsAccessorsDoc.tt new file mode 100644 index 0000000000..acece29b94 --- /dev/null +++ b/src/System.IdentityModel.Tokens.Jwt/ClaimsAccessorsDoc.tt @@ -0,0 +1,20 @@ +<#@ template debug="false" hostspecific="false" language="C#" #> +<#@ assembly name="System.Core" #> +<#@ import namespace="System.Linq" #> +<#@ import namespace="System.Text" #> +<#@ import namespace="System.Collections.Generic" #> +<#@ output extension=".md" #> +<#@ include file="ClaimsKnowledge.tti" #> + +# Claims + +Type | Accessor | Used for authorization | Privacy | Claims +-- | -- | -- | -- | -- +<# + foreach(ClaimsKnowledge c in claimsKnowledge.Where(c => c.GenerateMapping)) + { +#> +<#=c.HasMultipleInstances ? "IEnumerable" : "string" #> | Get<#=c.AccessorName #> | <#= c.IsUsableInAuthorizationPolicies #> | <#= c.PrivacyCategory #> | <#= string.Join("
", c.AllClaimNames) #> +<# + } +#> diff --git a/src/System.IdentityModel.Tokens.Jwt/System.IdentityModel.Tokens.Jwt.csproj b/src/System.IdentityModel.Tokens.Jwt/System.IdentityModel.Tokens.Jwt.csproj index 6a79c8846a..dc3bee71fb 100644 --- a/src/System.IdentityModel.Tokens.Jwt/System.IdentityModel.Tokens.Jwt.csproj +++ b/src/System.IdentityModel.Tokens.Jwt/System.IdentityModel.Tokens.Jwt.csproj @@ -15,6 +15,14 @@ true + + + True + True + ClaimsAccessorsDoc.tt + + + all @@ -28,6 +36,15 @@ + + True + True + ClaimsAccessorsDoc.tt + + + TextTemplatingFileGenerator + ClaimsAccessorsDoc.md + From c9f408d232d6126b7cc52b811d8cb357d04205a2 Mon Sep 17 00:00:00 2001 From: Jean-Marc Prieur Date: Thu, 24 Mar 2022 17:35:11 -0700 Subject: [PATCH 06/13] - Fixing names form a few claims accessors - Adding indication of safety for authorization on all claims --- .../ClaimTypeAccessor.gen.cs | 240 +++++++++++++++--- .../ClaimTypeAccessor.tt | 28 +- .../ClaimsAccessorsDoc.md | 14 +- .../ClaimsKnowledge.tti | 14 +- .../System.IdentityModel.Tokens.Jwt.csproj | 8 - 5 files changed, 216 insertions(+), 88 deletions(-) diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs index 95c2a4b032..654e1a2aca 100644 --- a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs +++ b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs @@ -45,6 +45,7 @@ public static partial class ClaimPrincipalExtensions /// JwtRegisteredClaimNames.Actort /// ClaimTypes.Actor /// + /// This method returns information that is NOT safe to use for authorization. ///
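Review bot: The column header `Used for authorization` in the added ClaimsAccessorsDoc.tt is ambiguous next to the bare `True`/`False` printed from `c.IsUsableInAuthorizationPolicies`, and the template emits no legend, so a reader of the generated ClaimsAccessorsDoc.md cannot tell that `False` is meant as "do not base an authorization decision on this claim". The XML docs generated later in this series word the same flag as "NOT safe to use for authorization", and the markdown should match, for example with the header `Type | Accessor | Safe for authorization | Privacy | Claims`. I would also add one line under `# Claims`, such as `False in "Safe for authorization" means the claim value must not be used in an authorization policy.` The meaning of the flag is inferred from those XML docs, because ClaimsKnowledge.tti is not part of this hunk.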
/// Claims ClaimsPrincipal from which to get the Actor. public static string GetActor(this ClaimsPrincipal claimsPrincipal) @@ -64,6 +65,7 @@ public static string GetActor(this ClaimsPrincipal claimsPrincipal) /// JwtRegisteredClaimNames.Actort /// ClaimTypes.Actor /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the Actor. public static string GetActor(this ClaimsIdentity claimsIdentity) @@ -116,6 +118,7 @@ public static string GetIsGuest(this ClaimsIdentity claimsIdentity) /// /// "auth_time" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the LastAuthenticatedTime. public static string GetLastAuthenticatedTime(this ClaimsPrincipal claimsPrincipal) @@ -133,6 +136,7 @@ public static string GetLastAuthenticatedTime(this ClaimsPrincipal claimsPrincip /// /// "auth_time" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the LastAuthenticatedTime. public static string GetLastAuthenticatedTime(this ClaimsIdentity claimsIdentity) @@ -150,6 +154,7 @@ public static string GetLastAuthenticatedTime(this ClaimsIdentity claimsIdentity /// JwtRegisteredClaimNames.Birthdate /// ClaimTypes.DateOfBirth /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUII. /// /// Claims ClaimsPrincipal from which to get the Birthdate. @@ -170,6 +175,7 @@ public static string GetBirthdate(this ClaimsPrincipal claimsPrincipal) /// JwtRegisteredClaimNames.Birthdate /// ClaimTypes.DateOfBirth /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUII. /// /// Claims ClaimsIdentity from which to get the Birthdate. 
@@ -188,6 +194,7 @@ public static string GetBirthdate(this ClaimsIdentity claimsIdentity) /// /// "ctry" /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUII. /// /// Claims ClaimsPrincipal from which to get the Country. @@ -206,6 +213,7 @@ public static string GetCountry(this ClaimsPrincipal claimsPrincipal) /// /// "ctry" /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUII. /// /// Claims ClaimsIdentity from which to get the Country. @@ -224,6 +232,7 @@ public static string GetCountry(this ClaimsIdentity claimsIdentity) /// JwtRegisteredClaimNames.Email /// ClaimTypes.Email /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUII. /// /// Claims ClaimsPrincipal from which to get the Email. @@ -244,6 +253,7 @@ public static string GetEmail(this ClaimsPrincipal claimsPrincipal) /// JwtRegisteredClaimNames.Email /// ClaimTypes.Email /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUII. /// /// Claims ClaimsIdentity from which to get the Email. @@ -263,6 +273,7 @@ public static string GetEmail(this ClaimsIdentity claimsIdentity) /// JwtRegisteredClaimNames.FamilyName /// ClaimTypes.Surname /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUII. /// /// Claims ClaimsPrincipal from which to get the FamilyName. 
@@ -283,6 +294,7 @@ public static string GetFamilyName(this ClaimsPrincipal claimsPrincipal) /// JwtRegisteredClaimNames.FamilyName /// ClaimTypes.Surname /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUII. /// /// Claims ClaimsIdentity from which to get the FamilyName. @@ -302,6 +314,7 @@ public static string GetFamilyName(this ClaimsIdentity claimsIdentity) /// JwtRegisteredClaimNames.Gender /// ClaimTypes.Gender /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUII. /// /// Claims ClaimsPrincipal from which to get the Gender. @@ -322,6 +335,7 @@ public static string GetGender(this ClaimsPrincipal claimsPrincipal) /// JwtRegisteredClaimNames.Gender /// ClaimTypes.Gender /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUII. /// /// Claims ClaimsIdentity from which to get the Gender. @@ -341,6 +355,7 @@ public static string GetGender(this ClaimsIdentity claimsIdentity) /// JwtRegisteredClaimNames.GivenName /// ClaimTypes.GivenName /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUII. /// /// Claims ClaimsPrincipal from which to get the GivenName. @@ -361,6 +376,7 @@ public static string GetGivenName(this ClaimsPrincipal claimsPrincipal) /// JwtRegisteredClaimNames.GivenName /// ClaimTypes.GivenName /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUII. /// /// Claims ClaimsIdentity from which to get the GivenName. 
@@ -375,14 +391,15 @@ public static string GetGivenName(this ClaimsIdentity claimsIdentity) ClaimTypes.GivenName); } /// - /// Returns the first claim corresponding to Nameid claim on a ClaimsPrincipal + /// Returns the first claim corresponding to NameId claim on a ClaimsPrincipal /// /// JwtRegisteredClaimNames.NameId /// ClaimTypes.NameIdentifier /// + /// This method returns information that is NOT safe to use for authorization. /// - /// Claims ClaimsPrincipal from which to get the Nameid. - public static string GetNameid(this ClaimsPrincipal claimsPrincipal) + /// Claims ClaimsPrincipal from which to get the NameId. + public static string GetNameId(this ClaimsPrincipal claimsPrincipal) { if (claimsPrincipal == null) { @@ -394,14 +411,15 @@ public static string GetNameid(this ClaimsPrincipal claimsPrincipal) } /// - /// Returns the first claim corresponding to Nameid claim on a ClaimsIdentity + /// Returns the first claim corresponding to NameId claim on a ClaimsIdentity /// /// JwtRegisteredClaimNames.NameId /// ClaimTypes.NameIdentifier /// + /// This method returns information that is NOT safe to use for authorization. /// - /// Claims ClaimsIdentity from which to get the Nameid. - public static string GetNameid(this ClaimsIdentity claimsIdentity) + /// Claims ClaimsIdentity from which to get the NameId. + public static string GetNameId(this ClaimsIdentity claimsIdentity) { if (claimsIdentity == null) { 
@@ -412,14 +430,15 @@ public static string GetNameid(this ClaimsIdentity claimsIdentity) ClaimTypes.NameIdentifier); } /// - /// Returns the first claim corresponding to Sub claim on a ClaimsPrincipal + /// Returns the first claim corresponding to Subject claim on a ClaimsPrincipal /// /// JwtRegisteredClaimNames.Sub /// ClaimTypes.NameIdentifier /// + /// This method returns information that is NOT safe to use for authorization. /// - /// Claims ClaimsPrincipal from which to get the Sub. - public static string GetSub(this ClaimsPrincipal claimsPrincipal) + /// Claims ClaimsPrincipal from which to get the Subject. + public static string GetSubject(this ClaimsPrincipal claimsPrincipal) { if (claimsPrincipal == null) { @@ -431,14 +450,15 @@ public static string GetSub(this ClaimsPrincipal claimsPrincipal) } /// - /// Returns the first claim corresponding to Sub claim on a ClaimsIdentity + /// Returns the first claim corresponding to Subject claim on a ClaimsIdentity /// /// JwtRegisteredClaimNames.Sub /// ClaimTypes.NameIdentifier /// + /// This method returns information that is NOT safe to use for authorization. /// - /// Claims ClaimsIdentity from which to get the Sub. - public static string GetSub(this ClaimsIdentity claimsIdentity) + /// Claims ClaimsIdentity from which to get the Subject. + public static string GetSubject(this ClaimsIdentity claimsIdentity) { if (claimsIdentity == null) { @@ -454,6 +474,7 @@ public static string GetSub(this ClaimsIdentity claimsIdentity) /// JwtRegisteredClaimNames.Website /// ClaimTypes.Webpage /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the Website. public static string GetWebsite(this ClaimsPrincipal claimsPrincipal) 
@@ -473,6 +494,7 @@ public static string GetWebsite(this ClaimsPrincipal claimsPrincipal) /// JwtRegisteredClaimNames.Website /// ClaimTypes.Webpage /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the Website. public static string GetWebsite(this ClaimsIdentity claimsIdentity) @@ -491,6 +513,7 @@ public static string GetWebsite(this ClaimsIdentity claimsIdentity) /// JwtRegisteredClaimNames.UniqueName /// ClaimTypes.Name /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the UniqueName. public static string GetUniqueName(this ClaimsPrincipal claimsPrincipal) @@ -510,6 +533,7 @@ public static string GetUniqueName(this ClaimsPrincipal claimsPrincipal) /// JwtRegisteredClaimNames.UniqueName /// ClaimTypes.Name /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the UniqueName. public static string GetUniqueName(this ClaimsIdentity claimsIdentity) @@ -650,6 +674,7 @@ public static string GetTenantId(this ClaimsIdentity claimsIdentity) /// "acr" /// "http://schemas.microsoft.com/claims/authnclassreference" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the Acr. public static string GetAcr(this ClaimsPrincipal claimsPrincipal) @@ -669,6 +694,7 @@ public static string GetAcr(this ClaimsPrincipal claimsPrincipal) /// "acr" /// "http://schemas.microsoft.com/claims/authnclassreference" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the Acr. public static string GetAcr(this ClaimsIdentity claimsIdentity) 
@@ -687,6 +713,7 @@ public static string GetAcr(this ClaimsIdentity claimsIdentity) /// "adfs1email" /// "http://schemas.xmlsoap.org/claims/EmailAddress" /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUPI. /// /// Claims ClaimsPrincipal from which to get the Adfs1Email. @@ -707,6 +734,7 @@ public static string GetAdfs1Email(this ClaimsPrincipal claimsPrincipal) /// "adfs1email" /// "http://schemas.xmlsoap.org/claims/EmailAddress" /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUPI. /// /// Claims ClaimsIdentity from which to get the Adfs1Email. @@ -726,6 +754,7 @@ public static string GetAdfs1Email(this ClaimsIdentity claimsIdentity) /// "adfs1upn" /// "http://schemas.xmlsoap.org/claims/UPN" /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUPI. /// /// Claims ClaimsPrincipal from which to get the Adfs1Upn. @@ -746,6 +775,7 @@ public static string GetAdfs1Upn(this ClaimsPrincipal claimsPrincipal) /// "adfs1upn" /// "http://schemas.xmlsoap.org/claims/UPN" /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUPI. /// /// Claims ClaimsIdentity from which to get the Adfs1Upn. @@ -765,6 +795,7 @@ public static string GetAdfs1Upn(this ClaimsIdentity claimsIdentity) /// "amr" /// "http://schemas.microsoft.com/claims/authnmethodsreferences" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the Amr. public static string GetAmr(this ClaimsPrincipal claimsPrincipal) 
@@ -784,6 +815,7 @@ public static string GetAmr(this ClaimsPrincipal claimsPrincipal) /// "amr" /// "http://schemas.microsoft.com/claims/authnmethodsreferences" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the Amr. public static string GetAmr(this ClaimsIdentity claimsIdentity) @@ -802,6 +834,7 @@ public static string GetAmr(this ClaimsIdentity claimsIdentity) /// "authmethod" /// ClaimTypes.AuthenticationMethod /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the AuthMethod. public static string GetAuthMethod(this ClaimsPrincipal claimsPrincipal) @@ -821,6 +854,7 @@ public static string GetAuthMethod(this ClaimsPrincipal claimsPrincipal) /// "authmethod" /// ClaimTypes.AuthenticationMethod /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the AuthMethod. public static string GetAuthMethod(this ClaimsIdentity claimsIdentity) @@ -839,6 +873,7 @@ public static string GetAuthMethod(this ClaimsIdentity claimsIdentity) /// "certapppolicy" /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the CertAppPolicy. public static string GetCertAppPolicy(this ClaimsPrincipal claimsPrincipal) @@ -858,6 +893,7 @@ public static string GetCertAppPolicy(this ClaimsPrincipal claimsPrincipal) /// "certapppolicy" /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the CertAppPolicy. public static string GetCertAppPolicy(this ClaimsIdentity claimsIdentity) 
@@ -876,6 +912,7 @@ public static string GetCertAppPolicy(this ClaimsIdentity claimsIdentity) /// "certauthoritykeyidentifier" /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the CertAuthorityKeyIdentifier. public static string GetCertAuthorityKeyIdentifier(this ClaimsPrincipal claimsPrincipal) @@ -895,6 +932,7 @@ public static string GetCertAuthorityKeyIdentifier(this ClaimsPrincipal claimsPr /// "certauthoritykeyidentifier" /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the CertAuthorityKeyIdentifier. public static string GetCertAuthorityKeyIdentifier(this ClaimsIdentity claimsIdentity) @@ -908,14 +946,15 @@ public static string GetCertAuthorityKeyIdentifier(this ClaimsIdentity claimsIde "http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier"); } /// - /// Returns the first claim corresponding to CertBasicVonstraints claim on a ClaimsPrincipal + /// Returns the first claim corresponding to CertBasicConstraints claim on a ClaimsPrincipal /// /// "certbasicconstraints" /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints" /// + /// This method returns information that is NOT safe to use for authorization. /// - /// Claims ClaimsPrincipal from which to get the CertBasicVonstraints. - public static string GetCertBasicVonstraints(this ClaimsPrincipal claimsPrincipal) + /// Claims ClaimsPrincipal from which to get the CertBasicConstraints. + public static string GetCertBasicConstraints(this ClaimsPrincipal claimsPrincipal) { if (claimsPrincipal == null) { 
@@ -927,14 +966,15 @@ public static string GetCertBasicVonstraints(this ClaimsPrincipal claimsPrincipa } /// - /// Returns the first claim corresponding to CertBasicVonstraints claim on a ClaimsIdentity + /// Returns the first claim corresponding to CertBasicConstraints claim on a ClaimsIdentity /// /// "certbasicconstraints" /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints" /// + /// This method returns information that is NOT safe to use for authorization. /// - /// Claims ClaimsIdentity from which to get the CertBasicVonstraints. - public static string GetCertBasicVonstraints(this ClaimsIdentity claimsIdentity) + /// Claims ClaimsIdentity from which to get the CertBasicConstraints. + public static string GetCertBasicConstraints(this ClaimsIdentity claimsIdentity) { if (claimsIdentity == null) { @@ -950,6 +990,7 @@ public static string GetCertBasicVonstraints(this ClaimsIdentity claimsIdentity) /// "certeku" /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the CertEku. public static string GetCertEku(this ClaimsPrincipal claimsPrincipal) @@ -969,6 +1010,7 @@ public static string GetCertEku(this ClaimsPrincipal claimsPrincipal) /// "certeku" /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the CertEku. public static string GetCertEku(this ClaimsIdentity claimsIdentity) 
@@ -987,6 +1029,7 @@ public static string GetCertEku(this ClaimsIdentity claimsIdentity) /// "certissuer" /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the CertIssuer. public static string GetCertIssuer(this ClaimsPrincipal claimsPrincipal) @@ -1006,6 +1049,7 @@ public static string GetCertIssuer(this ClaimsPrincipal claimsPrincipal) /// "certissuer" /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the CertIssuer. public static string GetCertIssuer(this ClaimsIdentity claimsIdentity) @@ -1024,6 +1068,7 @@ public static string GetCertIssuer(this ClaimsIdentity claimsIdentity) /// "certissuername" /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the CertIssuerName. public static string GetCertIssuerName(this ClaimsPrincipal claimsPrincipal) @@ -1043,6 +1088,7 @@ public static string GetCertIssuerName(this ClaimsPrincipal claimsPrincipal) /// "certissuername" /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the CertIssuerName. public static string GetCertIssuerName(this ClaimsIdentity claimsIdentity) 
@@ -1061,6 +1107,7 @@ public static string GetCertIssuerName(this ClaimsIdentity claimsIdentity) /// "certkeyusage" /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the CertKeyUsage. public static string GetCertKeyUsage(this ClaimsPrincipal claimsPrincipal) @@ -1080,6 +1127,7 @@ public static string GetCertKeyUsage(this ClaimsPrincipal claimsPrincipal) /// "certkeyusage" /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the CertKeyUsage. public static string GetCertKeyUsage(this ClaimsIdentity claimsIdentity) @@ -1098,6 +1146,7 @@ public static string GetCertKeyUsage(this ClaimsIdentity claimsIdentity) /// "certnotafter" /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the CertNotAfter. public static string GetCertNotAfter(this ClaimsPrincipal claimsPrincipal) @@ -1117,6 +1166,7 @@ public static string GetCertNotAfter(this ClaimsPrincipal claimsPrincipal) /// "certnotafter" /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the CertNotAfter. public static string GetCertNotAfter(this ClaimsIdentity claimsIdentity) 
@@ -1135,6 +1185,7 @@ public static string GetCertNotAfter(this ClaimsIdentity claimsIdentity) /// "certnotbefore" /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the CertNotBefore. public static string GetCertNotBefore(this ClaimsPrincipal claimsPrincipal) @@ -1154,6 +1205,7 @@ public static string GetCertNotBefore(this ClaimsPrincipal claimsPrincipal) /// "certnotbefore" /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the CertNotBefore. public static string GetCertNotBefore(this ClaimsIdentity claimsIdentity) @@ -1172,6 +1224,7 @@ public static string GetCertNotBefore(this ClaimsIdentity claimsIdentity) /// "certpolicy" /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the CertPolicy. public static string GetCertPolicy(this ClaimsPrincipal claimsPrincipal) @@ -1191,6 +1244,7 @@ public static string GetCertPolicy(this ClaimsPrincipal claimsPrincipal) /// "certpolicy" /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the CertPolicy. public static string GetCertPolicy(this ClaimsIdentity claimsIdentity) 
@@ -1209,6 +1263,7 @@ public static string GetCertPolicy(this ClaimsIdentity claimsIdentity) /// "certpublickey" /// ClaimTypes.Rsa /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the CertPublickey. public static string GetCertPublickey(this ClaimsPrincipal claimsPrincipal) @@ -1228,6 +1283,7 @@ public static string GetCertPublickey(this ClaimsPrincipal claimsPrincipal) /// "certpublickey" /// ClaimTypes.Rsa /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the CertPublickey. public static string GetCertPublickey(this ClaimsIdentity claimsIdentity) @@ -1246,6 +1302,7 @@ public static string GetCertPublickey(this ClaimsIdentity claimsIdentity) /// "certrawdata" /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the CertRawData. public static string GetCertRawData(this ClaimsPrincipal claimsPrincipal) @@ -1265,6 +1322,7 @@ public static string GetCertRawData(this ClaimsPrincipal claimsPrincipal) /// "certrawdata" /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the CertRawData. public static string GetCertRawData(this ClaimsIdentity claimsIdentity) @@ -1283,6 +1341,7 @@ public static string GetCertRawData(this ClaimsIdentity claimsIdentity) /// "certserialnumber" /// ClaimTypes.SerialNumber /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the CertSerialNumber. public static string GetCertSerialNumber(this ClaimsPrincipal claimsPrincipal) 
@@ -1302,6 +1361,7 @@ public static string GetCertSerialNumber(this ClaimsPrincipal claimsPrincipal) /// "certserialnumber" /// ClaimTypes.SerialNumber /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the CertSerialNumber. public static string GetCertSerialNumber(this ClaimsIdentity claimsIdentity) @@ -1320,6 +1380,7 @@ public static string GetCertSerialNumber(this ClaimsIdentity claimsIdentity) /// "certsignaturealgorithm" /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the CertSignatureAlgorithm. public static string GetCertSignatureAlgorithm(this ClaimsPrincipal claimsPrincipal) @@ -1339,6 +1400,7 @@ public static string GetCertSignatureAlgorithm(this ClaimsPrincipal claimsPrinci /// "certsignaturealgorithm" /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the CertSignatureAlgorithm. public static string GetCertSignatureAlgorithm(this ClaimsIdentity claimsIdentity) @@ -1357,6 +1419,7 @@ public static string GetCertSignatureAlgorithm(this ClaimsIdentity claimsIdentit /// "certsubject" /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/subject" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the CertSubject. public static string GetCertSubject(this ClaimsPrincipal claimsPrincipal) 
@@ -1376,6 +1439,7 @@ public static string GetCertSubject(this ClaimsPrincipal claimsPrincipal) /// "certsubject" /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/subject" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the CertSubject. public static string GetCertSubject(this ClaimsIdentity claimsIdentity) @@ -1394,6 +1458,7 @@ public static string GetCertSubject(this ClaimsIdentity claimsIdentity) /// "certsubjectaltname" /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/san" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the CertSubjectAltName. public static string GetCertSubjectAltName(this ClaimsPrincipal claimsPrincipal) @@ -1413,6 +1478,7 @@ public static string GetCertSubjectAltName(this ClaimsPrincipal claimsPrincipal) /// "certsubjectaltname" /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/san" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the CertSubjectAltName. public static string GetCertSubjectAltName(this ClaimsIdentity claimsIdentity) @@ -1431,6 +1497,7 @@ public static string GetCertSubjectAltName(this ClaimsIdentity claimsIdentity) /// "certsubjectkeyidentifier" /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the CertSubjectKeyIdentifier. public static string GetCertSubjectKeyIdentifier(this ClaimsPrincipal claimsPrincipal) 
@@ -1450,6 +1517,7 @@ public static string GetCertSubjectKeyIdentifier(this ClaimsPrincipal claimsPrin /// "certsubjectkeyidentifier" /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the CertSubjectKeyIdentifier. public static string GetCertSubjectKeyIdentifier(this ClaimsIdentity claimsIdentity) @@ -1468,6 +1536,7 @@ public static string GetCertSubjectKeyIdentifier(this ClaimsIdentity claimsIdent /// "certsubjectname" /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the CertSubjectName. public static string GetCertSubjectName(this ClaimsPrincipal claimsPrincipal) @@ -1487,6 +1556,7 @@ public static string GetCertSubjectName(this ClaimsPrincipal claimsPrincipal) /// "certsubjectname" /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the CertSubjectName. public static string GetCertSubjectName(this ClaimsIdentity claimsIdentity) @@ -1505,6 +1575,7 @@ public static string GetCertSubjectName(this ClaimsIdentity claimsIdentity) /// "certtemplateinformation" /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the CertTemplateInformation. public static string GetCertTemplateInformation(this ClaimsPrincipal claimsPrincipal) 
@@ -1524,6 +1595,7 @@ public static string GetCertTemplateInformation(this ClaimsPrincipal claimsPrinc /// "certtemplateinformation" /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the CertTemplateInformation. public static string GetCertTemplateInformation(this ClaimsIdentity claimsIdentity) @@ -1542,6 +1614,7 @@ public static string GetCertTemplateInformation(this ClaimsIdentity claimsIdenti /// "certtemplatename" /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the CertTemplateName. public static string GetCertTemplateName(this ClaimsPrincipal claimsPrincipal) @@ -1561,6 +1634,7 @@ public static string GetCertTemplateName(this ClaimsPrincipal claimsPrincipal) /// "certtemplatename" /// "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the CertTemplateName. public static string GetCertTemplateName(this ClaimsIdentity claimsIdentity) @@ -1579,6 +1653,7 @@ public static string GetCertTemplateName(this ClaimsIdentity claimsIdentity) /// "certthumbprint" /// ClaimTypes.Thumbprint /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the CertThumbprint. public static string GetCertThumbprint(this ClaimsPrincipal claimsPrincipal) 
@@ -1598,6 +1673,7 @@ public static string GetCertThumbprint(this ClaimsPrincipal claimsPrincipal) /// "certthumbprint" /// ClaimTypes.Thumbprint /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the CertThumbprint. public static string GetCertThumbprint(this ClaimsIdentity claimsIdentity) @@ -1616,6 +1692,7 @@ public static string GetCertThumbprint(this ClaimsIdentity claimsIdentity) /// "certx509version" /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the CertX509Version. public static string GetCertX509Version(this ClaimsPrincipal claimsPrincipal) @@ -1635,6 +1712,7 @@ public static string GetCertX509Version(this ClaimsPrincipal claimsPrincipal) /// "certx509version" /// "http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the CertX509Version. public static string GetCertX509Version(this ClaimsIdentity claimsIdentity) @@ -1692,6 +1770,7 @@ public static string GetClientApplication(this ClaimsIdentity claimsIdentity) /// "clientip" /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip" /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUPI. /// /// Claims ClaimsPrincipal from which to get the ClientIp. 
@@ -1712,6 +1791,7 @@ public static string GetClientIp(this ClaimsPrincipal claimsPrincipal) /// "clientip" /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip" /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUPI. /// /// Claims ClaimsIdentity from which to get the ClientIp. @@ -1731,6 +1811,7 @@ public static string GetClientIp(this ClaimsIdentity claimsIdentity) /// "clientuseragent" /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the ClientUserAgent. public static string GetClientUserAgent(this ClaimsPrincipal claimsPrincipal) @@ -1750,6 +1831,7 @@ public static string GetClientUserAgent(this ClaimsPrincipal claimsPrincipal) /// "clientuseragent" /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the ClientUserAgent. public static string GetClientUserAgent(this ClaimsIdentity claimsIdentity) @@ -1768,6 +1850,7 @@ public static string GetClientUserAgent(this ClaimsIdentity claimsIdentity) /// "commonname" /// "http://schemas.xmlsoap.org/claims/CommonName" /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUPI. /// /// Claims ClaimsPrincipal from which to get the CommonName. 
@@ -1788,6 +1871,7 @@ public static string GetCommonName(this ClaimsPrincipal claimsPrincipal) /// "commonname" /// "http://schemas.xmlsoap.org/claims/CommonName" /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUPI. /// /// Claims ClaimsIdentity from which to get the CommonName. @@ -1807,6 +1891,7 @@ public static string GetCommonName(this ClaimsIdentity claimsIdentity) /// "denyonlyprimarygroupsid" /// ClaimTypes.DenyOnlyPrimaryGroupSid /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the DenyOnlyPrimaryGroupSid. public static string GetDenyOnlyPrimaryGroupSid(this ClaimsPrincipal claimsPrincipal) @@ -1826,6 +1911,7 @@ public static string GetDenyOnlyPrimaryGroupSid(this ClaimsPrincipal claimsPrinc /// "denyonlyprimarygroupsid" /// ClaimTypes.DenyOnlyPrimaryGroupSid /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the DenyOnlyPrimaryGroupSid. public static string GetDenyOnlyPrimaryGroupSid(this ClaimsIdentity claimsIdentity) @@ -1844,6 +1930,7 @@ public static string GetDenyOnlyPrimaryGroupSid(this ClaimsIdentity claimsIdenti /// "denyonlyprimarysid" /// ClaimTypes.DenyOnlyPrimarySid /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the DenyOnlyPrimarySid. public static string GetDenyOnlyPrimarySid(this ClaimsPrincipal claimsPrincipal) 
@@ -1863,6 +1950,7 @@ public static string GetDenyOnlyPrimarySid(this ClaimsPrincipal claimsPrincipal) /// "denyonlyprimarysid" /// ClaimTypes.DenyOnlyPrimarySid /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the DenyOnlyPrimarySid. public static string GetDenyOnlyPrimarySid(this ClaimsIdentity claimsIdentity) @@ -1881,6 +1969,7 @@ public static string GetDenyOnlyPrimarySid(this ClaimsIdentity claimsIdentity) /// "denyonlysid" /// ClaimTypes.DenyOnlySid /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the DenyOnlySid. public static string GetDenyOnlySid(this ClaimsPrincipal claimsPrincipal) @@ -1900,6 +1989,7 @@ public static string GetDenyOnlySid(this ClaimsPrincipal claimsPrincipal) /// "denyonlysid" /// ClaimTypes.DenyOnlySid /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the DenyOnlySid. public static string GetDenyOnlySid(this ClaimsIdentity claimsIdentity) @@ -1918,6 +2008,7 @@ public static string GetDenyOnlySid(this ClaimsIdentity claimsIdentity) /// "devicedispname" /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the DevicedIspName. public static string GetDevicedIspName(this ClaimsPrincipal claimsPrincipal) @@ -1937,6 +2028,7 @@ public static string GetDevicedIspName(this ClaimsPrincipal claimsPrincipal) /// "devicedispname" /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the DevicedIspName. public static string GetDevicedIspName(this ClaimsIdentity claimsIdentity) 
@@ -1955,6 +2047,7 @@ public static string GetDevicedIspName(this ClaimsIdentity claimsIdentity) /// "deviceid" /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the DeviceId. public static string GetDeviceId(this ClaimsPrincipal claimsPrincipal) @@ -1974,6 +2067,7 @@ public static string GetDeviceId(this ClaimsPrincipal claimsPrincipal) /// "deviceid" /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the DeviceId. public static string GetDeviceId(this ClaimsIdentity claimsIdentity) @@ -1992,6 +2086,7 @@ public static string GetDeviceId(this ClaimsIdentity claimsIdentity) /// "deviceismanaged" /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the DeviceIsManaged. public static string GetDeviceIsManaged(this ClaimsPrincipal claimsPrincipal) @@ -2011,6 +2106,7 @@ public static string GetDeviceIsManaged(this ClaimsPrincipal claimsPrincipal) /// "deviceismanaged" /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the DeviceIsManaged. public static string GetDeviceIsManaged(this ClaimsIdentity claimsIdentity) 
@@ -2029,6 +2125,7 @@ public static string GetDeviceIsManaged(this ClaimsIdentity claimsIdentity) /// "deviceostype" /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the DeviceOsType. public static string GetDeviceOsType(this ClaimsPrincipal claimsPrincipal) @@ -2048,6 +2145,7 @@ public static string GetDeviceOsType(this ClaimsPrincipal claimsPrincipal) /// "deviceostype" /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the DeviceOsType. public static string GetDeviceOsType(this ClaimsIdentity claimsIdentity) @@ -2066,6 +2164,7 @@ public static string GetDeviceOsType(this ClaimsIdentity claimsIdentity) /// "deviceosver" /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the DeviceOsVer. public static string GetDeviceOsVer(this ClaimsPrincipal claimsPrincipal) @@ -2085,6 +2184,7 @@ public static string GetDeviceOsVer(this ClaimsPrincipal claimsPrincipal) /// "deviceosver" /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the DeviceOsVer. public static string GetDeviceOsVer(this ClaimsIdentity claimsIdentity) 
@@ -2103,6 +2203,7 @@ public static string GetDeviceOsVer(this ClaimsIdentity claimsIdentity) /// "deviceowner" /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the DeviceOwner. public static string GetDeviceOwner(this ClaimsPrincipal claimsPrincipal) @@ -2122,6 +2223,7 @@ public static string GetDeviceOwner(this ClaimsPrincipal claimsPrincipal) /// "deviceowner" /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the DeviceOwner. public static string GetDeviceOwner(this ClaimsIdentity claimsIdentity) @@ -2140,6 +2242,7 @@ public static string GetDeviceOwner(this ClaimsIdentity claimsIdentity) /// "deviceregid" /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the DeviceRegId. public static string GetDeviceRegId(this ClaimsPrincipal claimsPrincipal) @@ -2159,6 +2262,7 @@ public static string GetDeviceRegId(this ClaimsPrincipal claimsPrincipal) /// "deviceregid" /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the DeviceRegId. public static string GetDeviceRegId(this ClaimsIdentity claimsIdentity) 
@@ -2177,6 +2281,7 @@ public static string GetDeviceRegId(this ClaimsIdentity claimsIdentity) /// "endpointpath" /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the EndpointPath. public static string GetEndpointPath(this ClaimsPrincipal claimsPrincipal) @@ -2196,6 +2301,7 @@ public static string GetEndpointPath(this ClaimsPrincipal claimsPrincipal) /// "endpointpath" /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the EndpointPath. public static string GetEndpointPath(this ClaimsIdentity claimsIdentity) @@ -2214,6 +2320,7 @@ public static string GetEndpointPath(this ClaimsIdentity claimsIdentity) /// "forwardedclientip" /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the ForwardedClientIp. public static string GetForwardedClientIp(this ClaimsPrincipal claimsPrincipal) @@ -2233,6 +2340,7 @@ public static string GetForwardedClientIp(this ClaimsPrincipal claimsPrincipal) /// "forwardedclientip" /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the ForwardedClientIp. public static string GetForwardedClientIp(this ClaimsIdentity claimsIdentity) 
@@ -2251,6 +2359,7 @@ public static string GetForwardedClientIp(this ClaimsIdentity claimsIdentity) /// "group" /// "http://schemas.xmlsoap.org/claims/Group" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims principal from which to get the Group. public static IEnumerable GetGroup(this ClaimsPrincipal claimsPrincipal) @@ -2270,6 +2379,7 @@ public static IEnumerable GetGroup(this ClaimsPrincipal claimsPrincipal) /// "group" /// "http://schemas.xmlsoap.org/claims/Group" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the Group. public static IEnumerable GetGroup(this ClaimsIdentity claimsIdentity) @@ -2289,6 +2399,7 @@ public static IEnumerable GetGroup(this ClaimsIdentity claimsIdentity) /// "groupsid" /// ClaimTypes.GroupSid /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims principal from which to get the GroupsId. public static IEnumerable GetGroupsId(this ClaimsPrincipal claimsPrincipal) @@ -2308,6 +2419,7 @@ public static IEnumerable GetGroupsId(this ClaimsPrincipal claimsPrincip /// "groupsid" /// ClaimTypes.GroupSid /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the GroupsId. public static IEnumerable GetGroupsId(this ClaimsIdentity claimsIdentity) 
@@ -2322,13 +2434,14 @@ public static IEnumerable GetGroupsId(this ClaimsIdentity claimsIdentity } /// - /// Returns the first claim corresponding to IdTyp claim on a ClaimsPrincipal + /// Returns the first claim corresponding to TokenType claim on a ClaimsPrincipal /// /// "idtyp" /// + /// This method returns information that is NOT safe to use for authorization. /// - /// Claims ClaimsPrincipal from which to get the IdTyp. - public static string GetIdTyp(this ClaimsPrincipal claimsPrincipal) + /// Claims ClaimsPrincipal from which to get the TokenType. + public static string GetTokenType(this ClaimsPrincipal claimsPrincipal) { if (claimsPrincipal == null) { @@ -2339,13 +2452,14 @@ public static string GetIdTyp(this ClaimsPrincipal claimsPrincipal) } /// - /// Returns the first claim corresponding to IdTyp claim on a ClaimsIdentity + /// Returns the first claim corresponding to TokenType claim on a ClaimsIdentity /// /// "idtyp" /// + /// This method returns information that is NOT safe to use for authorization. /// - /// Claims ClaimsIdentity from which to get the IdTyp. - public static string GetIdTyp(this ClaimsIdentity claimsIdentity) + /// Claims ClaimsIdentity from which to get the TokenType. + public static string GetTokenType(this ClaimsIdentity claimsIdentity) { if (claimsIdentity == null) { @@ -2360,6 +2474,7 @@ public static string GetIdTyp(this ClaimsIdentity claimsIdentity) /// "idp" /// "http://schemas.microsoft.com/identity/claims/identityprovider" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the Idp. public static string GetIdp(this ClaimsPrincipal claimsPrincipal) 
@@ -2379,6 +2494,7 @@ public static string GetIdp(this ClaimsPrincipal claimsPrincipal) /// "idp" /// "http://schemas.microsoft.com/identity/claims/identityprovider" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the Idp. public static string GetIdp(this ClaimsIdentity claimsIdentity) @@ -2397,6 +2513,7 @@ public static string GetIdp(this ClaimsIdentity claimsIdentity) /// "insidecorporatenetwork" /// "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the InsideCorporateNetwork. public static string GetInsideCorporateNetwork(this ClaimsPrincipal claimsPrincipal) @@ -2416,6 +2533,7 @@ public static string GetInsideCorporateNetwork(this ClaimsPrincipal claimsPrinci /// "insidecorporatenetwork" /// "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the InsideCorporateNetwork. public static string GetInsideCorporateNetwork(this ClaimsIdentity claimsIdentity) @@ -2434,6 +2552,7 @@ public static string GetInsideCorporateNetwork(this ClaimsIdentity claimsIdentit /// "isregistereduser" /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the IsRegisteredUser. public static string GetIsRegisteredUser(this ClaimsPrincipal claimsPrincipal) 
@@ -2453,6 +2572,7 @@ public static string GetIsRegisteredUser(this ClaimsPrincipal claimsPrincipal) /// "isregistereduser" /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the IsRegisteredUser. public static string GetIsRegisteredUser(this ClaimsIdentity claimsIdentity) @@ -2470,6 +2590,7 @@ public static string GetIsRegisteredUser(this ClaimsIdentity claimsIdentity) /// /// "login_hint" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the LoginHint. public static string GetLoginHint(this ClaimsPrincipal claimsPrincipal) @@ -2487,6 +2608,7 @@ public static string GetLoginHint(this ClaimsPrincipal claimsPrincipal) /// /// "login_hint" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the LoginHint. public static string GetLoginHint(this ClaimsIdentity claimsIdentity) @@ -2504,6 +2626,7 @@ public static string GetLoginHint(this ClaimsIdentity claimsIdentity) /// "ppid" /// "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the Ppid. public static string GetPpid(this ClaimsPrincipal claimsPrincipal) @@ -2523,6 +2646,7 @@ public static string GetPpid(this ClaimsPrincipal claimsPrincipal) /// "ppid" /// "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the Ppid. public static string GetPpid(this ClaimsIdentity claimsIdentity) 
@@ -2536,14 +2660,15 @@ public static string GetPpid(this ClaimsIdentity claimsIdentity) "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"); } /// - /// Returns the first claim corresponding to Primarygroupsid claim on a ClaimsPrincipal + /// Returns the first claim corresponding to PrimaryGroupSid claim on a ClaimsPrincipal /// /// "primarygroupsid" /// ClaimTypes.PrimaryGroupSid /// + /// This method returns information that is NOT safe to use for authorization. /// - /// Claims ClaimsPrincipal from which to get the Primarygroupsid. - public static string GetPrimarygroupsid(this ClaimsPrincipal claimsPrincipal) + /// Claims ClaimsPrincipal from which to get the PrimaryGroupSid. + public static string GetPrimaryGroupSid(this ClaimsPrincipal claimsPrincipal) { if (claimsPrincipal == null) { @@ -2555,14 +2680,15 @@ public static string GetPrimarygroupsid(this ClaimsPrincipal claimsPrincipal) } /// - /// Returns the first claim corresponding to Primarygroupsid claim on a ClaimsIdentity + /// Returns the first claim corresponding to PrimaryGroupSid claim on a ClaimsIdentity /// /// "primarygroupsid" /// ClaimTypes.PrimaryGroupSid /// + /// This method returns information that is NOT safe to use for authorization. /// - /// Claims ClaimsIdentity from which to get the Primarygroupsid. - public static string GetPrimarygroupsid(this ClaimsIdentity claimsIdentity) + /// Claims ClaimsIdentity from which to get the PrimaryGroupSid. + public static string GetPrimaryGroupSid(this ClaimsIdentity claimsIdentity) { if (claimsIdentity == null) { 
@@ -2573,14 +2699,15 @@ public static string GetPrimarygroupsid(this ClaimsIdentity claimsIdentity) ClaimTypes.PrimaryGroupSid); } /// - /// Returns the first claim corresponding to Primarysid claim on a ClaimsPrincipal + /// Returns the first claim corresponding to PrimarySid claim on a ClaimsPrincipal /// /// "primarysid" /// ClaimTypes.PrimarySid /// + /// This method returns information that is NOT safe to use for authorization. /// - /// Claims ClaimsPrincipal from which to get the Primarysid. - public static string GetPrimarysid(this ClaimsPrincipal claimsPrincipal) + /// Claims ClaimsPrincipal from which to get the PrimarySid. + public static string GetPrimarySid(this ClaimsPrincipal claimsPrincipal) { if (claimsPrincipal == null) { @@ -2592,14 +2719,15 @@ public static string GetPrimarysid(this ClaimsPrincipal claimsPrincipal) } /// - /// Returns the first claim corresponding to Primarysid claim on a ClaimsIdentity + /// Returns the first claim corresponding to PrimarySid claim on a ClaimsIdentity /// /// "primarysid" /// ClaimTypes.PrimarySid /// + /// This method returns information that is NOT safe to use for authorization. /// - /// Claims ClaimsIdentity from which to get the Primarysid. - public static string GetPrimarysid(this ClaimsIdentity claimsIdentity) + /// Claims ClaimsIdentity from which to get the PrimarySid. + public static string GetPrimarySid(this ClaimsIdentity claimsIdentity) { if (claimsIdentity == null) { @@ -2615,6 +2743,7 @@ public static string GetPrimarysid(this ClaimsIdentity claimsIdentity) /// "proxy" /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the Proxy. public static string GetProxy(this ClaimsPrincipal claimsPrincipal) 
@@ -2634,6 +2763,7 @@ public static string GetProxy(this ClaimsPrincipal claimsPrincipal) /// "proxy" /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the Proxy. public static string GetProxy(this ClaimsIdentity claimsIdentity) @@ -2652,6 +2782,7 @@ public static string GetProxy(this ClaimsIdentity claimsIdentity) /// "pwdchgurl" /// "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the PwdChgEndpoint. public static string GetPwdChgEndpoint(this ClaimsPrincipal claimsPrincipal) @@ -2671,6 +2802,7 @@ public static string GetPwdChgEndpoint(this ClaimsPrincipal claimsPrincipal) /// "pwdchgurl" /// "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the PwdChgEndpoint. public static string GetPwdChgEndpoint(this ClaimsIdentity claimsIdentity) @@ -2689,6 +2821,7 @@ public static string GetPwdChgEndpoint(this ClaimsIdentity claimsIdentity) /// "pwdexpdays" /// "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the PwdExpDays. public static string GetPwdExpDays(this ClaimsPrincipal claimsPrincipal) 
@@ -2708,6 +2841,7 @@ public static string GetPwdExpDays(this ClaimsPrincipal claimsPrincipal) /// "pwdexpdays" /// "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the PwdExpDays. public static string GetPwdExpDays(this ClaimsIdentity claimsIdentity) @@ -2726,6 +2860,7 @@ public static string GetPwdExpDays(this ClaimsIdentity claimsIdentity) /// "pwdexptime" /// "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the PwdExpTime. public static string GetPwdExpTime(this ClaimsPrincipal claimsPrincipal) @@ -2745,6 +2880,7 @@ public static string GetPwdExpTime(this ClaimsPrincipal claimsPrincipal) /// "pwdexptime" /// "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the PwdExpTime. public static string GetPwdExpTime(this ClaimsIdentity claimsIdentity) @@ -2763,6 +2899,7 @@ public static string GetPwdExpTime(this ClaimsIdentity claimsIdentity) /// "relyingpartytrustid" /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the RelyingPartyTrustId. public static string GetRelyingPartyTrustId(this ClaimsPrincipal claimsPrincipal) 
@@ -2782,6 +2919,7 @@ public static string GetRelyingPartyTrustId(this ClaimsPrincipal claimsPrincipal /// "relyingpartytrustid" /// "http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the RelyingPartyTrustId. public static string GetRelyingPartyTrustId(this ClaimsIdentity claimsIdentity) @@ -2843,6 +2981,7 @@ public static IEnumerable GetRole(this ClaimsIdentity claimsIdentity) /// /// "sid" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the Sid. public static string GetSid(this ClaimsPrincipal claimsPrincipal) @@ -2860,6 +2999,7 @@ public static string GetSid(this ClaimsPrincipal claimsPrincipal) /// /// "sid" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the Sid. public static string GetSid(this ClaimsIdentity claimsIdentity) @@ -2877,6 +3017,7 @@ public static string GetSid(this ClaimsIdentity claimsIdentity) /// "upn" /// ClaimTypes.Upn /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the Upn. public static string GetUpn(this ClaimsPrincipal claimsPrincipal) @@ -2896,6 +3037,7 @@ public static string GetUpn(this ClaimsPrincipal claimsPrincipal) /// "upn" /// ClaimTypes.Upn /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the Upn. public static string GetUpn(this ClaimsIdentity claimsIdentity) 
@@ -2909,14 +3051,15 @@ public static string GetUpn(this ClaimsIdentity claimsIdentity) ClaimTypes.Upn); } /// - /// Returns the first claim corresponding to Winaccountname claim on a ClaimsPrincipal + /// Returns the first claim corresponding to WinAccountName claim on a ClaimsPrincipal /// /// "winaccountname" /// ClaimTypes.WindowsAccountName /// + /// This method returns information that is NOT safe to use for authorization. /// - /// Claims ClaimsPrincipal from which to get the Winaccountname. - public static string GetWinaccountname(this ClaimsPrincipal claimsPrincipal) + /// Claims ClaimsPrincipal from which to get the WinAccountName. + public static string GetWinAccountName(this ClaimsPrincipal claimsPrincipal) { if (claimsPrincipal == null) { @@ -2928,14 +3071,15 @@ public static string GetWinaccountname(this ClaimsPrincipal claimsPrincipal) } /// - /// Returns the first claim corresponding to Winaccountname claim on a ClaimsIdentity + /// Returns the first claim corresponding to WinAccountName claim on a ClaimsIdentity /// /// "winaccountname" /// ClaimTypes.WindowsAccountName /// + /// This method returns information that is NOT safe to use for authorization. /// - /// Claims ClaimsIdentity from which to get the Winaccountname. - public static string GetWinaccountname(this ClaimsIdentity claimsIdentity) + /// Claims ClaimsIdentity from which to get the WinAccountName. + public static string GetWinAccountName(this ClaimsIdentity claimsIdentity) { if (claimsIdentity == null) { @@ -2950,6 +3094,7 @@ public static string GetWinaccountname(this ClaimsIdentity claimsIdentity) /// /// "verified_primary_email" /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUPI. /// /// Claims ClaimsPrincipal from which to get the VerifiedPrimaryEmail. 
@@ -2968,6 +3113,7 @@ public static string GetVerifiedPrimaryEmail(this ClaimsPrincipal claimsPrincipa /// /// "verified_primary_email" /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUPI. /// /// Claims ClaimsIdentity from which to get the VerifiedPrimaryEmail. @@ -2985,6 +3131,7 @@ public static string GetVerifiedPrimaryEmail(this ClaimsIdentity claimsIdentity) /// /// "verified_secondary_email" /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUPI. /// /// Claims ClaimsPrincipal from which to get the VerifiedSecondaryEmail. @@ -3003,6 +3150,7 @@ public static string GetVerifiedSecondaryEmail(this ClaimsPrincipal claimsPrinci /// /// "verified_secondary_email" /// + /// This method returns information that is NOT safe to use for authorization. /// The privacy classification of the information returned is EUPI. /// /// Claims ClaimsIdentity from which to get the VerifiedSecondaryEmail. @@ -3020,6 +3168,7 @@ public static string GetVerifiedSecondaryEmail(this ClaimsIdentity claimsIdentit /// /// "vnet" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the VNet. public static string GetVNet(this ClaimsPrincipal claimsPrincipal) @@ -3037,6 +3186,7 @@ public static string GetVNet(this ClaimsPrincipal claimsPrincipal) /// /// "vnet" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the VNet. public static string GetVNet(this ClaimsIdentity claimsIdentity) 
@@ -3053,6 +3203,7 @@ public static string GetVNet(this ClaimsIdentity claimsIdentity) /// /// "xms_pdl" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the PreferedDataLocation. public static string GetPreferedDataLocation(this ClaimsPrincipal claimsPrincipal) @@ -3070,6 +3221,7 @@ public static string GetPreferedDataLocation(this ClaimsPrincipal claimsPrincipa /// /// "xms_pdl" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the PreferedDataLocation. public static string GetPreferedDataLocation(this ClaimsIdentity claimsIdentity) @@ -3086,6 +3238,7 @@ public static string GetPreferedDataLocation(this ClaimsIdentity claimsIdentity) /// /// "xms_tpl" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the UserPreferedLanguage. public static string GetUserPreferedLanguage(this ClaimsPrincipal claimsPrincipal) @@ -3103,6 +3256,7 @@ public static string GetUserPreferedLanguage(this ClaimsPrincipal claimsPrincipa /// /// "xms_tpl" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the UserPreferedLanguage. public static string GetUserPreferedLanguage(this ClaimsIdentity claimsIdentity) @@ -3119,6 +3273,7 @@ public static string GetUserPreferedLanguage(this ClaimsIdentity claimsIdentity) /// /// "ztdid" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the ZeroTouchDeploymentId. public static string GetZeroTouchDeploymentId(this ClaimsPrincipal claimsPrincipal) 
@@ -3136,6 +3291,7 @@ public static string GetZeroTouchDeploymentId(this ClaimsPrincipal claimsPrincip /// /// "ztdid" /// + /// This method returns information that is NOT safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the ZeroTouchDeploymentId. public static string GetZeroTouchDeploymentId(this ClaimsIdentity claimsIdentity) diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.tt b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.tt index a861dd59ec..63ce45c66d 100644 --- a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.tt +++ b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.tt @@ -64,13 +64,8 @@ namespace System.IdentityModel.Tokens.Jwt } #> /// + /// This method returns information that is <#= c.IsUsableInAuthorizationPolicies ? string.Empty : "NOT " #>safe to use for authorization. <# - if (c.IsUsableInAuthorizationPolicies) - { -#> - /// This method returns information that is safe to use for authorization. -<# - } if (!string.IsNullOrEmpty(c.PrivacyCategory)) { #> @@ -102,13 +97,8 @@ namespace System.IdentityModel.Tokens.Jwt } #> /// + /// This method returns information that is <#= c.IsUsableInAuthorizationPolicies ? string.Empty : "NOT " #>safe to use for authorization. <# - if (c.IsUsableInAuthorizationPolicies) - { -#> - /// This method returns information that is safe to use for authorization. -<# - } if (!string.IsNullOrEmpty(c.PrivacyCategory)) { #> @@ -145,13 +135,8 @@ namespace System.IdentityModel.Tokens.Jwt } #> /// + /// This method returns information that is <#= c.IsUsableInAuthorizationPolicies ? string.Empty : "NOT " #>safe to use for authorization. <# - if (c.IsUsableInAuthorizationPolicies) - { -#> - /// This method returns information that is safe to use for authorization. -<# - } if (!string.IsNullOrEmpty(c.PrivacyCategory)) { #> 
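Review bot: The positive form of the new sentence, `/// This method returns information that is safe to use for authorization.`, is an unconditional statement, yet as far as this page shows it documents accessors that read from whatever ClaimsPrincipal or ClaimsIdentity the caller passes in. I would qualify the generated text, for example `... safe to use for authorization, provided the token was validated and its issuer is trusted.` The same interpolated line is also pasted into four template sections (this hunk and the ones at -102, -145 and -183), so the ClaimsPrincipal and ClaimsIdentity variants can drift on a later wording change. Computing the word once per claim, e.g. `<# string authzSafety = c.IsUsableInAuthorizationPolicies ? "safe" : "NOT safe"; #>`, and emitting `<#= authzSafety #>` in each section would avoid that. Each template section starts and ends outside its hunk, so where the sentence lands in the XML doc markup cannot be checked from here.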
@@ -183,13 +168,8 @@ namespace System.IdentityModel.Tokens.Jwt } #> /// + /// This method returns information that is <#= c.IsUsableInAuthorizationPolicies ? string.Empty : "NOT " #>safe to use for authorization. <# - if (c.IsUsableInAuthorizationPolicies) - { -#> - /// This method returns information that is safe to use for authorization. -<# - } if (!string.IsNullOrEmpty(c.PrivacyCategory)) { #> diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimsAccessorsDoc.md b/src/System.IdentityModel.Tokens.Jwt/ClaimsAccessorsDoc.md index f295664222..b99185669a 100644 --- a/src/System.IdentityModel.Tokens.Jwt/ClaimsAccessorsDoc.md +++ b/src/System.IdentityModel.Tokens.Jwt/ClaimsAccessorsDoc.md @@ -9,8 +9,8 @@ string | GetEmail | False | EUII | JwtRegisteredClaimNames.Email
ClaimTypes string | GetFamilyName | False | EUII | JwtRegisteredClaimNames.FamilyName
ClaimTypes.Surname string | GetGender | False | EUII | JwtRegisteredClaimNames.Gender
ClaimTypes.Gender string | GetGivenName | False | EUII | JwtRegisteredClaimNames.GivenName
ClaimTypes.GivenName -string | GetNameid | False | | JwtRegisteredClaimNames.NameId
ClaimTypes.NameIdentifier -string | GetSub | False | | JwtRegisteredClaimNames.Sub
ClaimTypes.NameIdentifier +string | GetNameId | False | | JwtRegisteredClaimNames.NameId
ClaimTypes.NameIdentifier +string | GetSubject | False | | JwtRegisteredClaimNames.Sub
ClaimTypes.NameIdentifier string | GetWebsite | False | | JwtRegisteredClaimNames.Website
ClaimTypes.Webpage string | GetUniqueName | False | | JwtRegisteredClaimNames.UniqueName
ClaimTypes.Name string | GetObjectId | True | EUPI | "oid"
"http://schemas.microsoft.com/identity/claims/objectidentifier" @@ -23,7 +23,7 @@ string | GetAmr | False | | "amr"
"http://schemas.microsoft.com/claims/aut string | GetAuthMethod | False | | "authmethod"
ClaimTypes.AuthenticationMethod string | GetCertAppPolicy | False | | "certapppolicy"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy" string | GetCertAuthorityKeyIdentifier | False | | "certauthoritykeyidentifier"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier" -string | GetCertBasicVonstraints | False | | "certbasicconstraints"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints" +string | GetCertBasicConstraints | False | | "certbasicconstraints"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints" string | GetCertEku | False | | "certeku"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku" string | GetCertIssuer | False | | "certissuer"
"http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer" string | GetCertIssuerName | False | | "certissuername"
"http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername" @@ -61,13 +61,13 @@ string | GetEndpointPath | False | | "endpointpath"
"http://schemas.micros string | GetForwardedClientIp | False | | "forwardedclientip"
"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" IEnumerable | GetGroup | False | | "group"
"http://schemas.xmlsoap.org/claims/Group" IEnumerable | GetGroupsId | False | | "groupsid"
ClaimTypes.GroupSid -string | GetIdTyp | False | | "idtyp" +string | GetTokenType | False | | "idtyp" string | GetIdp | False | | "idp"
"http://schemas.microsoft.com/identity/claims/identityprovider" string | GetInsideCorporateNetwork | False | | "insidecorporatenetwork"
"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" string | GetIsRegisteredUser | False | | "isregistereduser"
"http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" string | GetPpid | False | | "ppid"
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" -string | GetPrimarygroupsid | False | | "primarygroupsid"
ClaimTypes.PrimaryGroupSid -string | GetPrimarysid | False | | "primarysid"
ClaimTypes.PrimarySid +string | GetPrimaryGroupSid | False | | "primarygroupsid"
ClaimTypes.PrimaryGroupSid +string | GetPrimarySid | False | | "primarysid"
ClaimTypes.PrimarySid string | GetProxy | False | | "proxy"
"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy" string | GetPwdChgEndpoint | False | | "pwdchgurl"
"http://schemas.microsoft.com/ws/2012/01/passwordchangeurl" string | GetPwdExpDays | False | | "pwdexpdays"
"http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays" @@ -76,7 +76,7 @@ string | GetRelyingPartyTrustId | False | | "relyingpartytrustid"
"http:// IEnumerable | GetRole | True | | "role"
"roles"
ClaimTypes.Role string | GetSid | False | | "sid" string | GetUpn | False | | "upn"
ClaimTypes.Upn -string | GetWinaccountname | False | | "winaccountname"
ClaimTypes.WindowsAccountName +string | GetWinAccountName | False | | "winaccountname"
ClaimTypes.WindowsAccountName string | GetVerifiedPrimaryEmail | False | EUPI | "verified_primary_email" string | GetVerifiedSecondaryEmail | False | EUPI | "verified_secondary_email" string | GetVNet | False | | "vnet" diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimsKnowledge.tti b/src/System.IdentityModel.Tokens.Jwt/ClaimsKnowledge.tti index 971c7434c2..666dca29ba 100644 --- a/src/System.IdentityModel.Tokens.Jwt/ClaimsKnowledge.tti +++ b/src/System.IdentityModel.Tokens.Jwt/ClaimsKnowledge.tti @@ -62,8 +62,8 @@ ClaimsKnowledge[] claimsKnowledge = new ClaimsKnowledge[] new ClaimsKnowledge("FamilyName", false, false, true, "EUII", "ClaimTypes.Surname", "JwtRegisteredClaimNames.FamilyName"), new ClaimsKnowledge("Gender", false, false, true, "EUII", "ClaimTypes.Gender", "JwtRegisteredClaimNames.Gender"), new ClaimsKnowledge("GivenName", false, false, true, "EUII", "ClaimTypes.GivenName", "JwtRegisteredClaimNames.GivenName"), - new ClaimsKnowledge("Nameid", false, false, true, "", "ClaimTypes.NameIdentifier", "JwtRegisteredClaimNames.NameId"), - new ClaimsKnowledge("Sub", false, false, true, "", "ClaimTypes.NameIdentifier", "JwtRegisteredClaimNames.Sub"), + new ClaimsKnowledge("NameId", false, false, true, "", "ClaimTypes.NameIdentifier", "JwtRegisteredClaimNames.NameId"), + new ClaimsKnowledge("Subject", false, false, true, "", "ClaimTypes.NameIdentifier", "JwtRegisteredClaimNames.Sub"), new ClaimsKnowledge("Website", false, false, true, "", "ClaimTypes.Webpage", "JwtRegisteredClaimNames.Website"), new ClaimsKnowledge("UniqueName", false, false, true, "", "ClaimTypes.Name", "JwtRegisteredClaimNames.UniqueName"), new ClaimsKnowledge("ObjectId", false, true, true, "EUPI", "\"http://schemas.microsoft.com/identity/claims/objectidentifier\"", "\"oid\""), 
@@ -76,7 +76,7 @@ ClaimsKnowledge[] claimsKnowledge = new ClaimsKnowledge[]
 new ClaimsKnowledge("AuthMethod", false, false, true, "", "ClaimTypes.AuthenticationMethod", "\"authmethod\""),
 new ClaimsKnowledge("CertAppPolicy", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy\"", "\"certapppolicy\""),
 new ClaimsKnowledge("CertAuthorityKeyIdentifier", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier\"", "\"certauthoritykeyidentifier\""),
- new ClaimsKnowledge("CertBasicVonstraints", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints\"", "\"certbasicconstraints\""),
+ new ClaimsKnowledge("CertBasicConstraints", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints\"", "\"certbasicconstraints\""),
 new ClaimsKnowledge("CertEku", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku\"", "\"certeku\""),
 new ClaimsKnowledge("CertIssuer", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer\"", "\"certissuer\""),
 new ClaimsKnowledge("CertIssuerName", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername\"", "\"certissuername\""),
@@ -114,14 +114,14 @@ ClaimsKnowledge[] claimsKnowledge = new ClaimsKnowledge[] new ClaimsKnowledge("ForwardedClientIp", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip\"", "\"forwardedclientip\""), new ClaimsKnowledge("Group", true, false, true, "", "\"http://schemas.xmlsoap.org/claims/Group\"", "\"group\""), new ClaimsKnowledge("GroupsId", true, false, true, "", "ClaimTypes.GroupSid", "\"groupsid\""), - new ClaimsKnowledge("IdTyp", false, false, true, "", "\"idtyp\""), + new ClaimsKnowledge("TokenType", false, false, true, "", "\"idtyp\""), new ClaimsKnowledge("Idp", false, false, true, "", "\"http://schemas.microsoft.com/identity/claims/identityprovider\"", "\"idp\""), new ClaimsKnowledge("InsideCorporateNetwork", false, false, true, "", "\"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork\"", "\"insidecorporatenetwork\""), new ClaimsKnowledge("IsRegisteredUser", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser\"", "\"isregistereduser\""), new ClaimsKnowledge("LoginHint", false, false, false, "", "\"login_hint\""), new ClaimsKnowledge("Ppid", false, false, true, "", "\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier\"", "\"ppid\""), - new ClaimsKnowledge("Primarygroupsid", false, false, true, "", "ClaimTypes.PrimaryGroupSid", "\"primarygroupsid\""), - new ClaimsKnowledge("Primarysid", false, false, true, "", "ClaimTypes.PrimarySid", "\"primarysid\""), + new ClaimsKnowledge("PrimaryGroupSid", false, false, true, "", "ClaimTypes.PrimaryGroupSid", "\"primarygroupsid\""), + new ClaimsKnowledge("PrimarySid", false, false, true, "", "ClaimTypes.PrimarySid", "\"primarysid\""), new ClaimsKnowledge("Proxy", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy\"", "\"proxy\""), new ClaimsKnowledge("PwdChgEndpoint", false, false, true, "", 
"\"http://schemas.microsoft.com/ws/2012/01/passwordchangeurl\"", "\"pwdchgurl\""), new ClaimsKnowledge("PwdExpDays", false, false, true, "", "\"http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays\"", "\"pwdexpdays\""), @@ -130,7 +130,7 @@ ClaimsKnowledge[] claimsKnowledge = new ClaimsKnowledge[] new ClaimsKnowledge("Role", true, true, true, "", "ClaimTypes.Role", "\"role\"", "\"roles\""), new ClaimsKnowledge("Sid", false, false, true, "", "\"sid\""), new ClaimsKnowledge("Upn", false, false, true, "", "ClaimTypes.Upn", "\"upn\""), - new ClaimsKnowledge("Winaccountname", false, false, true, "", "ClaimTypes.WindowsAccountName", "\"winaccountname\""), + new ClaimsKnowledge("WinAccountName", false, false, true, "", "ClaimTypes.WindowsAccountName", "\"winaccountname\""), new ClaimsKnowledge("VerifiedPrimaryEmail", false, false, true, "EUPI", "\"verified_primary_email\""), new ClaimsKnowledge("VerifiedSecondaryEmail", false, false, true, "EUPI", "\"verified_secondary_email\""), new ClaimsKnowledge("VNet", false, false, true, "", "\"vnet\""), diff --git a/src/System.IdentityModel.Tokens.Jwt/System.IdentityModel.Tokens.Jwt.csproj b/src/System.IdentityModel.Tokens.Jwt/System.IdentityModel.Tokens.Jwt.csproj index dc3bee71fb..4eaa3d5f59 100644 --- a/src/System.IdentityModel.Tokens.Jwt/System.IdentityModel.Tokens.Jwt.csproj +++ b/src/System.IdentityModel.Tokens.Jwt/System.IdentityModel.Tokens.Jwt.csproj @@ -15,14 +15,6 @@ true - - - True - True - ClaimsAccessorsDoc.tt - - - all From 54972e45321a422e856b56753309f3ac7e753ced Mon Sep 17 00:00:00 2001 From: Jean-Marc Prieur Date: Fri, 25 Mar 2022 09:15:21 -0700 Subject: [PATCH 07/13] Addressing Kalyan's PR feeedback --- .../ClaimTypeAccessor.gen.cs | 68 +++++++++++-------- .../ClaimsKnowledge.tti | 22 +++--- 2 files changed, 49 insertions(+), 41 deletions(-) 
diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs index 654e1a2aca..70dff82a14 100644 --- a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs +++ b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs @@ -514,6 +514,7 @@ public static string GetWebsite(this ClaimsIdentity claimsIdentity) /// ClaimTypes.Name /// /// This method returns information that is NOT safe to use for authorization. + /// The privacy classification of the information returned is EUPI. /// /// Claims ClaimsPrincipal from which to get the UniqueName. public static string GetUniqueName(this ClaimsPrincipal claimsPrincipal) @@ -534,6 +535,7 @@ public static string GetUniqueName(this ClaimsPrincipal claimsPrincipal) /// ClaimTypes.Name /// /// This method returns information that is NOT safe to use for authorization. + /// The privacy classification of the information returned is EUPI. /// /// Claims ClaimsIdentity from which to get the UniqueName. public static string GetUniqueName(this ClaimsIdentity claimsIdentity) @@ -829,15 +831,15 @@ public static string GetAmr(this ClaimsIdentity claimsIdentity) "http://schemas.microsoft.com/claims/authnmethodsreferences"); } /// - /// Returns the first claim corresponding to AuthMethod claim on a ClaimsPrincipal + /// Returns the first claim corresponding to AuthenticationMethod claim on a ClaimsPrincipal /// /// "authmethod" /// ClaimTypes.AuthenticationMethod /// /// This method returns information that is NOT safe to use for authorization. /// - /// Claims ClaimsPrincipal from which to get the AuthMethod. - public static string GetAuthMethod(this ClaimsPrincipal claimsPrincipal) + /// Claims ClaimsPrincipal from which to get the AuthenticationMethod. + public static string GetAuthenticationMethod(this ClaimsPrincipal claimsPrincipal) { if (claimsPrincipal == null) { 
@@ -849,15 +851,15 @@ public static string GetAuthMethod(this ClaimsPrincipal claimsPrincipal) } /// - /// Returns the first claim corresponding to AuthMethod claim on a ClaimsIdentity + /// Returns the first claim corresponding to AuthenticationMethod claim on a ClaimsIdentity /// /// "authmethod" /// ClaimTypes.AuthenticationMethod /// /// This method returns information that is NOT safe to use for authorization. /// - /// Claims ClaimsIdentity from which to get the AuthMethod. - public static string GetAuthMethod(this ClaimsIdentity claimsIdentity) + /// Claims ClaimsIdentity from which to get the AuthenticationMethod. + public static string GetAuthenticationMethod(this ClaimsIdentity claimsIdentity) { if (claimsIdentity == null) { @@ -2474,7 +2476,7 @@ public static string GetTokenType(this ClaimsIdentity claimsIdentity) /// "idp" /// "http://schemas.microsoft.com/identity/claims/identityprovider" /// - /// This method returns information that is NOT safe to use for authorization. + /// This method returns information that is safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the Idp. public static string GetIdp(this ClaimsPrincipal claimsPrincipal) @@ -2494,7 +2496,7 @@ public static string GetIdp(this ClaimsPrincipal claimsPrincipal) /// "idp" /// "http://schemas.microsoft.com/identity/claims/identityprovider" /// - /// This method returns information that is NOT safe to use for authorization. + /// This method returns information that is safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the Idp. public static string GetIdp(this ClaimsIdentity claimsIdentity) 
@@ -2513,7 +2515,7 @@ public static string GetIdp(this ClaimsIdentity claimsIdentity) /// "insidecorporatenetwork" /// "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" /// - /// This method returns information that is NOT safe to use for authorization. + /// This method returns information that is safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the InsideCorporateNetwork. public static string GetInsideCorporateNetwork(this ClaimsPrincipal claimsPrincipal) @@ -2533,7 +2535,7 @@ public static string GetInsideCorporateNetwork(this ClaimsPrincipal claimsPrinci /// "insidecorporatenetwork" /// "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" /// - /// This method returns information that is NOT safe to use for authorization. + /// This method returns information that is safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the InsideCorporateNetwork. public static string GetInsideCorporateNetwork(this ClaimsIdentity claimsIdentity) @@ -2552,7 +2554,7 @@ public static string GetInsideCorporateNetwork(this ClaimsIdentity claimsIdentit /// "isregistereduser" /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" /// - /// This method returns information that is NOT safe to use for authorization. + /// This method returns information that is safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the IsRegisteredUser. public static string GetIsRegisteredUser(this ClaimsPrincipal claimsPrincipal) 
@@ -2572,7 +2574,7 @@ public static string GetIsRegisteredUser(this ClaimsPrincipal claimsPrincipal) /// "isregistereduser" /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" /// - /// This method returns information that is NOT safe to use for authorization. + /// This method returns information that is safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the IsRegisteredUser. public static string GetIsRegisteredUser(this ClaimsIdentity claimsIdentity) @@ -2621,15 +2623,16 @@ public static string GetLoginHint(this ClaimsIdentity claimsIdentity) "login_hint"); } /// - /// Returns the first claim corresponding to Ppid claim on a ClaimsPrincipal + /// Returns the first claim corresponding to PrivatePersonalIdentifier claim on a ClaimsPrincipal /// /// "ppid" /// "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" /// /// This method returns information that is NOT safe to use for authorization. + /// The privacy classification of the information returned is EUPI. /// - /// Claims ClaimsPrincipal from which to get the Ppid. - public static string GetPpid(this ClaimsPrincipal claimsPrincipal) + /// Claims ClaimsPrincipal from which to get the PrivatePersonalIdentifier. + public static string GetPrivatePersonalIdentifier(this ClaimsPrincipal claimsPrincipal) { if (claimsPrincipal == null) { 
@@ -2641,15 +2644,16 @@ public static string GetPpid(this ClaimsPrincipal claimsPrincipal) } /// - /// Returns the first claim corresponding to Ppid claim on a ClaimsIdentity + /// Returns the first claim corresponding to PrivatePersonalIdentifier claim on a ClaimsIdentity /// /// "ppid" /// "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" /// /// This method returns information that is NOT safe to use for authorization. + /// The privacy classification of the information returned is EUPI. /// - /// Claims ClaimsIdentity from which to get the Ppid. - public static string GetPpid(this ClaimsIdentity claimsIdentity) + /// Claims ClaimsIdentity from which to get the PrivatePersonalIdentifier. + public static string GetPrivatePersonalIdentifier(this ClaimsIdentity claimsIdentity) { if (claimsIdentity == null) { @@ -2665,7 +2669,7 @@ public static string GetPpid(this ClaimsIdentity claimsIdentity) /// "primarygroupsid" /// ClaimTypes.PrimaryGroupSid /// - /// This method returns information that is NOT safe to use for authorization. + /// This method returns information that is safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the PrimaryGroupSid. public static string GetPrimaryGroupSid(this ClaimsPrincipal claimsPrincipal) @@ -2685,7 +2689,7 @@ public static string GetPrimaryGroupSid(this ClaimsPrincipal claimsPrincipal) /// "primarygroupsid" /// ClaimTypes.PrimaryGroupSid /// - /// This method returns information that is NOT safe to use for authorization. + /// This method returns information that is safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the PrimaryGroupSid. public static string GetPrimaryGroupSid(this ClaimsIdentity claimsIdentity) 
@@ -2704,7 +2708,7 @@ public static string GetPrimaryGroupSid(this ClaimsIdentity claimsIdentity) /// "primarysid" /// ClaimTypes.PrimarySid /// - /// This method returns information that is NOT safe to use for authorization. + /// This method returns information that is safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the PrimarySid. public static string GetPrimarySid(this ClaimsPrincipal claimsPrincipal) @@ -2724,7 +2728,7 @@ public static string GetPrimarySid(this ClaimsPrincipal claimsPrincipal) /// "primarysid" /// ClaimTypes.PrimarySid /// - /// This method returns information that is NOT safe to use for authorization. + /// This method returns information that is safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the PrimarySid. public static string GetPrimarySid(this ClaimsIdentity claimsIdentity) @@ -2981,7 +2985,7 @@ public static IEnumerable GetRole(this ClaimsIdentity claimsIdentity) /// /// "sid" /// - /// This method returns information that is NOT safe to use for authorization. + /// This method returns information that is safe to use for authorization. /// /// Claims ClaimsPrincipal from which to get the Sid. public static string GetSid(this ClaimsPrincipal claimsPrincipal) @@ -2999,7 +3003,7 @@ public static string GetSid(this ClaimsPrincipal claimsPrincipal) /// /// "sid" /// - /// This method returns information that is NOT safe to use for authorization. + /// This method returns information that is safe to use for authorization. /// /// Claims ClaimsIdentity from which to get the Sid. public static string GetSid(this ClaimsIdentity claimsIdentity) 
@@ -3018,6 +3022,7 @@ public static string GetSid(this ClaimsIdentity claimsIdentity) /// ClaimTypes.Upn /// /// This method returns information that is NOT safe to use for authorization. + /// The privacy classification of the information returned is EUPI. /// /// Claims ClaimsPrincipal from which to get the Upn. public static string GetUpn(this ClaimsPrincipal claimsPrincipal) @@ -3038,6 +3043,7 @@ public static string GetUpn(this ClaimsPrincipal claimsPrincipal) /// ClaimTypes.Upn /// /// This method returns information that is NOT safe to use for authorization. + /// The privacy classification of the information returned is EUPI. /// /// Claims ClaimsIdentity from which to get the Upn. public static string GetUpn(this ClaimsIdentity claimsIdentity) @@ -3051,15 +3057,16 @@ public static string GetUpn(this ClaimsIdentity claimsIdentity) ClaimTypes.Upn); } /// - /// Returns the first claim corresponding to WinAccountName claim on a ClaimsPrincipal + /// Returns the first claim corresponding to WindowsAccountName claim on a ClaimsPrincipal /// /// "winaccountname" /// ClaimTypes.WindowsAccountName /// /// This method returns information that is NOT safe to use for authorization. + /// The privacy classification of the information returned is EUPI. /// - /// Claims ClaimsPrincipal from which to get the WinAccountName. - public static string GetWinAccountName(this ClaimsPrincipal claimsPrincipal) + /// Claims ClaimsPrincipal from which to get the WindowsAccountName. + public static string GetWindowsAccountName(this ClaimsPrincipal claimsPrincipal) { if (claimsPrincipal == null) { 
@@ -3071,15 +3078,16 @@ public static string GetWinAccountName(this ClaimsPrincipal claimsPrincipal) } /// - /// Returns the first claim corresponding to WinAccountName claim on a ClaimsIdentity + /// Returns the first claim corresponding to WindowsAccountName claim on a ClaimsIdentity /// /// "winaccountname" /// ClaimTypes.WindowsAccountName /// /// This method returns information that is NOT safe to use for authorization. + /// The privacy classification of the information returned is EUPI. /// - /// Claims ClaimsIdentity from which to get the WinAccountName. - public static string GetWinAccountName(this ClaimsIdentity claimsIdentity) + /// Claims ClaimsIdentity from which to get the WindowsAccountName. + public static string GetWindowsAccountName(this ClaimsIdentity claimsIdentity) { if (claimsIdentity == null) { diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimsKnowledge.tti b/src/System.IdentityModel.Tokens.Jwt/ClaimsKnowledge.tti index 666dca29ba..77c5e1ea6f 100644 --- a/src/System.IdentityModel.Tokens.Jwt/ClaimsKnowledge.tti +++ b/src/System.IdentityModel.Tokens.Jwt/ClaimsKnowledge.tti 
@@ -65,7 +65,7 @@ ClaimsKnowledge[] claimsKnowledge = new ClaimsKnowledge[]
 new ClaimsKnowledge("NameId", false, false, true, "", "ClaimTypes.NameIdentifier", "JwtRegisteredClaimNames.NameId"),
 new ClaimsKnowledge("Subject", false, false, true, "", "ClaimTypes.NameIdentifier", "JwtRegisteredClaimNames.Sub"),
 new ClaimsKnowledge("Website", false, false, true, "", "ClaimTypes.Webpage", "JwtRegisteredClaimNames.Website"),
- new ClaimsKnowledge("UniqueName", false, false, true, "", "ClaimTypes.Name", "JwtRegisteredClaimNames.UniqueName"),
+ new ClaimsKnowledge("UniqueName", false, false, true, "EUPI", "ClaimTypes.Name", "JwtRegisteredClaimNames.UniqueName"),
 new ClaimsKnowledge("ObjectId", false, true, true, "EUPI", "\"http://schemas.microsoft.com/identity/claims/objectidentifier\"", "\"oid\""),
 new ClaimsKnowledge("Scopes", true, true, true, "", "\"http://schemas.microsoft.com/identity/claims/scope\"", "\"scp\""),
 new ClaimsKnowledge("TenantId", false, true, true, "OII", "\"http://schemas.microsoft.com/identity/claims/tenantid\"", "\"tid\""),
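Review bot: Every `new ClaimsKnowledge(...)` entry in this hunk passes three unnamed booleans in a row, and judging from ClaimsAccessorsDoc.md (ObjectId, `false, true, true`, is listed there as `True`) the second one appears to be the flag behind the generated "safe to use for authorization" sentence. The hunk at -115 of this same file, which continues past the visible part of the page, flips exactly that position for `Idp`, `InsideCorporateNetwork` and `IsRegisteredUser`, a one-token change that is easy to miss or misplace in review. I would pass that argument by name, e.g. `isUsableInAuthorizationPolicies: true`, assuming the constructor parameter is named after the `IsUsableInAuthorizationPolicies` property the template reads; the constructor is not visible here. Failing that, a comment above the array naming each positional argument in order would make these flips reviewable.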
@@ -73,7 +73,7 @@ ClaimsKnowledge[] claimsKnowledge = new ClaimsKnowledge[]
 new ClaimsKnowledge("Adfs1Email", false, false, true, "EUPI", "\"http://schemas.xmlsoap.org/claims/EmailAddress\"", "\"adfs1email\""),
 new ClaimsKnowledge("Adfs1Upn", false, false, true, "EUPI", "\"http://schemas.xmlsoap.org/claims/UPN\"", "\"adfs1upn\""),
 new ClaimsKnowledge("Amr", false, false, true, "", "\"http://schemas.microsoft.com/claims/authnmethodsreferences\"", "\"amr\""),
- new ClaimsKnowledge("AuthMethod", false, false, true, "", "ClaimTypes.AuthenticationMethod", "\"authmethod\""),
+ new ClaimsKnowledge("AuthenticationMethod", false, false, true, "", "ClaimTypes.AuthenticationMethod", "\"authmethod\""),
 new ClaimsKnowledge("CertAppPolicy", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy\"", "\"certapppolicy\""),
 new ClaimsKnowledge("CertAuthorityKeyIdentifier", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier\"", "\"certauthoritykeyidentifier\""),
 new ClaimsKnowledge("CertBasicConstraints", false, false, true, "", "\"http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints\"", "\"certbasicconstraints\""),
@@ -115,22 +115,22 @@ ClaimsKnowledge[] claimsKnowledge = new ClaimsKnowledge[]
 new ClaimsKnowledge("Group", true, false, true, "", "\"http://schemas.xmlsoap.org/claims/Group\"", "\"group\""),
 new ClaimsKnowledge("GroupsId", true, false, true, "", "ClaimTypes.GroupSid", "\"groupsid\""),
 new ClaimsKnowledge("TokenType", false, false, true, "", "\"idtyp\""),
- new ClaimsKnowledge("Idp", false, false, true, "", "\"http://schemas.microsoft.com/identity/claims/identityprovider\"", "\"idp\""),
- new ClaimsKnowledge("InsideCorporateNetwork", false, false, true, "", "\"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork\"", "\"insidecorporatenetwork\""),
- new ClaimsKnowledge("IsRegisteredUser", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser\"", "\"isregistereduser\""),
+ new ClaimsKnowledge("Idp", false, true, true, "", "\"http://schemas.microsoft.com/identity/claims/identityprovider\"", "\"idp\""),
+ new ClaimsKnowledge("InsideCorporateNetwork", false, true, true, "", "\"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork\"", "\"insidecorporatenetwork\""),
+ new ClaimsKnowledge("IsRegisteredUser", false, true, true, "", "\"http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser\"", "\"isregistereduser\""),
 new ClaimsKnowledge("LoginHint", false, false, false, "", "\"login_hint\""),
- new ClaimsKnowledge("Ppid", false, false, true, "", "\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier\"", "\"ppid\""),
- new ClaimsKnowledge("PrimaryGroupSid", false, false, true, "", "ClaimTypes.PrimaryGroupSid", "\"primarygroupsid\""),
- new ClaimsKnowledge("PrimarySid", false, false, true, "", "ClaimTypes.PrimarySid", "\"primarysid\""),
+ new ClaimsKnowledge("PrivatePersonalIdentifier", false, false, true, "EUPI", "\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier\"", "\"ppid\""),
+ new ClaimsKnowledge("PrimaryGroupSid", false, true, true, "", "ClaimTypes.PrimaryGroupSid", "\"primarygroupsid\""),
+ new ClaimsKnowledge("PrimarySid", false, true, true, "", "ClaimTypes.PrimarySid", "\"primarysid\""),
 new ClaimsKnowledge("Proxy", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy\"", "\"proxy\""),
 new ClaimsKnowledge("PwdChgEndpoint", false, false, true, "", "\"http://schemas.microsoft.com/ws/2012/01/passwordchangeurl\"", "\"pwdchgurl\""),
 new ClaimsKnowledge("PwdExpDays", false, false, true, "", "\"http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays\"", "\"pwdexpdays\""),
 new ClaimsKnowledge("PwdExpTime", false, false, true, "", "\"http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime\"", "\"pwdexptime\""),
 new ClaimsKnowledge("RelyingPartyTrustId", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid\"", "\"relyingpartytrustid\""),
 new ClaimsKnowledge("Role", true, true, true, "", "ClaimTypes.Role", "\"role\"", "\"roles\""),
- new ClaimsKnowledge("Sid", false, false, true, "", "\"sid\""),
- new ClaimsKnowledge("Upn", false, false, true, "", "ClaimTypes.Upn", "\"upn\""),
- new ClaimsKnowledge("WinAccountName", false, false, true, "", "ClaimTypes.WindowsAccountName", "\"winaccountname\""),
+ new ClaimsKnowledge("Sid", false, true, true, "", "\"sid\""),
+ new ClaimsKnowledge("Upn", false, false, true, "EUPI", "ClaimTypes.Upn", "\"upn\""),
+ new ClaimsKnowledge("WindowsAccountName", false, false, true, "EUPI", "ClaimTypes.WindowsAccountName", "\"winaccountname\""),
 new ClaimsKnowledge("VerifiedPrimaryEmail", false, false, true, "EUPI", "\"verified_primary_email\""),
 new ClaimsKnowledge("VerifiedSecondaryEmail", false, false, true, "EUPI", "\"verified_secondary_email\""),
 new ClaimsKnowledge("VNet", false, false, true, "", "\"vnet\""),
From e524d52a6c19d63ebb0eef76488af5c0ab9ff314 Mon Sep 17 00:00:00 2001
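Review bot: Six entries in the `@@ -115,22 +115,22 @@` hunk flip the second positional boolean from `false` to `true` (`Idp`, `InsideCorporateNetwork`, `IsRegisteredUser`, `PrimaryGroupSid`, `PrimarySid`, `Sid`) without any recorded justification. Judging by the generated XML doc ("NOT safe to use for authorization") and the True/False column in ClaimsAccessorsDoc.md, that flag appears to mark a claim as safe for authorization decisions, so each flip changes what callers are told they may trust. I would add a one-line comment above each flipped entry naming the issuer that guarantees the value and why it is not user- or partner-controlled, for example `// sid: <issuer, and why the value cannot be influenced by the caller>`, and leave the flag `false` wherever that cannot be stated. Three adjacent positional booleans are also easy to transpose; named arguments (using the parameter names declared on `ClaimsKnowledge`, which are outside this hunk) would make a wrong flip visible in review. The array initializer starts and ends outside the hunk.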
From: Jean-Marc Prieur Date: Wed, 30 Mar 2022 21:18:14 -0700 Subject: [PATCH 08/13] Adding a new assembly with the claims accessors --- Wilson.sln | 11 +- .../ClaimTypeAccessor.gen.cs | 3 +- .../ClaimTypeAccessor.tt | 3 +- .../ClaimsAccessorsDoc.md | 22 ++-- .../ClaimsAccessorsDoc.tt | 0 .../ClaimsKnowledge.tti | 0 .../ClaimsTypeAccessor.cs | 2 +- .../Microsoft.IdentityModel.Aad.csproj | 62 ++++++++++ .../Properties/AssemblyInfo.cs | 38 ++++++ .../ClaimTypeMapping.tt | 115 ------------------ .../System.IdentityModel.Tokens.Jwt.csproj | 40 ------ 11 files changed, 125 insertions(+), 171 deletions(-) rename src/{System.IdentityModel.Tokens.Jwt => Microsoft.IdentityModel.Aad}/ClaimTypeAccessor.gen.cs (99%) rename src/{System.IdentityModel.Tokens.Jwt => Microsoft.IdentityModel.Aad}/ClaimTypeAccessor.tt (98%) rename src/{System.IdentityModel.Tokens.Jwt => Microsoft.IdentityModel.Aad}/ClaimsAccessorsDoc.md (88%) rename src/{System.IdentityModel.Tokens.Jwt => Microsoft.IdentityModel.Aad}/ClaimsAccessorsDoc.tt (100%) rename src/{System.IdentityModel.Tokens.Jwt => Microsoft.IdentityModel.Aad}/ClaimsKnowledge.tti (100%) rename src/{System.IdentityModel.Tokens.Jwt => Microsoft.IdentityModel.Aad}/ClaimsTypeAccessor.cs (99%) create mode 100644 src/Microsoft.IdentityModel.Aad/Microsoft.IdentityModel.Aad.csproj create mode 100644 src/Microsoft.IdentityModel.Aad/Properties/AssemblyInfo.cs delete mode 100644 src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.tt diff --git a/Wilson.sln b/Wilson.sln index 3b3881eec7..1c2a89374b 100644 --- a/Wilson.sln +++ b/Wilson.sln @@ -1,7 +1,7 @@  Microsoft Visual Studio Solution File, Format Version 12.00 -# Visual Studio Version 16 -VisualStudioVersion = 16.0.29230.47 +# Visual Studio Version 17 +VisualStudioVersion = 17.1.32319.34 MinimumVisualStudioVersion = 10.0.40219.1 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{BD2706C5-6C57-484D-89C8-A0CF5F8E3D19}" EndProject 
@@ -97,6 +97,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.IdentityModel.Val EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.IdentityModel.SampleTests", "test\Microsoft.IdentityModel.SampleTests\Microsoft.IdentityModel.SampleTests.csproj", "{578FDF8F-6568-448A-AB93-D94269593932}" EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.IdentityModel.Aad", "src\Microsoft.IdentityModel.Aad\Microsoft.IdentityModel.Aad.csproj", "{9F129E45-1660-42A8-B7D3-0859EBF0CB6A}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU @@ -227,6 +229,10 @@ Global {578FDF8F-6568-448A-AB93-D94269593932}.Debug|Any CPU.Build.0 = Debug|Any CPU {578FDF8F-6568-448A-AB93-D94269593932}.Release|Any CPU.ActiveCfg = Release|Any CPU {578FDF8F-6568-448A-AB93-D94269593932}.Release|Any CPU.Build.0 = Release|Any CPU + {9F129E45-1660-42A8-B7D3-0859EBF0CB6A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {9F129E45-1660-42A8-B7D3-0859EBF0CB6A}.Debug|Any CPU.Build.0 = Debug|Any CPU + {9F129E45-1660-42A8-B7D3-0859EBF0CB6A}.Release|Any CPU.ActiveCfg = Release|Any CPU + {9F129E45-1660-42A8-B7D3-0859EBF0CB6A}.Release|Any CPU.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE @@ -266,6 +272,7 @@ Global {DA585910-0E6C-45A5-AABD-30917130FD63} = {BD2706C5-6C57-484D-89C8-A0CF5F8E3D19} {D17F097F-6024-40BA-A7A0-015BB90F203B} = {8905D2E3-4499-4A86-BF3E-F098F228DD59} {578FDF8F-6568-448A-AB93-D94269593932} = {8905D2E3-4499-4A86-BF3E-F098F228DD59} + {9F129E45-1660-42A8-B7D3-0859EBF0CB6A} = {BD2706C5-6C57-484D-89C8-A0CF5F8E3D19} EndGlobalSection GlobalSection(ExtensibilityGlobals) = postSolution SolutionGuid = {2F681326-7ED4-45F6-BD1D-1119EA388F42} 
diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs b/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.gen.cs similarity index 99% rename from src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs rename to src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.gen.cs index 70dff82a14..199fae5800 100644 --- a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs +++ b/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.gen.cs @@ -29,9 +29,10 @@ // DON'T UPDATE MANUALLY using System.Collections.Generic; +using System.IdentityModel.Tokens.Jwt; using System.Security.Claims; -namespace System.IdentityModel.Tokens.Jwt +namespace System.IdentityModel.Aad { /// /// Defines extension methods to access claims by purpose, and not by name, making it compatible diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.tt b/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.tt similarity index 98% rename from src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.tt rename to src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.tt index 63ce45c66d..cb78f8f560 100644 --- a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.tt +++ b/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.tt @@ -36,9 +36,10 @@ // DON'T UPDATE MANUALLY using System.Collections.Generic; +using System.IdentityModel.Tokens.Jwt; using System.Security.Claims; -namespace System.IdentityModel.Tokens.Jwt +namespace System.IdentityModel.Aad { /// /// Defines extension methods to access claims by purpose, and not by name, making it compatible diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimsAccessorsDoc.md b/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.md similarity index 88% rename from src/System.IdentityModel.Tokens.Jwt/ClaimsAccessorsDoc.md rename to src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.md index b99185669a..a3060fb255 100644 --- a/src/System.IdentityModel.Tokens.Jwt/ClaimsAccessorsDoc.md +++ b/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.md 
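Review bot: The namespace introduced in the ClaimTypeAccessor.tt hunk, `namespace System.IdentityModel.Aad`, does not match the assembly it now ships in, which the new project file names Microsoft.IdentityModel.Aad. Callers looking for these claim accessors will search the `Microsoft.IdentityModel.*` namespaces, and a `System.*` namespace in a newly created assembly reads as a framework type. I would use `namespace Microsoft.IdentityModel.Aad` in the template so the generated ClaimTypeAccessor.gen.cs follows, and make the same change in the ClaimsTypeAccessor.cs hunk; the identical hunks repeated under PATCH 09/13 carry the same point. The class body continues outside the hunk.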
@@ -12,7 +12,7 @@ string | GetGivenName | False | EUII | JwtRegisteredClaimNames.GivenName
Cl string | GetNameId | False | | JwtRegisteredClaimNames.NameId
ClaimTypes.NameIdentifier string | GetSubject | False | | JwtRegisteredClaimNames.Sub
ClaimTypes.NameIdentifier string | GetWebsite | False | | JwtRegisteredClaimNames.Website
ClaimTypes.Webpage -string | GetUniqueName | False | | JwtRegisteredClaimNames.UniqueName
ClaimTypes.Name +string | GetUniqueName | False | EUPI | JwtRegisteredClaimNames.UniqueName
ClaimTypes.Name string | GetObjectId | True | EUPI | "oid"
"http://schemas.microsoft.com/identity/claims/objectidentifier" IEnumerable | GetScopes | True | | "scp"
"http://schemas.microsoft.com/identity/claims/scope" string | GetTenantId | True | OII | "tid"
"http://schemas.microsoft.com/identity/claims/tenantid" @@ -20,7 +20,7 @@ string | GetAcr | False | | "acr"
"http://schemas.microsoft.com/claims/aut string | GetAdfs1Email | False | EUPI | "adfs1email"
"http://schemas.xmlsoap.org/claims/EmailAddress" string | GetAdfs1Upn | False | EUPI | "adfs1upn"
"http://schemas.xmlsoap.org/claims/UPN" string | GetAmr | False | | "amr"
"http://schemas.microsoft.com/claims/authnmethodsreferences" -string | GetAuthMethod | False | | "authmethod"
ClaimTypes.AuthenticationMethod +string | GetAuthenticationMethod | False | | "authmethod"
ClaimTypes.AuthenticationMethod string | GetCertAppPolicy | False | | "certapppolicy"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy" string | GetCertAuthorityKeyIdentifier | False | | "certauthoritykeyidentifier"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier" string | GetCertBasicConstraints | False | | "certbasicconstraints"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints" @@ -62,21 +62,21 @@ string | GetForwardedClientIp | False | | "forwardedclientip"
"http://sche IEnumerable | GetGroup | False | | "group"
"http://schemas.xmlsoap.org/claims/Group" IEnumerable | GetGroupsId | False | | "groupsid"
ClaimTypes.GroupSid string | GetTokenType | False | | "idtyp" -string | GetIdp | False | | "idp"
"http://schemas.microsoft.com/identity/claims/identityprovider" -string | GetInsideCorporateNetwork | False | | "insidecorporatenetwork"
"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" -string | GetIsRegisteredUser | False | | "isregistereduser"
"http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" -string | GetPpid | False | | "ppid"
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" -string | GetPrimaryGroupSid | False | | "primarygroupsid"
ClaimTypes.PrimaryGroupSid -string | GetPrimarySid | False | | "primarysid"
ClaimTypes.PrimarySid +string | GetIdp | True | | "idp"
"http://schemas.microsoft.com/identity/claims/identityprovider" +string | GetInsideCorporateNetwork | True | | "insidecorporatenetwork"
"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" +string | GetIsRegisteredUser | True | | "isregistereduser"
"http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" +string | GetPrivatePersonalIdentifier | False | EUPI | "ppid"
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" +string | GetPrimaryGroupSid | True | | "primarygroupsid"
ClaimTypes.PrimaryGroupSid +string | GetPrimarySid | True | | "primarysid"
ClaimTypes.PrimarySid string | GetProxy | False | | "proxy"
"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy" string | GetPwdChgEndpoint | False | | "pwdchgurl"
"http://schemas.microsoft.com/ws/2012/01/passwordchangeurl" string | GetPwdExpDays | False | | "pwdexpdays"
"http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays" string | GetPwdExpTime | False | | "pwdexptime"
"http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime" string | GetRelyingPartyTrustId | False | | "relyingpartytrustid"
"http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid" IEnumerable | GetRole | True | | "role"
"roles"
ClaimTypes.Role -string | GetSid | False | | "sid" -string | GetUpn | False | | "upn"
ClaimTypes.Upn -string | GetWinAccountName | False | | "winaccountname"
ClaimTypes.WindowsAccountName +string | GetSid | True | | "sid" +string | GetUpn | False | EUPI | "upn"
ClaimTypes.Upn +string | GetWindowsAccountName | False | EUPI | "winaccountname"
ClaimTypes.WindowsAccountName string | GetVerifiedPrimaryEmail | False | EUPI | "verified_primary_email" string | GetVerifiedSecondaryEmail | False | EUPI | "verified_secondary_email" string | GetVNet | False | | "vnet" diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimsAccessorsDoc.tt b/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.tt similarity index 100% rename from src/System.IdentityModel.Tokens.Jwt/ClaimsAccessorsDoc.tt rename to src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.tt diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimsKnowledge.tti b/src/Microsoft.IdentityModel.Aad/ClaimsKnowledge.tti similarity index 100% rename from src/System.IdentityModel.Tokens.Jwt/ClaimsKnowledge.tti rename to src/Microsoft.IdentityModel.Aad/ClaimsKnowledge.tti diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimsTypeAccessor.cs b/src/Microsoft.IdentityModel.Aad/ClaimsTypeAccessor.cs similarity index 99% rename from src/System.IdentityModel.Tokens.Jwt/ClaimsTypeAccessor.cs rename to src/Microsoft.IdentityModel.Aad/ClaimsTypeAccessor.cs index e1fc32ad4d..49756b52f2 100644 --- a/src/System.IdentityModel.Tokens.Jwt/ClaimsTypeAccessor.cs +++ b/src/Microsoft.IdentityModel.Aad/ClaimsTypeAccessor.cs @@ -32,7 +32,7 @@ using System.Security.Claims; using System.Linq; -namespace System.IdentityModel.Tokens.Jwt +namespace System.IdentityModel.Aad { /// /// Defines extension methods to access claims by purpose, and not by name, making it compatible diff --git a/src/Microsoft.IdentityModel.Aad/Microsoft.IdentityModel.Aad.csproj b/src/Microsoft.IdentityModel.Aad/Microsoft.IdentityModel.Aad.csproj new file mode 100644 index 0000000000..4687fd6783 --- /dev/null +++ b/src/Microsoft.IdentityModel.Aad/Microsoft.IdentityModel.Aad.csproj 
@@ -0,0 +1,62 @@ + + + + + + Microsoft.IdentityModel.Aad + Includes types that provide Aad specific features. + true + Microsoft.IdentityModel.Aad + .NET;Windows;Authentication;Identity;OpenIdConnect;Claims;AzureAD;Microsoft identity platform + + + + full + true + + + + + all + runtime; build; native; contentfiles; analyzers; buildtransitive + + + + + + + + + + + + + + + True + True + ClaimsAccessorsDoc.tt + + + TextTemplatingFileGenerator + ClaimsAccessorsDoc.md + + + TextTemplatingFileGenerator + ClaimTypeAccessor.gen.cs + + + + + + + + + + True + True + ClaimTypeAccessor.tt + + + + diff --git a/src/Microsoft.IdentityModel.Aad/Properties/AssemblyInfo.cs b/src/Microsoft.IdentityModel.Aad/Properties/AssemblyInfo.cs new file mode 100644 index 0000000000..7daabe16dd --- /dev/null +++ b/src/Microsoft.IdentityModel.Aad/Properties/AssemblyInfo.cs 
@@ -0,0 +1,38 @@ +//------------------------------------------------------------------------------ +// +// Copyright (c) Microsoft Corporation. +// All rights reserved. +// +// This code is licensed under the MIT License. +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files(the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions : +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. +// +//------------------------------------------------------------------------------ + +using System; +using System.Reflection; +using System.Runtime.CompilerServices; +using System.Runtime.InteropServices; + +[assembly: AssemblyInformationalVersion("0.0.1")] +[assembly: AssemblyFileVersion("0.0.1")] +[assembly: AssemblyMetadata("Serviceable", "True")] +[assembly: AssemblyVersion("0.0.1")] +[assembly: CLSCompliant(true)] +[assembly: ComVisible(false)] diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.tt b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.tt deleted file mode 100644 index d763c68f86..0000000000 
--- a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.tt +++ /dev/null 
@@ -1,115 +0,0 @@ -<#@ template debug="false" hostspecific="false" language="C#" #> -<#@ assembly name="System.Core" #> -<#@ import namespace="System.Linq" #> -<#@ import namespace="System.Text" #> -<#@ import namespace="System.Collections.Generic" #> -<#@ output extension=".cs" #> -<#@ include file="ClaimsKnowledge.tti" #> -//------------------------------------------------------------------------------ -// -// Copyright (c) Microsoft Corporation. -// All rights reserved. -// -// This code is licensed under the MIT License. -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files(the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions : -// -// The above copyright notice and this permission notice shall be included in -// all copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -// THE SOFTWARE. 
-// -//------------------------------------------------------------------------------ - -// THIS FILE IS AUTOMATICALLY GENERATED FROM ClaimsTypeMapping.tt USING T4 -// DON'T UPDATE MANUALLY - -using System.Collections.Generic; -using System.Security.Claims; - -namespace System.IdentityModel.Tokens.Jwt -{ - /// - /// Defines the inbound and outbound mapping for claim claim types from jwt to .net claim - /// - internal static class ClaimTypeMapping - { - // This is the short to long mapping. - // key is the long claim type - // value is the short claim type - private static Dictionary shortToLongClaimTypeMapping = new Dictionary - { -<# - foreach(ClaimsKnowledge c in claimsKnowledge.Where(c => c.GenerateMapping)) - { - foreach(string shortClaimType in c.ShortClaimNames) - { -#> - { <#=shortClaimType#>, <#=c.LongClaimName#> }, -<# - } - } -#> - }; - - private static IDictionary longToShortClaimTypeMapping = new Dictionary(); - private static HashSet inboundClaimFilter = inboundClaimFilter = new HashSet(); - - /// - /// Initializes static members of the class. - /// - static ClaimTypeMapping() - { - foreach (KeyValuePair kv in shortToLongClaimTypeMapping) - { - if (longToShortClaimTypeMapping.ContainsKey(kv.Value)) - { - continue; - } - - longToShortClaimTypeMapping.Add(kv.Value, kv.Key); - } - } - - /// - /// Gets the InboundClaimTypeMap used by JwtSecurityTokenHandler when producing claims from jwt. - /// - public static IDictionary InboundClaimTypeMap - { - get - { - return shortToLongClaimTypeMapping; - } - } - - /// - /// Gets the OutboundClaimTypeMap is used by JwtSecurityTokenHandler to shorten claim types when creating a jwt. - /// - public static IDictionary OutboundClaimTypeMap - { - get - { - return longToShortClaimTypeMapping; - } - } - - public static ISet InboundClaimFilter - { - get - { - return inboundClaimFilter; - } - } - } -} 
diff --git a/src/System.IdentityModel.Tokens.Jwt/System.IdentityModel.Tokens.Jwt.csproj b/src/System.IdentityModel.Tokens.Jwt/System.IdentityModel.Tokens.Jwt.csproj index 4eaa3d5f59..e60889ab54 100644 --- a/src/System.IdentityModel.Tokens.Jwt/System.IdentityModel.Tokens.Jwt.csproj +++ b/src/System.IdentityModel.Tokens.Jwt/System.IdentityModel.Tokens.Jwt.csproj @@ -27,44 +27,4 @@ - - - True - True - ClaimsAccessorsDoc.tt - - - TextTemplatingFileGenerator - ClaimsAccessorsDoc.md - - - - - - ClaimTypeAccessor.gen.cs - TextTemplatingFileGenerator - - - TextTemplatingFileGenerator - ClaimTypeMapping.cs - - - - - - - - - - True - True - ClaimTypeAccessor.tt - - - True - True - ClaimTypeMapping.tt - - - From 00cfad6daf702fdd94b381b4ebd46887ee161baa Mon Sep 17 00:00:00 2001 
From: Jean-Marc Prieur Date: Wed, 30 Mar 2022 21:18:14 -0700 Subject: [PATCH 09/13] Adding a new assembly with the claims accessors --- Wilson.sln | 11 +- .../ClaimTypeAccessor.gen.cs | 3 +- .../ClaimTypeAccessor.tt | 3 +- .../ClaimsAccessorsDoc.md | 22 ++-- .../ClaimsAccessorsDoc.tt | 0 .../ClaimsKnowledge.tti | 0 .../ClaimsTypeAccessor.cs | 2 +- .../Microsoft.IdentityModel.Aad.csproj | 62 ++++++++++ .../Properties/AssemblyInfo.cs | 38 ++++++ .../ClaimTypeMapping.cs | 3 - .../ClaimTypeMapping.tt | 115 ------------------ .../System.IdentityModel.Tokens.Jwt.csproj | 40 ------ 12 files changed, 125 insertions(+), 174 deletions(-) rename src/{System.IdentityModel.Tokens.Jwt => Microsoft.IdentityModel.Aad}/ClaimTypeAccessor.gen.cs (99%) rename src/{System.IdentityModel.Tokens.Jwt => Microsoft.IdentityModel.Aad}/ClaimTypeAccessor.tt (98%) rename src/{System.IdentityModel.Tokens.Jwt => Microsoft.IdentityModel.Aad}/ClaimsAccessorsDoc.md (88%) rename src/{System.IdentityModel.Tokens.Jwt => Microsoft.IdentityModel.Aad}/ClaimsAccessorsDoc.tt (100%) rename src/{System.IdentityModel.Tokens.Jwt => Microsoft.IdentityModel.Aad}/ClaimsKnowledge.tti (100%) rename src/{System.IdentityModel.Tokens.Jwt => Microsoft.IdentityModel.Aad}/ClaimsTypeAccessor.cs (99%) create mode 100644 src/Microsoft.IdentityModel.Aad/Microsoft.IdentityModel.Aad.csproj create mode 100644 src/Microsoft.IdentityModel.Aad/Properties/AssemblyInfo.cs delete mode 100644 src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.tt diff --git a/Wilson.sln b/Wilson.sln index 3b3881eec7..1c2a89374b 100644 --- a/Wilson.sln +++ b/Wilson.sln @@ -1,7 +1,7 @@  Microsoft Visual Studio Solution File, Format Version 12.00 -# Visual Studio Version 16 -VisualStudioVersion = 16.0.29230.47 +# Visual Studio Version 17 +VisualStudioVersion = 17.1.32319.34 MinimumVisualStudioVersion = 10.0.40219.1 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{BD2706C5-6C57-484D-89C8-A0CF5F8E3D19}" EndProject 
@@ -97,6 +97,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.IdentityModel.Val EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.IdentityModel.SampleTests", "test\Microsoft.IdentityModel.SampleTests\Microsoft.IdentityModel.SampleTests.csproj", "{578FDF8F-6568-448A-AB93-D94269593932}" EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.IdentityModel.Aad", "src\Microsoft.IdentityModel.Aad\Microsoft.IdentityModel.Aad.csproj", "{9F129E45-1660-42A8-B7D3-0859EBF0CB6A}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU @@ -227,6 +229,10 @@ Global {578FDF8F-6568-448A-AB93-D94269593932}.Debug|Any CPU.Build.0 = Debug|Any CPU {578FDF8F-6568-448A-AB93-D94269593932}.Release|Any CPU.ActiveCfg = Release|Any CPU {578FDF8F-6568-448A-AB93-D94269593932}.Release|Any CPU.Build.0 = Release|Any CPU + {9F129E45-1660-42A8-B7D3-0859EBF0CB6A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {9F129E45-1660-42A8-B7D3-0859EBF0CB6A}.Debug|Any CPU.Build.0 = Debug|Any CPU + {9F129E45-1660-42A8-B7D3-0859EBF0CB6A}.Release|Any CPU.ActiveCfg = Release|Any CPU + {9F129E45-1660-42A8-B7D3-0859EBF0CB6A}.Release|Any CPU.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE @@ -266,6 +272,7 @@ Global {DA585910-0E6C-45A5-AABD-30917130FD63} = {BD2706C5-6C57-484D-89C8-A0CF5F8E3D19} {D17F097F-6024-40BA-A7A0-015BB90F203B} = {8905D2E3-4499-4A86-BF3E-F098F228DD59} {578FDF8F-6568-448A-AB93-D94269593932} = {8905D2E3-4499-4A86-BF3E-F098F228DD59} + {9F129E45-1660-42A8-B7D3-0859EBF0CB6A} = {BD2706C5-6C57-484D-89C8-A0CF5F8E3D19} EndGlobalSection GlobalSection(ExtensibilityGlobals) = postSolution SolutionGuid = {2F681326-7ED4-45F6-BD1D-1119EA388F42} 
diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs b/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.gen.cs similarity index 99% rename from src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs rename to src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.gen.cs index 70dff82a14..199fae5800 100644 --- a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.gen.cs +++ b/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.gen.cs @@ -29,9 +29,10 @@ // DON'T UPDATE MANUALLY using System.Collections.Generic; +using System.IdentityModel.Tokens.Jwt; using System.Security.Claims; -namespace System.IdentityModel.Tokens.Jwt +namespace System.IdentityModel.Aad { /// /// Defines extension methods to access claims by purpose, and not by name, making it compatible diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.tt b/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.tt similarity index 98% rename from src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.tt rename to src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.tt index 63ce45c66d..cb78f8f560 100644 --- a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeAccessor.tt +++ b/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.tt @@ -36,9 +36,10 @@ // DON'T UPDATE MANUALLY using System.Collections.Generic; +using System.IdentityModel.Tokens.Jwt; using System.Security.Claims; -namespace System.IdentityModel.Tokens.Jwt +namespace System.IdentityModel.Aad { /// /// Defines extension methods to access claims by purpose, and not by name, making it compatible diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimsAccessorsDoc.md b/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.md similarity index 88% rename from src/System.IdentityModel.Tokens.Jwt/ClaimsAccessorsDoc.md rename to src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.md index b99185669a..a3060fb255 100644 --- a/src/System.IdentityModel.Tokens.Jwt/ClaimsAccessorsDoc.md +++ b/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.md 
@@ -12,7 +12,7 @@ string | GetGivenName | False | EUII | JwtRegisteredClaimNames.GivenName
Cl string | GetNameId | False | | JwtRegisteredClaimNames.NameId
ClaimTypes.NameIdentifier string | GetSubject | False | | JwtRegisteredClaimNames.Sub
ClaimTypes.NameIdentifier string | GetWebsite | False | | JwtRegisteredClaimNames.Website
ClaimTypes.Webpage -string | GetUniqueName | False | | JwtRegisteredClaimNames.UniqueName
ClaimTypes.Name +string | GetUniqueName | False | EUPI | JwtRegisteredClaimNames.UniqueName
ClaimTypes.Name string | GetObjectId | True | EUPI | "oid"
"http://schemas.microsoft.com/identity/claims/objectidentifier" IEnumerable | GetScopes | True | | "scp"
"http://schemas.microsoft.com/identity/claims/scope" string | GetTenantId | True | OII | "tid"
"http://schemas.microsoft.com/identity/claims/tenantid" @@ -20,7 +20,7 @@ string | GetAcr | False | | "acr"
"http://schemas.microsoft.com/claims/aut string | GetAdfs1Email | False | EUPI | "adfs1email"
"http://schemas.xmlsoap.org/claims/EmailAddress" string | GetAdfs1Upn | False | EUPI | "adfs1upn"
"http://schemas.xmlsoap.org/claims/UPN" string | GetAmr | False | | "amr"
"http://schemas.microsoft.com/claims/authnmethodsreferences" -string | GetAuthMethod | False | | "authmethod"
ClaimTypes.AuthenticationMethod +string | GetAuthenticationMethod | False | | "authmethod"
ClaimTypes.AuthenticationMethod string | GetCertAppPolicy | False | | "certapppolicy"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy" string | GetCertAuthorityKeyIdentifier | False | | "certauthoritykeyidentifier"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier" string | GetCertBasicConstraints | False | | "certbasicconstraints"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints" @@ -62,21 +62,21 @@ string | GetForwardedClientIp | False | | "forwardedclientip"
"http://sche IEnumerable | GetGroup | False | | "group"
"http://schemas.xmlsoap.org/claims/Group" IEnumerable | GetGroupsId | False | | "groupsid"
ClaimTypes.GroupSid string | GetTokenType | False | | "idtyp" -string | GetIdp | False | | "idp"
"http://schemas.microsoft.com/identity/claims/identityprovider" -string | GetInsideCorporateNetwork | False | | "insidecorporatenetwork"
"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" -string | GetIsRegisteredUser | False | | "isregistereduser"
"http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" -string | GetPpid | False | | "ppid"
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" -string | GetPrimaryGroupSid | False | | "primarygroupsid"
ClaimTypes.PrimaryGroupSid -string | GetPrimarySid | False | | "primarysid"
ClaimTypes.PrimarySid +string | GetIdp | True | | "idp"
"http://schemas.microsoft.com/identity/claims/identityprovider" +string | GetInsideCorporateNetwork | True | | "insidecorporatenetwork"
"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" +string | GetIsRegisteredUser | True | | "isregistereduser"
"http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" +string | GetPrivatePersonalIdentifier | False | EUPI | "ppid"
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" +string | GetPrimaryGroupSid | True | | "primarygroupsid"
ClaimTypes.PrimaryGroupSid +string | GetPrimarySid | True | | "primarysid"
ClaimTypes.PrimarySid string | GetProxy | False | | "proxy"
"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy" string | GetPwdChgEndpoint | False | | "pwdchgurl"
"http://schemas.microsoft.com/ws/2012/01/passwordchangeurl" string | GetPwdExpDays | False | | "pwdexpdays"
"http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays" string | GetPwdExpTime | False | | "pwdexptime"
"http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime" string | GetRelyingPartyTrustId | False | | "relyingpartytrustid"
"http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid" IEnumerable | GetRole | True | | "role"
"roles"
ClaimTypes.Role -string | GetSid | False | | "sid" -string | GetUpn | False | | "upn"
ClaimTypes.Upn -string | GetWinAccountName | False | | "winaccountname"
ClaimTypes.WindowsAccountName +string | GetSid | True | | "sid" +string | GetUpn | False | EUPI | "upn"
ClaimTypes.Upn +string | GetWindowsAccountName | False | EUPI | "winaccountname"
ClaimTypes.WindowsAccountName string | GetVerifiedPrimaryEmail | False | EUPI | "verified_primary_email" string | GetVerifiedSecondaryEmail | False | EUPI | "verified_secondary_email" string | GetVNet | False | | "vnet" diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimsAccessorsDoc.tt b/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.tt similarity index 100% rename from src/System.IdentityModel.Tokens.Jwt/ClaimsAccessorsDoc.tt rename to src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.tt diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimsKnowledge.tti b/src/Microsoft.IdentityModel.Aad/ClaimsKnowledge.tti similarity index 100% rename from src/System.IdentityModel.Tokens.Jwt/ClaimsKnowledge.tti rename to src/Microsoft.IdentityModel.Aad/ClaimsKnowledge.tti diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimsTypeAccessor.cs b/src/Microsoft.IdentityModel.Aad/ClaimsTypeAccessor.cs similarity index 99% rename from src/System.IdentityModel.Tokens.Jwt/ClaimsTypeAccessor.cs rename to src/Microsoft.IdentityModel.Aad/ClaimsTypeAccessor.cs index e1fc32ad4d..49756b52f2 100644 --- a/src/System.IdentityModel.Tokens.Jwt/ClaimsTypeAccessor.cs +++ b/src/Microsoft.IdentityModel.Aad/ClaimsTypeAccessor.cs @@ -32,7 +32,7 @@ using System.Security.Claims; using System.Linq; -namespace System.IdentityModel.Tokens.Jwt +namespace System.IdentityModel.Aad { /// /// Defines extension methods to access claims by purpose, and not by name, making it compatible diff --git a/src/Microsoft.IdentityModel.Aad/Microsoft.IdentityModel.Aad.csproj b/src/Microsoft.IdentityModel.Aad/Microsoft.IdentityModel.Aad.csproj new file mode 100644 index 0000000000..4687fd6783 --- /dev/null +++ b/src/Microsoft.IdentityModel.Aad/Microsoft.IdentityModel.Aad.csproj 
@@ -0,0 +1,62 @@ + + + + + + Microsoft.IdentityModel.Aad + Includes types that provide Aad specific features. + true + Microsoft.IdentityModel.Aad + .NET;Windows;Authentication;Identity;OpenIdConnect;Claims;AzureAD;Microsoft identity platform + + + + full + true + + + + + all + runtime; build; native; contentfiles; analyzers; buildtransitive + + + + + + + + + + + + + + + True + True + ClaimsAccessorsDoc.tt + + + TextTemplatingFileGenerator + ClaimsAccessorsDoc.md + + + TextTemplatingFileGenerator + ClaimTypeAccessor.gen.cs + + + + + + + + + + True + True + ClaimTypeAccessor.tt + + + + diff --git a/src/Microsoft.IdentityModel.Aad/Properties/AssemblyInfo.cs b/src/Microsoft.IdentityModel.Aad/Properties/AssemblyInfo.cs new file mode 100644 index 0000000000..7daabe16dd --- /dev/null +++ b/src/Microsoft.IdentityModel.Aad/Properties/AssemblyInfo.cs 
@@ -0,0 +1,38 @@
+//------------------------------------------------------------------------------
+//
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+//
+//------------------------------------------------------------------------------
+
+using System;
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+[assembly: AssemblyInformationalVersion("0.0.1")]
+[assembly: AssemblyFileVersion("0.0.1")]
+[assembly: AssemblyMetadata("Serviceable", "True")]
+[assembly: AssemblyVersion("0.0.1")]
+[assembly: CLSCompliant(true)]
+[assembly: ComVisible(false)]
diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.cs b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.cs
index 67ed56e121..9d031ca451 100644
--- a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.cs
+++ b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.cs @@ -25,9 +25,6 @@ // //------------------------------------------------------------------------------ -// THIS FILE IS AUTOMATICALLY GENERATED FROM ClaimsTypeMapping.tt USING T4 -// DON'T UPDATE MANUALLY - using System.Collections.Generic; using System.Security.Claims; diff --git a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.tt b/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.tt deleted file mode 100644 index d763c68f86..0000000000 --- a/src/System.IdentityModel.Tokens.Jwt/ClaimTypeMapping.tt +++ /dev/null 
@@ -1,115 +0,0 @@ -<#@ template debug="false" hostspecific="false" language="C#" #> -<#@ assembly name="System.Core" #> -<#@ import namespace="System.Linq" #> -<#@ import namespace="System.Text" #> -<#@ import namespace="System.Collections.Generic" #> -<#@ output extension=".cs" #> -<#@ include file="ClaimsKnowledge.tti" #> -//------------------------------------------------------------------------------ -// -// Copyright (c) Microsoft Corporation. -// All rights reserved. -// -// This code is licensed under the MIT License. -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files(the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions : -// -// The above copyright notice and this permission notice shall be included in -// all copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -// THE SOFTWARE. 
-// -//------------------------------------------------------------------------------ - -// THIS FILE IS AUTOMATICALLY GENERATED FROM ClaimsTypeMapping.tt USING T4 -// DON'T UPDATE MANUALLY - -using System.Collections.Generic; -using System.Security.Claims; - -namespace System.IdentityModel.Tokens.Jwt -{ - /// - /// Defines the inbound and outbound mapping for claim claim types from jwt to .net claim - /// - internal static class ClaimTypeMapping - { - // This is the short to long mapping. - // key is the long claim type - // value is the short claim type - private static Dictionary shortToLongClaimTypeMapping = new Dictionary - { -<# - foreach(ClaimsKnowledge c in claimsKnowledge.Where(c => c.GenerateMapping)) - { - foreach(string shortClaimType in c.ShortClaimNames) - { -#> - { <#=shortClaimType#>, <#=c.LongClaimName#> }, -<# - } - } -#> - }; - - private static IDictionary longToShortClaimTypeMapping = new Dictionary(); - private static HashSet inboundClaimFilter = inboundClaimFilter = new HashSet(); - - /// - /// Initializes static members of the class. - /// - static ClaimTypeMapping() - { - foreach (KeyValuePair kv in shortToLongClaimTypeMapping) - { - if (longToShortClaimTypeMapping.ContainsKey(kv.Value)) - { - continue; - } - - longToShortClaimTypeMapping.Add(kv.Value, kv.Key); - } - } - - /// - /// Gets the InboundClaimTypeMap used by JwtSecurityTokenHandler when producing claims from jwt. - /// - public static IDictionary InboundClaimTypeMap - { - get - { - return shortToLongClaimTypeMapping; - } - } - - /// - /// Gets the OutboundClaimTypeMap is used by JwtSecurityTokenHandler to shorten claim types when creating a jwt. - /// - public static IDictionary OutboundClaimTypeMap - { - get - { - return longToShortClaimTypeMapping; - } - } - - public static ISet InboundClaimFilter - { - get - { - return inboundClaimFilter; - } - } - } -} 
diff --git a/src/System.IdentityModel.Tokens.Jwt/System.IdentityModel.Tokens.Jwt.csproj b/src/System.IdentityModel.Tokens.Jwt/System.IdentityModel.Tokens.Jwt.csproj index 4eaa3d5f59..e60889ab54 100644 --- a/src/System.IdentityModel.Tokens.Jwt/System.IdentityModel.Tokens.Jwt.csproj +++ b/src/System.IdentityModel.Tokens.Jwt/System.IdentityModel.Tokens.Jwt.csproj @@ -27,44 +27,4 @@ - - - True - True - ClaimsAccessorsDoc.tt - - - TextTemplatingFileGenerator - ClaimsAccessorsDoc.md - - - - - - ClaimTypeAccessor.gen.cs - TextTemplatingFileGenerator - - - TextTemplatingFileGenerator - ClaimTypeMapping.cs - - - - - - - - - - True - True - ClaimTypeAccessor.tt - - - True - True - ClaimTypeMapping.tt - - - From 0d353f88b07611c8c5984f526958b31a5e2d0362 Mon Sep 17 00:00:00 2001 From: Jean-Marc Prieur Date: Wed, 30 Mar 2022 22:10:07 -0700 Subject: [PATCH 10/13] Improving the generated .md by expressing the value of the claims types --- .../ClaimsAccessorsDoc.md | 161 +++++++++--------- .../ClaimsAccessorsDoc.tt | 30 +++- .../Microsoft.IdentityModel.Aad.csproj | 8 + 3 files changed, 118 insertions(+), 81 deletions(-) diff --git a/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.md b/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.md index a3060fb255..74da2455a8 100644 --- a/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.md +++ b/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.md @@ -3,83 +3,84 @@ Type | Accessor | Used for authorization | Privacy | Claims -- | -- | -- | -- | -- -string | GetActor | False | | JwtRegisteredClaimNames.Actort
ClaimTypes.Actor -string | GetBirthdate | False | EUII | JwtRegisteredClaimNames.Birthdate
ClaimTypes.DateOfBirth -string | GetEmail | False | EUII | JwtRegisteredClaimNames.Email
ClaimTypes.Email -string | GetFamilyName | False | EUII | JwtRegisteredClaimNames.FamilyName
ClaimTypes.Surname -string | GetGender | False | EUII | JwtRegisteredClaimNames.Gender
ClaimTypes.Gender -string | GetGivenName | False | EUII | JwtRegisteredClaimNames.GivenName
ClaimTypes.GivenName -string | GetNameId | False | | JwtRegisteredClaimNames.NameId
ClaimTypes.NameIdentifier -string | GetSubject | False | | JwtRegisteredClaimNames.Sub
ClaimTypes.NameIdentifier -string | GetWebsite | False | | JwtRegisteredClaimNames.Website
ClaimTypes.Webpage -string | GetUniqueName | False | EUPI | JwtRegisteredClaimNames.UniqueName
ClaimTypes.Name -string | GetObjectId | True | EUPI | "oid"
"http://schemas.microsoft.com/identity/claims/objectidentifier" -IEnumerable | GetScopes | True | | "scp"
"http://schemas.microsoft.com/identity/claims/scope" -string | GetTenantId | True | OII | "tid"
"http://schemas.microsoft.com/identity/claims/tenantid" -string | GetAcr | False | | "acr"
"http://schemas.microsoft.com/claims/authnclassreference" -string | GetAdfs1Email | False | EUPI | "adfs1email"
"http://schemas.xmlsoap.org/claims/EmailAddress" -string | GetAdfs1Upn | False | EUPI | "adfs1upn"
"http://schemas.xmlsoap.org/claims/UPN" -string | GetAmr | False | | "amr"
"http://schemas.microsoft.com/claims/authnmethodsreferences" -string | GetAuthenticationMethod | False | | "authmethod"
ClaimTypes.AuthenticationMethod -string | GetCertAppPolicy | False | | "certapppolicy"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy" -string | GetCertAuthorityKeyIdentifier | False | | "certauthoritykeyidentifier"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier" -string | GetCertBasicConstraints | False | | "certbasicconstraints"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints" -string | GetCertEku | False | | "certeku"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku" -string | GetCertIssuer | False | | "certissuer"
"http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer" -string | GetCertIssuerName | False | | "certissuername"
"http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername" -string | GetCertKeyUsage | False | | "certkeyusage"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage" -string | GetCertNotAfter | False | | "certnotafter"
"http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter" -string | GetCertNotBefore | False | | "certnotbefore"
"http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore" -string | GetCertPolicy | False | | "certpolicy"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy" -string | GetCertPublickey | False | | "certpublickey"
ClaimTypes.Rsa -string | GetCertRawData | False | | "certrawdata"
"http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata" -string | GetCertSerialNumber | False | | "certserialnumber"
ClaimTypes.SerialNumber -string | GetCertSignatureAlgorithm | False | | "certsignaturealgorithm"
"http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm" -string | GetCertSubject | False | | "certsubject"
"http://schemas.microsoft.com/2012/12/certificatecontext/field/subject" -string | GetCertSubjectAltName | False | | "certsubjectaltname"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/san" -string | GetCertSubjectKeyIdentifier | False | | "certsubjectkeyidentifier"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier" -string | GetCertSubjectName | False | | "certsubjectname"
"http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname" -string | GetCertTemplateInformation | False | | "certtemplateinformation"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation" -string | GetCertTemplateName | False | | "certtemplatename"
"http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename" -string | GetCertThumbprint | False | | "certthumbprint"
ClaimTypes.Thumbprint -string | GetCertX509Version | False | | "certx509version"
"http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version" -string | GetClientApplication | True | | "clientapplication"
"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application" -string | GetClientIp | False | EUPI | "clientip"
"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip" -string | GetClientUserAgent | False | | "clientuseragent"
"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent" -string | GetCommonName | False | EUPI | "commonname"
"http://schemas.xmlsoap.org/claims/CommonName" -string | GetDenyOnlyPrimaryGroupSid | False | | "denyonlyprimarygroupsid"
ClaimTypes.DenyOnlyPrimaryGroupSid -string | GetDenyOnlyPrimarySid | False | | "denyonlyprimarysid"
ClaimTypes.DenyOnlyPrimarySid -string | GetDenyOnlySid | False | | "denyonlysid"
ClaimTypes.DenyOnlySid -string | GetDevicedIspName | False | | "devicedispname"
"http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname" -string | GetDeviceId | False | | "deviceid"
"http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier" -string | GetDeviceIsManaged | False | | "deviceismanaged"
"http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged" -string | GetDeviceOsType | False | | "deviceostype"
"http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype" -string | GetDeviceOsVer | False | | "deviceosver"
"http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion" -string | GetDeviceOwner | False | | "deviceowner"
"http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner" -string | GetDeviceRegId | False | | "deviceregid"
"http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid" -string | GetEndpointPath | False | | "endpointpath"
"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path" -string | GetForwardedClientIp | False | | "forwardedclientip"
"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" -IEnumerable | GetGroup | False | | "group"
"http://schemas.xmlsoap.org/claims/Group" -IEnumerable | GetGroupsId | False | | "groupsid"
ClaimTypes.GroupSid -string | GetTokenType | False | | "idtyp" -string | GetIdp | True | | "idp"
"http://schemas.microsoft.com/identity/claims/identityprovider" -string | GetInsideCorporateNetwork | True | | "insidecorporatenetwork"
"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" -string | GetIsRegisteredUser | True | | "isregistereduser"
"http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" -string | GetPrivatePersonalIdentifier | False | EUPI | "ppid"
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" -string | GetPrimaryGroupSid | True | | "primarygroupsid"
ClaimTypes.PrimaryGroupSid -string | GetPrimarySid | True | | "primarysid"
ClaimTypes.PrimarySid -string | GetProxy | False | | "proxy"
"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy" -string | GetPwdChgEndpoint | False | | "pwdchgurl"
"http://schemas.microsoft.com/ws/2012/01/passwordchangeurl" -string | GetPwdExpDays | False | | "pwdexpdays"
"http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays" -string | GetPwdExpTime | False | | "pwdexptime"
"http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime" -string | GetRelyingPartyTrustId | False | | "relyingpartytrustid"
"http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid" -IEnumerable | GetRole | True | | "role"
"roles"
ClaimTypes.Role -string | GetSid | True | | "sid" -string | GetUpn | False | EUPI | "upn"
ClaimTypes.Upn -string | GetWindowsAccountName | False | EUPI | "winaccountname"
ClaimTypes.WindowsAccountName -string | GetVerifiedPrimaryEmail | False | EUPI | "verified_primary_email" -string | GetVerifiedSecondaryEmail | False | EUPI | "verified_secondary_email" -string | GetVNet | False | | "vnet" -string | GetPreferedDataLocation | False | | "xms_pdl" -string | GetUserPreferedLanguage | False | | "xms_tpl" -string | GetZeroTouchDeploymentId | False | | "ztdid" +string | GetActor | False | | actort
http://schemas.xmlsoap.org/ws/2009/09/identity/claims/actor +string | GetBirthdate | False | EUII | birthdate
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth +string | GetEmail | False | EUII | email
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress +string | GetFamilyName | False | EUII | family_name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname +string | GetGender | False | EUII | gender
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender +string | GetGivenName | False | EUII | given_name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname +string | GetNameId | False | | nameid
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier +string | GetSubject | False | | sub
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier +string | GetWebsite | False | | website
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage +string | GetUniqueName | False | EUPI | unique_name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name +string | GetObjectId | True | EUPI | oid
http://schemas.microsoft.com/identity/claims/objectidentifier +IEnumerable | GetScopes | True | | scp
http://schemas.microsoft.com/identity/claims/scope +string | GetTenantId | True | OII | tid
http://schemas.microsoft.com/identity/claims/tenantid +string | GetAcr | False | | acr
http://schemas.microsoft.com/claims/authnclassreference +string | GetAdfs1Email | False | EUPI | adfs1email
http://schemas.xmlsoap.org/claims/EmailAddress +string | GetAdfs1Upn | False | EUPI | adfs1upn
http://schemas.xmlsoap.org/claims/UPN +string | GetAmr | False | | amr
http://schemas.microsoft.com/claims/authnmethodsreferences +string | GetAuthenticationMethod | False | | authmethod
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod +string | GetCertAppPolicy | False | | certapppolicy
http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy +string | GetCertAuthorityKeyIdentifier | False | | certauthoritykeyidentifier
http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier +string | GetCertBasicConstraints | False | | certbasicconstraints
http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints +string | GetCertEku | False | | certeku
http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku +string | GetCertIssuer | False | | certissuer
http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer +string | GetCertIssuerName | False | | certissuername
http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername +string | GetCertKeyUsage | False | | certkeyusage
http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage +string | GetCertNotAfter | False | | certnotafter
http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter +string | GetCertNotBefore | False | | certnotbefore
http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore +string | GetCertPolicy | False | | certpolicy
http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy +string | GetCertPublickey | False | | certpublickey
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/rsa +string | GetCertRawData | False | | certrawdata
http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata +string | GetCertSerialNumber | False | | certserialnumber
http://schemas.microsoft.com/ws/2008/06/identity/claims/serialnumber +string | GetCertSignatureAlgorithm | False | | certsignaturealgorithm
http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm +string | GetCertSubject | False | | certsubject
http://schemas.microsoft.com/2012/12/certificatecontext/field/subject +string | GetCertSubjectAltName | False | | certsubjectaltname
http://schemas.microsoft.com/2012/12/certificatecontext/extension/san +string | GetCertSubjectKeyIdentifier | False | | certsubjectkeyidentifier
http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier +string | GetCertSubjectName | False | | certsubjectname
http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname +string | GetCertTemplateInformation | False | | certtemplateinformation
http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation +string | GetCertTemplateName | False | | certtemplatename
http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename +string | GetCertThumbprint | False | | certthumbprint
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint +string | GetCertX509Version | False | | certx509version
http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version +string | GetClientApplication | True | | clientapplication
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application +string | GetClientIp | False | EUPI | clientip
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip +string | GetClientUserAgent | False | | clientuseragent
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent +string | GetCommonName | False | EUPI | commonname
http://schemas.xmlsoap.org/claims/CommonName +string | GetDenyOnlyPrimaryGroupSid | False | | denyonlyprimarygroupsid
http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid +string | GetDenyOnlyPrimarySid | False | | denyonlyprimarysid
http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid +string | GetDenyOnlySid | False | | denyonlysid
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid +string | GetDevicedIspName | False | | devicedispname
http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname +string | GetDeviceId | False | | deviceid
http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier +string | GetDeviceIsManaged | False | | deviceismanaged
http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged +string | GetDeviceOsType | False | | deviceostype
http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype +string | GetDeviceOsVer | False | | deviceosver
http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion +string | GetDeviceOwner | False | | deviceowner
http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner +string | GetDeviceRegId | False | | deviceregid
http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid +string | GetEndpointPath | False | | endpointpath
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path +string | GetForwardedClientIp | False | | forwardedclientip
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip +IEnumerable | GetGroup | False | | group
http://schemas.xmlsoap.org/claims/Group +IEnumerable | GetGroupsId | False | | groupsid
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid +string | GetTokenType | False | | idtyp +string | GetIdp | True | | idp
http://schemas.microsoft.com/identity/claims/identityprovider +string | GetInsideCorporateNetwork | True | | insidecorporatenetwork
http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork +string | GetIsRegisteredUser | True | | isregistereduser
http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser +string | GetPrivatePersonalIdentifier | False | EUPI | ppid
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier +string | GetPrimaryGroupSid | True | | primarygroupsid
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid +string | GetPrimarySid | True | | primarysid
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid +string | GetProxy | False | | proxy
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy +string | GetPwdChgEndpoint | False | | pwdchgurl
http://schemas.microsoft.com/ws/2012/01/passwordchangeurl +string | GetPwdExpDays | False | | pwdexpdays
http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays +string | GetPwdExpTime | False | | pwdexptime
http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime +string | GetRelyingPartyTrustId | False | | relyingpartytrustid
http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid +IEnumerable | GetRole | True | | role
roles
http://schemas.microsoft.com/ws/2008/06/identity/claims/role +string | GetSid | True | | sid +string | GetUpn | False | EUPI | upn
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn +string | GetWindowsAccountName | False | EUPI | winaccountname
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname +string | GetVerifiedPrimaryEmail | False | EUPI | verified_primary_email +string | GetVerifiedSecondaryEmail | False | EUPI | verified_secondary_email +string | GetVNet | False | | vnet +string | GetPreferedDataLocation | False | | xms_pdl +string | GetUserPreferedLanguage | False | | xms_tpl +string | GetZeroTouchDeploymentId | False | | ztdid + diff --git a/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.tt b/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.tt index acece29b94..db5a1ef219 100644 --- a/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.tt +++ b/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.tt @@ -1,8 +1,11 @@ <#@ template debug="false" hostspecific="false" language="C#" #> <#@ assembly name="System.Core" #> +<#@ assembly name="netstandard" #> +<#@ assembly name="$(SolutionDir)\src\System.IdentityModel.Tokens.Jwt\bin\Debug\netstandard2.0\System.IdentityModel.Tokens.Jwt.dll" #> <#@ import namespace="System.Linq" #> <#@ import namespace="System.Text" #> <#@ import namespace="System.Collections.Generic" #> +<#@ import namespace="System.IdentityModel.Tokens.Jwt" #> <#@ output extension=".md" #> <#@ include file="ClaimsKnowledge.tti" #> @@ -14,7 +17,32 @@ Type | Accessor | Used for authorization | Privacy | Claims foreach(ClaimsKnowledge c in claimsKnowledge.Where(c => c.GenerateMapping)) { #> -<#=c.HasMultipleInstances ? "IEnumerable" : "string" #> | Get<#=c.AccessorName #> | <#= c.IsUsableInAuthorizationPolicies #> | <#= c.PrivacyCategory #> | <#= string.Join("
", c.AllClaimNames) #> +<#=c.HasMultipleInstances ? "IEnumerable" : "string" #> | Get<#=c.AccessorName #> | <#= c.IsUsableInAuthorizationPolicies #> | <#= c.PrivacyCategory #> | <#= string.Join("
",c.AllClaimNames.Select(c => GetClaimValue(c))) #> <# } #> + +<#+ +private string GetClaimValue(string c) +{ + if (c.StartsWith("\"")) + { + return c.Trim('"'); + } + else + { + if (c.StartsWith("JwtRegisteredClaimNames")) + { + return typeof(JwtRegisteredClaimNames).GetField(c.Substring(c.IndexOf('.')+1)).GetValue(null).ToString(); + } + else if (c.StartsWith("ClaimTypes")) + { + return typeof(System.Security.Claims.ClaimTypes).GetField(c.Substring(c.IndexOf('.')+1)).GetValue(null).ToString(); + } + else + { + return c; + } + } +} +#> diff --git a/src/Microsoft.IdentityModel.Aad/Microsoft.IdentityModel.Aad.csproj b/src/Microsoft.IdentityModel.Aad/Microsoft.IdentityModel.Aad.csproj index 4687fd6783..384035faef 100644 --- a/src/Microsoft.IdentityModel.Aad/Microsoft.IdentityModel.Aad.csproj +++ b/src/Microsoft.IdentityModel.Aad/Microsoft.IdentityModel.Aad.csproj @@ -15,6 +15,14 @@ true + + + True + True + ClaimsAccessorsDoc.tt + + + all From 92a1c0a30f2b00f0f1b7b0bb41674c43953b2471 Mon Sep 17 00:00:00 2001 From: Jean-Marc Prieur Date: Thu, 31 Mar 2022 10:28:23 -0700 Subject: [PATCH 11/13] Fixing a few names --- .../ClaimTypeAccessor.gen.cs | 38 ++++++++++--------- .../ClaimsAccessorsDoc.md | 10 +++-- .../ClaimsAccessorsDoc.tt | 2 +- .../ClaimsKnowledge.tti | 8 ++-- .../Microsoft.IdentityModel.Aad.csproj | 7 ---- 5 files changed, 32 insertions(+), 33 deletions(-) diff --git a/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.gen.cs b/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.gen.cs index 199fae5800..f54d0249e5 100644 --- a/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.gen.cs +++ b/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.gen.cs 
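Review bot: `GetClaimValue` in the added `<#+ … #>` block dereferences the result of `GetField(...)` without a null check, so an entry in `ClaimsKnowledge.tti` whose name is not a field of `JwtRegisteredClaimNames` or `ClaimTypes` aborts the transform with a NullReferenceException that does not name the entry. The prefix tests are also culture-sensitive and match without the trailing dot; `c.StartsWith("ClaimTypes.", StringComparison.Ordinal)` is tighter. I would route both reflection branches through one helper that throws with the offending name, as below. Separately, the `assembly` directive added in this file's first hunk points at `bin\Debug\netstandard2.0`, so the published claim values come from whatever binary happens to be at that path (stale after a Release-only build, absent on a clean clone); resolving it from the build configuration or a project reference would keep the table tied to the code being shipped.

```csharp
private string GetClaimValue(string c)
{
    // … unchanged: quoted-literal branch (c.StartsWith("\"")) …
    if (c.StartsWith("JwtRegisteredClaimNames.", System.StringComparison.Ordinal))
    {
        return ReadConstant(typeof(JwtRegisteredClaimNames), c);
    }
    if (c.StartsWith("ClaimTypes.", System.StringComparison.Ordinal))
    {
        return ReadConstant(typeof(System.Security.Claims.ClaimTypes), c);
    }
    return c;
}

// Resolves "Holder.Name" to its string constant; names the entry when the field does not exist.
private static string ReadConstant(System.Type holder, string qualifiedName)
{
    string fieldName = qualifiedName.Substring(qualifiedName.IndexOf('.') + 1);
    System.Reflection.FieldInfo field = holder.GetField(fieldName);
    if (field == null)
    {
        throw new System.InvalidOperationException(
            "ClaimsKnowledge entry '" + qualifiedName + "' is not a field of " + holder.Name);
    }
    return (string)field.GetValue(null);
}
```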
@@ -80,14 +80,14 @@ public static string GetActor(this ClaimsIdentity claimsIdentity) ClaimTypes.Actor); } /// - /// Returns the first claim corresponding to IsGuest claim on a ClaimsPrincipal + /// Returns the first claim corresponding to IsGuestAccount claim on a ClaimsPrincipal /// /// "acct" /// /// This method returns information that is safe to use for authorization. /// - /// Claims ClaimsPrincipal from which to get the IsGuest. - public static string GetIsGuest(this ClaimsPrincipal claimsPrincipal) + /// Claims ClaimsPrincipal from which to get the IsGuestAccount. + public static string GetIsGuestAccount(this ClaimsPrincipal claimsPrincipal) { if (claimsPrincipal == null) { @@ -98,14 +98,14 @@ public static string GetIsGuest(this ClaimsPrincipal claimsPrincipal) } /// - /// Returns the first claim corresponding to IsGuest claim on a ClaimsIdentity + /// Returns the first claim corresponding to IsGuestAccount claim on a ClaimsIdentity /// /// "acct" /// /// This method returns information that is safe to use for authorization. /// - /// Claims ClaimsIdentity from which to get the IsGuest. - public static string GetIsGuest(this ClaimsIdentity claimsIdentity) + /// Claims ClaimsIdentity from which to get the IsGuestAccount. + public static string GetIsGuestAccount(this ClaimsIdentity claimsIdentity) { if (claimsIdentity == null) { 
@@ -672,15 +672,15 @@ public static string GetTenantId(this ClaimsIdentity claimsIdentity) "http://schemas.microsoft.com/identity/claims/tenantid"); } /// - /// Returns the first claim corresponding to Acr claim on a ClaimsPrincipal + /// Returns the first claim corresponding to AuthenticationContextClassReference claim on a ClaimsPrincipal /// /// "acr" /// "http://schemas.microsoft.com/claims/authnclassreference" /// /// This method returns information that is NOT safe to use for authorization. /// - /// Claims ClaimsPrincipal from which to get the Acr. - public static string GetAcr(this ClaimsPrincipal claimsPrincipal) + /// Claims ClaimsPrincipal from which to get the AuthenticationContextClassReference. + public static string GetAuthenticationContextClassReference(this ClaimsPrincipal claimsPrincipal) { if (claimsPrincipal == null) { @@ -692,15 +692,15 @@ public static string GetAcr(this ClaimsPrincipal claimsPrincipal) } /// - /// Returns the first claim corresponding to Acr claim on a ClaimsIdentity + /// Returns the first claim corresponding to AuthenticationContextClassReference claim on a ClaimsIdentity /// /// "acr" /// "http://schemas.microsoft.com/claims/authnclassreference" /// /// This method returns information that is NOT safe to use for authorization. /// - /// Claims ClaimsIdentity from which to get the Acr. - public static string GetAcr(this ClaimsIdentity claimsIdentity) + /// Claims ClaimsIdentity from which to get the AuthenticationContextClassReference. + public static string GetAuthenticationContextClassReference(this ClaimsIdentity claimsIdentity) { if (claimsIdentity == null) { 
@@ -2006,15 +2006,15 @@ public static string GetDenyOnlySid(this ClaimsIdentity claimsIdentity) ClaimTypes.DenyOnlySid); } /// - /// Returns the first claim corresponding to DevicedIspName claim on a ClaimsPrincipal + /// Returns the first claim corresponding to DeviceDisplayName claim on a ClaimsPrincipal /// /// "devicedispname" /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname" /// /// This method returns information that is NOT safe to use for authorization. /// - /// Claims ClaimsPrincipal from which to get the DevicedIspName. - public static string GetDevicedIspName(this ClaimsPrincipal claimsPrincipal) + /// Claims ClaimsPrincipal from which to get the DeviceDisplayName. + public static string GetDeviceDisplayName(this ClaimsPrincipal claimsPrincipal) { if (claimsPrincipal == null) { @@ -2026,15 +2026,15 @@ public static string GetDevicedIspName(this ClaimsPrincipal claimsPrincipal) } /// - /// Returns the first claim corresponding to DevicedIspName claim on a ClaimsIdentity + /// Returns the first claim corresponding to DeviceDisplayName claim on a ClaimsIdentity /// /// "devicedispname" /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname" /// /// This method returns information that is NOT safe to use for authorization. /// - /// Claims ClaimsIdentity from which to get the DevicedIspName. - public static string GetDevicedIspName(this ClaimsIdentity claimsIdentity) + /// Claims ClaimsIdentity from which to get the DeviceDisplayName. + public static string GetDeviceDisplayName(this ClaimsIdentity claimsIdentity) { if (claimsIdentity == null) { @@ -2207,6 +2207,7 @@ public static string GetDeviceOsVer(this ClaimsIdentity claimsIdentity) /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner" /// /// This method returns information that is NOT safe to use for authorization. + /// The privacy classification of the information returned is EUPI. ///
/// Claims ClaimsPrincipal from which to get the DeviceOwner. public static string GetDeviceOwner(this ClaimsPrincipal claimsPrincipal) @@ -2227,6 +2228,7 @@ public static string GetDeviceOwner(this ClaimsPrincipal claimsPrincipal) /// "http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner" /// /// This method returns information that is NOT safe to use for authorization. + /// The privacy classification of the information returned is EUPI. ///
/// Claims ClaimsIdentity from which to get the DeviceOwner. public static string GetDeviceOwner(this ClaimsIdentity claimsIdentity) diff --git a/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.md b/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.md index 74da2455a8..1e2b996b3f 100644 --- a/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.md +++ b/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.md @@ -4,7 +4,10 @@ Type | Accessor | Used for authorization | Privacy | Claims -- | -- | -- | -- | -- string | GetActor | False | | actort
http://schemas.xmlsoap.org/ws/2009/09/identity/claims/actor +string | GetIsGuestAccount | True | | acct +string | GetLastAuthenticatedTime | False | | auth_time string | GetBirthdate | False | EUII | birthdate
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth +string | GetCountry | False | EUII | ctry string | GetEmail | False | EUII | email
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress string | GetFamilyName | False | EUII | family_name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname string | GetGender | False | EUII | gender
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender @@ -16,7 +19,7 @@ string | GetUniqueName | False | EUPI | unique_name
http://schemas.xmlsoap. string | GetObjectId | True | EUPI | oid
http://schemas.microsoft.com/identity/claims/objectidentifier IEnumerable | GetScopes | True | | scp
http://schemas.microsoft.com/identity/claims/scope string | GetTenantId | True | OII | tid
http://schemas.microsoft.com/identity/claims/tenantid -string | GetAcr | False | | acr
http://schemas.microsoft.com/claims/authnclassreference +string | GetAuthenticationContextClassReference | False | | acr
http://schemas.microsoft.com/claims/authnclassreference string | GetAdfs1Email | False | EUPI | adfs1email
http://schemas.xmlsoap.org/claims/EmailAddress string | GetAdfs1Upn | False | EUPI | adfs1upn
http://schemas.xmlsoap.org/claims/UPN string | GetAmr | False | | amr
http://schemas.microsoft.com/claims/authnmethodsreferences @@ -50,12 +53,12 @@ string | GetCommonName | False | EUPI | commonname
http://schemas.xmlsoap.o string | GetDenyOnlyPrimaryGroupSid | False | | denyonlyprimarygroupsid
http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid string | GetDenyOnlyPrimarySid | False | | denyonlyprimarysid
http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid string | GetDenyOnlySid | False | | denyonlysid
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid -string | GetDevicedIspName | False | | devicedispname
http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname +string | GetDeviceDisplayName | False | | devicedispname
http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname string | GetDeviceId | False | | deviceid
http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier string | GetDeviceIsManaged | False | | deviceismanaged
http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged string | GetDeviceOsType | False | | deviceostype
http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype string | GetDeviceOsVer | False | | deviceosver
http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion -string | GetDeviceOwner | False | | deviceowner
http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner +string | GetDeviceOwner | False | EUPI | deviceowner
http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner string | GetDeviceRegId | False | | deviceregid
http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid string | GetEndpointPath | False | | endpointpath
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path string | GetForwardedClientIp | False | | forwardedclientip
http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip @@ -65,6 +68,7 @@ string | GetTokenType | False | | idtyp string | GetIdp | True | | idp
http://schemas.microsoft.com/identity/claims/identityprovider string | GetInsideCorporateNetwork | True | | insidecorporatenetwork
http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork string | GetIsRegisteredUser | True | | isregistereduser
http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser +string | GetLoginHint | False | | login_hint string | GetPrivatePersonalIdentifier | False | EUPI | ppid
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier string | GetPrimaryGroupSid | True | | primarygroupsid
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid string | GetPrimarySid | True | | primarysid
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid diff --git a/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.tt b/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.tt index db5a1ef219..51bf4f495e 100644 --- a/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.tt +++ b/src/Microsoft.IdentityModel.Aad/ClaimsAccessorsDoc.tt @@ -14,7 +14,7 @@ Type | Accessor | Used for authorization | Privacy | Claims -- | -- | -- | -- | -- <# - foreach(ClaimsKnowledge c in claimsKnowledge.Where(c => c.GenerateMapping)) + foreach(ClaimsKnowledge c in claimsKnowledge) { #> <#=c.HasMultipleInstances ? "IEnumerable" : "string" #> | Get<#=c.AccessorName #> | <#= c.IsUsableInAuthorizationPolicies #> | <#= c.PrivacyCategory #> | <#= string.Join("
",c.AllClaimNames.Select(c => GetClaimValue(c))) #> diff --git a/src/Microsoft.IdentityModel.Aad/ClaimsKnowledge.tti b/src/Microsoft.IdentityModel.Aad/ClaimsKnowledge.tti index 77c5e1ea6f..454a3a79fb 100644 --- a/src/Microsoft.IdentityModel.Aad/ClaimsKnowledge.tti +++ b/src/Microsoft.IdentityModel.Aad/ClaimsKnowledge.tti @@ -54,7 +54,7 @@ class ClaimsKnowledge ClaimsKnowledge[] claimsKnowledge = new ClaimsKnowledge[] { new ClaimsKnowledge("Actor", false, false, true, "", "ClaimTypes.Actor", "JwtRegisteredClaimNames.Actort"), - new ClaimsKnowledge("IsGuest", false, true, false, "", "\"acct\""), + new ClaimsKnowledge("IsGuestAccount", false, true, false, "", "\"acct\""), new ClaimsKnowledge("LastAuthenticatedTime", false, false, false, "", "\"auth_time\""), new ClaimsKnowledge("Birthdate", false, false, true, "EUII", "ClaimTypes.DateOfBirth", "JwtRegisteredClaimNames.Birthdate"), new ClaimsKnowledge("Country", false, false, false, "EUII", "\"ctry\""), 
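Review bot: The new accessor name `IsGuestAccount` reads like a predicate, but the generated method is `public static string GetIsGuestAccount(...)`, and this entry appears to flag it as usable for authorization (`false, true, false`, which is rendered as `True` in ClaimsAccessorsDoc.md). A caller therefore has to know the raw encoding of the `acct` claim, and what the accessor returns when the claim is absent is not visible here. If it returns null, a check written as "is not a guest" would pass for a token that simply lacks the claim. I would record both facts on the entry, e.g. `// "acct": raw string value; an absent claim must not be read as "member"`, and carry that wording into the generated XML doc. The array initializer starts and ends outside this hunk.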
@@ -69,7 +69,7 @@ ClaimsKnowledge[] claimsKnowledge = new ClaimsKnowledge[] new ClaimsKnowledge("ObjectId", false, true, true, "EUPI", "\"http://schemas.microsoft.com/identity/claims/objectidentifier\"", "\"oid\""), new ClaimsKnowledge("Scopes", true, true, true, "", "\"http://schemas.microsoft.com/identity/claims/scope\"", "\"scp\""), new ClaimsKnowledge("TenantId", false, true, true, "OII", "\"http://schemas.microsoft.com/identity/claims/tenantid\"", "\"tid\""), - new ClaimsKnowledge("Acr", false, false, true, "", "\"http://schemas.microsoft.com/claims/authnclassreference\"", "\"acr\""), + new ClaimsKnowledge("AuthenticationContextClassReference", false, false, true, "", "\"http://schemas.microsoft.com/claims/authnclassreference\"", "\"acr\""), new ClaimsKnowledge("Adfs1Email", false, false, true, "EUPI", "\"http://schemas.xmlsoap.org/claims/EmailAddress\"", "\"adfs1email\""), new ClaimsKnowledge("Adfs1Upn", false, false, true, "EUPI", "\"http://schemas.xmlsoap.org/claims/UPN\"", "\"adfs1upn\""), new ClaimsKnowledge("Amr", false, false, true, "", "\"http://schemas.microsoft.com/claims/authnmethodsreferences\"", "\"amr\""), 
@@ -103,12 +103,12 @@ ClaimsKnowledge[] claimsKnowledge = new ClaimsKnowledge[] new ClaimsKnowledge("DenyOnlyPrimaryGroupSid", false, false, true, "", "ClaimTypes.DenyOnlyPrimaryGroupSid", "\"denyonlyprimarygroupsid\""), new ClaimsKnowledge("DenyOnlyPrimarySid", false, false, true, "", "ClaimTypes.DenyOnlyPrimarySid", "\"denyonlyprimarysid\""), new ClaimsKnowledge("DenyOnlySid", false, false, true, "", "ClaimTypes.DenyOnlySid", "\"denyonlysid\""), - new ClaimsKnowledge("DevicedIspName", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname\"", "\"devicedispname\""), + new ClaimsKnowledge("DeviceDisplayName", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname\"", "\"devicedispname\""), new ClaimsKnowledge("DeviceId", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier\"", "\"deviceid\""), new ClaimsKnowledge("DeviceIsManaged", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged\"", "\"deviceismanaged\""), new ClaimsKnowledge("DeviceOsType", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype\"", "\"deviceostype\""), new ClaimsKnowledge("DeviceOsVer", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion\"", "\"deviceosver\""), - new ClaimsKnowledge("DeviceOwner", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner\"", "\"deviceowner\""), + new ClaimsKnowledge("DeviceOwner", false, false, true, "EUPI", "\"http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner\"", "\"deviceowner\""), new ClaimsKnowledge("DeviceRegId", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid\"", "\"deviceregid\""), new ClaimsKnowledge("EndpointPath", false, false, true, "", 
"\"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path\"", "\"endpointpath\""), new ClaimsKnowledge("ForwardedClientIp", false, false, true, "", "\"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip\"", "\"forwardedclientip\""), diff --git a/src/Microsoft.IdentityModel.Aad/Microsoft.IdentityModel.Aad.csproj b/src/Microsoft.IdentityModel.Aad/Microsoft.IdentityModel.Aad.csproj index 384035faef..b0698d98bb 100644 --- a/src/Microsoft.IdentityModel.Aad/Microsoft.IdentityModel.Aad.csproj +++ b/src/Microsoft.IdentityModel.Aad/Microsoft.IdentityModel.Aad.csproj @@ -15,13 +15,6 @@ true - - - True - True - ClaimsAccessorsDoc.tt - - From 6140071b3d4f8be524d7460cd9dd537b9d0a875b Mon Sep 17 00:00:00 2001 From: Jean-Marc Prieur Date: Thu, 31 Mar 2022 10:45:02 -0700 Subject: [PATCH 12/13] Added methods to get the claims equivalent --- .../ClaimTypeAccessor.gen.cs | 162 ++++++++++++++++++ .../ClaimTypeAccessor.tt | 16 ++ .../ClaimsTypeAccessor.cs | 93 ++++++++++ 3 files changed, 271 insertions(+) diff --git a/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.gen.cs b/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.gen.cs index f54d0249e5..121adf4b95 100644 --- a/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.gen.cs +++ b/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.gen.cs 
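Review bot: Only `DeviceOwner` gains a privacy category (`"EUPI"`) in this hunk, while `DeviceDisplayName`, `DeviceId` and `ForwardedClientIp` right next to it keep an empty one. Judging by the other files in this commit, an empty category becomes a blank Privacy cell in ClaimsAccessorsDoc.md and no privacy line in the generated accessor documentation, which a reader will take as "not personal data". Device display names often embed the user's name and client IP addresses are commonly handled as personal data, so these classifications are worth confirming rather than leaving implicit. If the blank is deliberate, a short comment on those entries such as `// privacy category intentionally empty: reviewed, not user-identifying` would record the decision. The initializer starts and ends outside the hunk.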
@@ -3314,5 +3314,167 @@ public static string GetZeroTouchDeploymentId(this ClaimsIdentity claimsIdentity return claimsIdentity.GetClaimValue( "ztdid"); } + + + private static Dictionary equivalentClaims = new Dictionary + { + { JwtRegisteredClaimNames.Actort, new string[]{ JwtRegisteredClaimNames.Actort, ClaimTypes.Actor } }, + { ClaimTypes.Actor, new string[]{ JwtRegisteredClaimNames.Actort, ClaimTypes.Actor } }, + { "acct", new string[]{ "acct" } }, + { "auth_time", new string[]{ "auth_time" } }, + { JwtRegisteredClaimNames.Birthdate, new string[]{ JwtRegisteredClaimNames.Birthdate, ClaimTypes.DateOfBirth } }, + { ClaimTypes.DateOfBirth, new string[]{ JwtRegisteredClaimNames.Birthdate, ClaimTypes.DateOfBirth } }, + { "ctry", new string[]{ "ctry" } }, + { JwtRegisteredClaimNames.Email, new string[]{ JwtRegisteredClaimNames.Email, ClaimTypes.Email } }, + { ClaimTypes.Email, new string[]{ JwtRegisteredClaimNames.Email, ClaimTypes.Email } }, + { JwtRegisteredClaimNames.FamilyName, new string[]{ JwtRegisteredClaimNames.FamilyName, ClaimTypes.Surname } }, + { ClaimTypes.Surname, new string[]{ JwtRegisteredClaimNames.FamilyName, ClaimTypes.Surname } }, + { JwtRegisteredClaimNames.Gender, new string[]{ JwtRegisteredClaimNames.Gender, ClaimTypes.Gender } }, + { ClaimTypes.Gender, new string[]{ JwtRegisteredClaimNames.Gender, ClaimTypes.Gender } }, + { JwtRegisteredClaimNames.GivenName, new string[]{ JwtRegisteredClaimNames.GivenName, ClaimTypes.GivenName } }, + { ClaimTypes.GivenName, new string[]{ JwtRegisteredClaimNames.GivenName, ClaimTypes.GivenName } }, + { JwtRegisteredClaimNames.NameId, new string[]{ JwtRegisteredClaimNames.NameId, ClaimTypes.NameIdentifier } }, + { ClaimTypes.NameIdentifier, new string[]{ JwtRegisteredClaimNames.NameId, ClaimTypes.NameIdentifier } }, + { JwtRegisteredClaimNames.Sub, new string[]{ JwtRegisteredClaimNames.Sub, ClaimTypes.NameIdentifier } }, + { ClaimTypes.NameIdentifier, new string[]{ JwtRegisteredClaimNames.Sub, 
ClaimTypes.NameIdentifier } }, + { JwtRegisteredClaimNames.Website, new string[]{ JwtRegisteredClaimNames.Website, ClaimTypes.Webpage } }, + { ClaimTypes.Webpage, new string[]{ JwtRegisteredClaimNames.Website, ClaimTypes.Webpage } }, + { JwtRegisteredClaimNames.UniqueName, new string[]{ JwtRegisteredClaimNames.UniqueName, ClaimTypes.Name } }, + { ClaimTypes.Name, new string[]{ JwtRegisteredClaimNames.UniqueName, ClaimTypes.Name } }, + { "oid", new string[]{ "oid", "http://schemas.microsoft.com/identity/claims/objectidentifier" } }, + { "http://schemas.microsoft.com/identity/claims/objectidentifier", new string[]{ "oid", "http://schemas.microsoft.com/identity/claims/objectidentifier" } }, + { "scp", new string[]{ "scp", "http://schemas.microsoft.com/identity/claims/scope" } }, + { "http://schemas.microsoft.com/identity/claims/scope", new string[]{ "scp", "http://schemas.microsoft.com/identity/claims/scope" } }, + { "tid", new string[]{ "tid", "http://schemas.microsoft.com/identity/claims/tenantid" } }, + { "http://schemas.microsoft.com/identity/claims/tenantid", new string[]{ "tid", "http://schemas.microsoft.com/identity/claims/tenantid" } }, + { "acr", new string[]{ "acr", "http://schemas.microsoft.com/claims/authnclassreference" } }, + { "http://schemas.microsoft.com/claims/authnclassreference", new string[]{ "acr", "http://schemas.microsoft.com/claims/authnclassreference" } }, + { "adfs1email", new string[]{ "adfs1email", "http://schemas.xmlsoap.org/claims/EmailAddress" } }, + { "http://schemas.xmlsoap.org/claims/EmailAddress", new string[]{ "adfs1email", "http://schemas.xmlsoap.org/claims/EmailAddress" } }, + { "adfs1upn", new string[]{ "adfs1upn", "http://schemas.xmlsoap.org/claims/UPN" } }, + { "http://schemas.xmlsoap.org/claims/UPN", new string[]{ "adfs1upn", "http://schemas.xmlsoap.org/claims/UPN" } }, + { "amr", new string[]{ "amr", "http://schemas.microsoft.com/claims/authnmethodsreferences" } }, + { 
"http://schemas.microsoft.com/claims/authnmethodsreferences", new string[]{ "amr", "http://schemas.microsoft.com/claims/authnmethodsreferences" } }, + { "authmethod", new string[]{ "authmethod", ClaimTypes.AuthenticationMethod } }, + { ClaimTypes.AuthenticationMethod, new string[]{ "authmethod", ClaimTypes.AuthenticationMethod } }, + { "certapppolicy", new string[]{ "certapppolicy", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy" } }, + { "http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy", new string[]{ "certapppolicy", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy" } }, + { "certauthoritykeyidentifier", new string[]{ "certauthoritykeyidentifier", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier" } }, + { "http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier", new string[]{ "certauthoritykeyidentifier", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier" } }, + { "certbasicconstraints", new string[]{ "certbasicconstraints", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints" } }, + { "http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints", new string[]{ "certbasicconstraints", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints" } }, + { "certeku", new string[]{ "certeku", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku" } }, + { "http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku", new string[]{ "certeku", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku" } }, + { "certissuer", new string[]{ "certissuer", "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer" } }, + { "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer", new string[]{ "certissuer", 
"http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer" } }, + { "certissuername", new string[]{ "certissuername", "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername" } }, + { "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername", new string[]{ "certissuername", "http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername" } }, + { "certkeyusage", new string[]{ "certkeyusage", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage" } }, + { "http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage", new string[]{ "certkeyusage", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage" } }, + { "certnotafter", new string[]{ "certnotafter", "http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter" } }, + { "http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter", new string[]{ "certnotafter", "http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter" } }, + { "certnotbefore", new string[]{ "certnotbefore", "http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore" } }, + { "http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore", new string[]{ "certnotbefore", "http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore" } }, + { "certpolicy", new string[]{ "certpolicy", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy" } }, + { "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy", new string[]{ "certpolicy", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy" } }, + { "certpublickey", new string[]{ "certpublickey", ClaimTypes.Rsa } }, + { ClaimTypes.Rsa, new string[]{ "certpublickey", ClaimTypes.Rsa } }, + { "certrawdata", new string[]{ "certrawdata", "http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata" } }, + { 
"http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata", new string[]{ "certrawdata", "http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata" } }, + { "certserialnumber", new string[]{ "certserialnumber", ClaimTypes.SerialNumber } }, + { ClaimTypes.SerialNumber, new string[]{ "certserialnumber", ClaimTypes.SerialNumber } }, + { "certsignaturealgorithm", new string[]{ "certsignaturealgorithm", "http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm" } }, + { "http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm", new string[]{ "certsignaturealgorithm", "http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm" } }, + { "certsubject", new string[]{ "certsubject", "http://schemas.microsoft.com/2012/12/certificatecontext/field/subject" } }, + { "http://schemas.microsoft.com/2012/12/certificatecontext/field/subject", new string[]{ "certsubject", "http://schemas.microsoft.com/2012/12/certificatecontext/field/subject" } }, + { "certsubjectaltname", new string[]{ "certsubjectaltname", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/san" } }, + { "http://schemas.microsoft.com/2012/12/certificatecontext/extension/san", new string[]{ "certsubjectaltname", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/san" } }, + { "certsubjectkeyidentifier", new string[]{ "certsubjectkeyidentifier", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier" } }, + { "http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier", new string[]{ "certsubjectkeyidentifier", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier" } }, + { "certsubjectname", new string[]{ "certsubjectname", "http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname" } }, + { "http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname", new string[]{ 
"certsubjectname", "http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname" } }, + { "certtemplateinformation", new string[]{ "certtemplateinformation", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation" } }, + { "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation", new string[]{ "certtemplateinformation", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation" } }, + { "certtemplatename", new string[]{ "certtemplatename", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename" } }, + { "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename", new string[]{ "certtemplatename", "http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename" } }, + { "certthumbprint", new string[]{ "certthumbprint", ClaimTypes.Thumbprint } }, + { ClaimTypes.Thumbprint, new string[]{ "certthumbprint", ClaimTypes.Thumbprint } }, + { "certx509version", new string[]{ "certx509version", "http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version" } }, + { "http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version", new string[]{ "certx509version", "http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version" } }, + { "clientapplication", new string[]{ "clientapplication", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application" } }, + { "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", new string[]{ "clientapplication", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application" } }, + { "clientip", new string[]{ "clientip", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip" } }, + { "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip", new string[]{ 
"clientip", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip" } }, + { "clientuseragent", new string[]{ "clientuseragent", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent" } }, + { "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", new string[]{ "clientuseragent", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent" } }, + { "commonname", new string[]{ "commonname", "http://schemas.xmlsoap.org/claims/CommonName" } }, + { "http://schemas.xmlsoap.org/claims/CommonName", new string[]{ "commonname", "http://schemas.xmlsoap.org/claims/CommonName" } }, + { "denyonlyprimarygroupsid", new string[]{ "denyonlyprimarygroupsid", ClaimTypes.DenyOnlyPrimaryGroupSid } }, + { ClaimTypes.DenyOnlyPrimaryGroupSid, new string[]{ "denyonlyprimarygroupsid", ClaimTypes.DenyOnlyPrimaryGroupSid } }, + { "denyonlyprimarysid", new string[]{ "denyonlyprimarysid", ClaimTypes.DenyOnlyPrimarySid } }, + { ClaimTypes.DenyOnlyPrimarySid, new string[]{ "denyonlyprimarysid", ClaimTypes.DenyOnlyPrimarySid } }, + { "denyonlysid", new string[]{ "denyonlysid", ClaimTypes.DenyOnlySid } }, + { ClaimTypes.DenyOnlySid, new string[]{ "denyonlysid", ClaimTypes.DenyOnlySid } }, + { "devicedispname", new string[]{ "devicedispname", "http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname" } }, + { "http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname", new string[]{ "devicedispname", "http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname" } }, + { "deviceid", new string[]{ "deviceid", "http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier" } }, + { "http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier", new string[]{ "deviceid", "http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier" } }, + { "deviceismanaged", new string[]{ "deviceismanaged", 
"http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged" } }, + { "http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged", new string[]{ "deviceismanaged", "http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged" } }, + { "deviceostype", new string[]{ "deviceostype", "http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype" } }, + { "http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype", new string[]{ "deviceostype", "http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype" } }, + { "deviceosver", new string[]{ "deviceosver", "http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion" } }, + { "http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion", new string[]{ "deviceosver", "http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion" } }, + { "deviceowner", new string[]{ "deviceowner", "http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner" } }, + { "http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner", new string[]{ "deviceowner", "http://schemas.microsoft.com/2012/01/devicecontext/claims/userowner" } }, + { "deviceregid", new string[]{ "deviceregid", "http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid" } }, + { "http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid", new string[]{ "deviceregid", "http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid" } }, + { "endpointpath", new string[]{ "endpointpath", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path" } }, + { "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", new string[]{ "endpointpath", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path" } }, + { "forwardedclientip", new string[]{ "forwardedclientip", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" } }, + { 
"http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", new string[]{ "forwardedclientip", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" } }, + { "group", new string[]{ "group", "http://schemas.xmlsoap.org/claims/Group" } }, + { "http://schemas.xmlsoap.org/claims/Group", new string[]{ "group", "http://schemas.xmlsoap.org/claims/Group" } }, + { "groupsid", new string[]{ "groupsid", ClaimTypes.GroupSid } }, + { ClaimTypes.GroupSid, new string[]{ "groupsid", ClaimTypes.GroupSid } }, + { "idtyp", new string[]{ "idtyp" } }, + { "idp", new string[]{ "idp", "http://schemas.microsoft.com/identity/claims/identityprovider" } }, + { "http://schemas.microsoft.com/identity/claims/identityprovider", new string[]{ "idp", "http://schemas.microsoft.com/identity/claims/identityprovider" } }, + { "insidecorporatenetwork", new string[]{ "insidecorporatenetwork", "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" } }, + { "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", new string[]{ "insidecorporatenetwork", "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" } }, + { "isregistereduser", new string[]{ "isregistereduser", "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" } }, + { "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", new string[]{ "isregistereduser", "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" } }, + { "login_hint", new string[]{ "login_hint" } }, + { "ppid", new string[]{ "ppid", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" } }, + { "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier", new string[]{ "ppid", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" } }, + { "primarygroupsid", new string[]{ "primarygroupsid", ClaimTypes.PrimaryGroupSid } }, + { 
ClaimTypes.PrimaryGroupSid, new string[]{ "primarygroupsid", ClaimTypes.PrimaryGroupSid } }, + { "primarysid", new string[]{ "primarysid", ClaimTypes.PrimarySid } }, + { ClaimTypes.PrimarySid, new string[]{ "primarysid", ClaimTypes.PrimarySid } }, + { "proxy", new string[]{ "proxy", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy" } }, + { "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy", new string[]{ "proxy", "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy" } }, + { "pwdchgurl", new string[]{ "pwdchgurl", "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl" } }, + { "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl", new string[]{ "pwdchgurl", "http://schemas.microsoft.com/ws/2012/01/passwordchangeurl" } }, + { "pwdexpdays", new string[]{ "pwdexpdays", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays" } }, + { "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays", new string[]{ "pwdexpdays", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays" } }, + { "pwdexptime", new string[]{ "pwdexptime", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime" } }, + { "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime", new string[]{ "pwdexptime", "http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime" } }, + { "relyingpartytrustid", new string[]{ "relyingpartytrustid", "http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid" } }, + { "http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid", new string[]{ "relyingpartytrustid", "http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid" } }, + { "role", new string[]{ "role", "roles", ClaimTypes.Role } }, + { "roles", new string[]{ "role", "roles", ClaimTypes.Role } }, + { ClaimTypes.Role, new string[]{ "role", "roles", ClaimTypes.Role } }, + { "sid", new string[]{ "sid" } }, + { "upn", new string[]{ 
"upn", ClaimTypes.Upn } }, + { ClaimTypes.Upn, new string[]{ "upn", ClaimTypes.Upn } }, + { "winaccountname", new string[]{ "winaccountname", ClaimTypes.WindowsAccountName } }, + { ClaimTypes.WindowsAccountName, new string[]{ "winaccountname", ClaimTypes.WindowsAccountName } }, + { "verified_primary_email", new string[]{ "verified_primary_email" } }, + { "verified_secondary_email", new string[]{ "verified_secondary_email" } }, + { "vnet", new string[]{ "vnet" } }, + { "xms_pdl", new string[]{ "xms_pdl" } }, + { "xms_tpl", new string[]{ "xms_tpl" } }, + { "ztdid", new string[]{ "ztdid" } }, + }; } } diff --git a/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.tt b/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.tt index cb78f8f560..96c7278f9b 100644 --- a/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.tt +++ b/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.tt @@ -193,5 +193,21 @@ namespace System.IdentityModel.Aad } } #> + + + private static Dictionary equivalentClaims = new Dictionary + { +<# + foreach(ClaimsKnowledge c in claimsKnowledge) + { + foreach(string claim in c.AllClaimNames) + { +#> + { <#=claim#>, new string[]{ <#= string.Join(", ", c.AllClaimNames) #> } }, +<# + } + } +#> + }; } } diff --git a/src/Microsoft.IdentityModel.Aad/ClaimsTypeAccessor.cs b/src/Microsoft.IdentityModel.Aad/ClaimsTypeAccessor.cs index 49756b52f2..4d5e65d919 100644 --- a/src/Microsoft.IdentityModel.Aad/ClaimsTypeAccessor.cs +++ b/src/Microsoft.IdentityModel.Aad/ClaimsTypeAccessor.cs 
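Review bot: The `equivalentClaims` table is emitted as a collection initializer (`{ <#=claim#>, new string[]{ ... } },`), which compiles to `Dictionary.Add` and throws on a repeated key. If a claim name ever appears in two `ClaimsKnowledge` entries, or twice in one `AllClaimNames`, the generated class's type initializer fails and every accessor in it throws `TypeInitializationException`. ClaimsKnowledge.tti is not visible here, so whether that can happen today is unverified; a duplicate check inside the template loop that fails generation would move the problem to build time. The field should also be declared `private static readonly Dictionary<string, string[]> equivalentClaims`, and one shared array per `ClaimsKnowledge` entry would avoid allocating a separate mutable `string[]` for every alias. No comparer is passed to the constructor, so lookups are case-sensitive and a claim type differing only in case is treated as unknown, which the callers' doc comments should state.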
@@ -55,6 +55,99 @@ public static bool ContainsAnyClaim(this ClaimsPrincipal user, params string[] r return user.Claims.Any(claim => requiredClaims.Contains(claim.Type)); } + /// + /// Get the first value of a claim or its equivalent + /// + /// Claims principal + /// Claims type + /// + public static string GetEquivalentClaim(this ClaimsPrincipal user, string claimType) + { + if (equivalentClaims.TryGetValue(claimType, out string[] equivalents)) + { + return GetClaimValue(user, equivalents); + } + else + { + return null; + } + } + + /// + /// Get the first value of a claim or its equivalent + /// + /// Claims identity. + /// Claims type + /// + public static string GetEquivalentClaim(this ClaimsIdentity claimsIdentity, string claimType) + { + if (equivalentClaims.TryGetValue(claimType, out string[] equivalents)) + { + return GetClaimValue(claimsIdentity, equivalents); + } + else + { + return null; + } + } + + /// + /// Get the first value of a claim or its equivalent + /// + /// Claims principal + /// Claims type. + /// All the values of the claims or its equivalents. + public static IEnumerable GetAllEquivalentClaims(this ClaimsPrincipal user, string claimType) + { + if (user is null) + { + throw new ArgumentNullException(nameof(user)); + } + + if (string.IsNullOrEmpty(claimType)) + { + throw new ArgumentException($"'{nameof(claimType)}' cannot be null or empty.", nameof(claimType)); + } + + if (equivalentClaims.TryGetValue(claimType, out string[] equivalents)) + { + return GetAllClaimValues(user, equivalents); + } + else + { + return null; + } + } + + /// + /// Get the first value of a claim or its equivalent + /// + /// Claims identity. + /// Claims type. + /// All the values of the claims or its equivalents. 
+ public static IEnumerable GetAllEquivalentClaims(this ClaimsIdentity claimsIdentity, string claimType) + { + if (claimsIdentity is null) + { + throw new ArgumentNullException(nameof(claimsIdentity)); + } + + if (string.IsNullOrEmpty(claimType)) + { + throw new ArgumentException($"'{nameof(claimType)}' cannot be null or empty.", nameof(claimType)); + } + + if (equivalentClaims.TryGetValue(claimType, out string[] equivalents)) + { + return GetAllClaimValues(claimsIdentity, equivalents); + } + else + { + return null; + } + } + + /// /// Get the value of a claim including several overrides of the claims (due to ASP.NET /// and ASP.NET Core using Claims mapping) From a38cc2ff8e7db7b788990ebda88ec8613d46840f Mon Sep 17 00:00:00 2001 From: Jean-Marc Prieur Date: Wed, 6 Apr 2022 10:31:54 -0700 Subject: [PATCH 13/13] Fixing the namespaces --- src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.gen.cs | 3 ++- src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.tt | 3 ++- src/Microsoft.IdentityModel.Aad/ClaimsTypeAccessor.cs | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.gen.cs b/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.gen.cs index 121adf4b95..60e9a4cda1 100644 --- a/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.gen.cs +++ b/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.gen.cs @@ -28,11 +28,12 @@ // THIS FILE IS AUTOMATICALLY GENERATED FROM ClaimsTypeAccessor.tt USING T4 // DON'T UPDATE MANUALLY +using System; using System.Collections.Generic; using System.IdentityModel.Tokens.Jwt; using System.Security.Claims; -namespace System.IdentityModel.Aad +namespace Microsoft.IdentityModel.Aad { /// /// Defines extension methods to access claims by purpose, and not by name, making it compatible diff --git a/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.tt b/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.tt index 96c7278f9b..2ecbe7aa4d 100644 
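Review bot: Both `GetAllEquivalentClaims` overloads return `null` when `claimType` is not a key of `equivalentClaims`, so a caller that enumerates the result inside an authorization check gets a `NullReferenceException` instead of an empty sequence; `return Enumerable.Empty<string>();` is the safer contract, and `System.Linq` is already imported in this file. The two `GetEquivalentClaim` overloads omit the null/empty guards that the `GetAll...` overloads have, so a null `claimType` surfaces as an `ArgumentNullException` for `key` from `TryGetValue`, and a null `user` is only caught, if at all, inside `GetClaimValue`, whose body is outside this hunk; the same two guard blocks should be copied there. A claim type absent from the table yields `null` even when the principal carries a claim of exactly that type, which a caller can mistake for "claim not present"; the doc comment should say so, or the method should fall back to looking up the literal type. The summary on the `GetAll...` overloads still reads "Get the first value of a claim or its equivalent" and should describe all values.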
--- a/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.tt +++ b/src/Microsoft.IdentityModel.Aad/ClaimTypeAccessor.tt @@ -35,11 +35,12 @@ // THIS FILE IS AUTOMATICALLY GENERATED FROM ClaimsTypeAccessor.tt USING T4 // DON'T UPDATE MANUALLY +using System; using System.Collections.Generic; using System.IdentityModel.Tokens.Jwt; using System.Security.Claims; -namespace System.IdentityModel.Aad +namespace Microsoft.IdentityModel.Aad { /// /// Defines extension methods to access claims by purpose, and not by name, making it compatible diff --git a/src/Microsoft.IdentityModel.Aad/ClaimsTypeAccessor.cs b/src/Microsoft.IdentityModel.Aad/ClaimsTypeAccessor.cs index 4d5e65d919..ae42369004 100644 --- a/src/Microsoft.IdentityModel.Aad/ClaimsTypeAccessor.cs +++ b/src/Microsoft.IdentityModel.Aad/ClaimsTypeAccessor.cs @@ -28,11 +28,12 @@ // THIS FILE IS AUTOMATICALLY GENERATED FROM ClaimsTypeMapping.tt USING T4 // DON'T UPDATE MANUALLY +using System; using System.Collections.Generic; using System.Security.Claims; using System.Linq; -namespace System.IdentityModel.Aad +namespace Microsoft.IdentityModel.Aad { /// /// Defines extension methods to access claims by purpose, and not by name, making it compatible