src/api/SIGCM2.Infrastructure/DependencyInjection.cs

@@ -72,10 +72,13 @@ public static class DependencyInjection
         services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
             .AddJwtBearer();
 
-        // Post-configure JWT Bearer — wire RSA public key + validation params from resolved options
+        // Post-configure JWT Bearer — wire RSA public key + validation params from resolved options.
+        // MapInboundClaims=false: preserve JWT claim names as-is ("sub", "rol", etc.).
+        // Without this, the middleware maps "sub" → ClaimTypes.NameIdentifier and breaks User.FindFirst("sub").
         services.AddOptions<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme)
             .PostConfigure<RsaSecurityKey, JwtOptions>((jwtBearerOpts, rsaKey, jwtOpts) =>
             {
+                jwtBearerOpts.MapInboundClaims = false;
                 jwtBearerOpts.TokenValidationParameters = new TokenValidationParameters
                 {
                     ValidateIssuerSigningKey = true,
@@ -86,7 +89,8 @@ public static class DependencyInjection
                     ValidAudience = jwtOpts.Audience,
                     ValidateLifetime = true,
                     ClockSkew = TimeSpan.Zero,
-                    RoleClaimType = "rol"
+                    RoleClaimType = "rol",
+                    NameClaimType = "name"
                 };
             });