Add claims

  • Question

  • User1348874006 posted

    I'm developing an ASP.Net MVC5 web app that needs to connect to an existing system.  The site authentication uses the standard out-of-the-box classes you get when creating a new ASP web app, but stripped down so that only an Admin user can register a new account.  The database holding the user accounts is in App_Data.

    Confirming login needs to be a two-part process.  The user account must not only exist in the local DB holding the web accounts, it must also exist in our main system.   This has been done by changing the AccountController login action so that when confirmed by the SignInManager, we then connect to the other database and validate the user account.

    Once the user account has been validated in the other database I would like to add the ID as a Claim to current User.  How do I do this?    User.Identity is currently GenericIdentity.

    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        ...
        ...

        var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: false);
        if (result == SignInStatus.Success)
        {
            try
            {
                var nssUser = myOtherDB.UserRepository.FetchByEmail(model.Email);
                if (nssUser == null || !nssUser.AllowWebAccess)
                {
                    authenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
                    result = SignInStatus.Failure;
                }
                else // user is confirmed in other db
                {
                    // *********************************************************************
                    // I would like to add the nssUser.UserID as a claim to the User.Identity at this point
                    // *********************************************************************
                }
            }
            catch
            {
                authenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
                result = SignInStatus.Failure;
            }
        }

        switch (result)
        {
            case SignInStatus.Success:
                return redirectToLocal(returnUrl);
            case SignInStatus.LockedOut:
                return View("Lockout");
            case SignInStatus.RequiresVerification: // this is for code notification via phone. Email verification is captured above
            case SignInStatus.Failure:
            default:
                ModelState.AddModelError("", "Invalid login attempt.");
                return View(model);
        }
        ....
    }

    Thanks in advance

    Andrew

    Thursday, October 22, 2015 12:34 PM

Answers

All replies

  • User-986267747 posted

    Hi _Andy,

    I would like to add the ID as a Claim to current User.

    I'm not sure why you want to add Id as a Claim. In my experience, you could try with the code below to add claims.

    var identity = (ClaimsIdentity)User.Identity;

    // Add the claims to the identity itself; an IEnumerable<Claim> has no AddClaim method
    identity.AddClaim(new Claim(ClaimTypes.Role, "guest"));
    identity.AddClaim(new Claim(ClaimTypes.GivenName, "A Person"));
    identity.AddClaim(new Claim(ClaimTypes.Sid, user.userID));

    // Re-issue the authentication cookie so it carries the new claims
    AuthenticationManager.SignIn(new AuthenticationProperties
    {
        IsPersistent = model.RememberMe
    }, identity);

    Besides, about using Claims in ASP.NET Identity, you could refer to the following links.

    http://kevin-junghans.blogspot.com/2013/12/using-claims-in-aspnet-identity.html

    http://leastprivilege.com/2015/07/21/the-state-of-security-in-asp-net-5-and-mvc-6-claims-authentication/

    I hope it's helpful to you.

    Best Regards,

    Klein zhang

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, October 23, 2015 2:28 AM
  • User1348874006 posted

    Hi Klein,

    Thanks for your reply.  The user id is the associated record ID for that user in our other system.

    var nssUser = _uow.NSSUserRepository.FetchByEmail(model.Email);
    ...

    In our other system, the APIs to retrieve data the user is permitted to access require the current user ID.  Adding it as a Claim to the user Principal not only confirms they're a user in our other system, but also reduces the need to look up that user for the ID on every request.

    Regards,

    Andrew

    Friday, October 23, 2015 3:57 AM
  • User1348874006 posted

    What I didn't realise is that you need to SignOut and then SignIn to update the cookie with the added claims.

    authenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);

    var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);

    identity.AddClaim(new Claim("MyNewClaim", "MyClaimValue"));

    authenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = model.RememberMe }, identity);

    Thanks again.

    Andrew

    Friday, October 23, 2015 5:10 AM
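The sign-out / re-sign-in pattern from the thread, written out as a complete MVC5 Login action plus a helper that reads the claim back on later requests. This is an added example, not the poster's code; the names OtherDb, UserRepository.FetchByEmail, NssUser.UserID / AllowWebAccess, the claim type "urn:nss:userid" and the template's RedirectToLocal helper are assumed.

```csharp
using System.Security.Claims;
using System.Security.Principal;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

public partial class AccountController : Controller
{
    public const string NssUserIdClaim = "urn:nss:userid"; // assumed claim type

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        var result = await SignInManager.PasswordSignInAsync(
            model.Email, model.Password, model.RememberMe, shouldLockout: false);
        if (result != SignInStatus.Success)
        {
            ModelState.AddModelError("", "Invalid login attempt.");
            return View(model);
        }

        // PasswordSignInAsync has already issued a cookie without our claim.
        // Discard it; a new one is issued only if the other system allows access.
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);

        var nssUser = OtherDb.UserRepository.FetchByEmail(model.Email); // assumed repository
        if (nssUser == null || !nssUser.AllowWebAccess)
        {
            // Same message as a bad password, so the response does not reveal which check failed
            ModelState.AddModelError("", "Invalid login attempt.");
            return View(model);
        }

        var user = await UserManager.FindByEmailAsync(model.Email);
        var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
        identity.AddClaim(new Claim(NssUserIdClaim, nssUser.UserID.ToString()));
        AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = model.RememberMe }, identity);
        return RedirectToLocal(returnUrl); // assumed template helper
    }
}

public static class NssClaims
{
    // Reads the other system's record ID back from the cookie-backed identity; null if absent
    public static int? GetNssUserId(this IIdentity identity)
    {
        var claimsIdentity = identity as ClaimsIdentity;
        var claim = claimsIdentity == null ? null : claimsIdentity.FindFirst(AccountController.NssUserIdClaim);
        int id;
        return claim != null && int.TryParse(claim.Value, out id) ? id : (int?)null;
    }
}
```

Because the claim lives inside the signed and encrypted application cookie, it is trusted for the cookie's lifetime, so if AllowWebAccess can be revoked, re-check it where the template revalidates the cookie (the SecurityStampValidator callback in Startup.Auth) rather than relying on the login-time value alone.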