Menu
I am using asp.net identity (WebApi 2, MVC 5, not .net core) to add claims to my user's identity when she logs in from our singe page application. This looks like this (I have stripped out the checks for invalid names, locked accounts, etc)
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
var userManager = context.OwinContext.GetUserManager<CompWalkUserManager>();
var user = await userManager.FindByNameAsync(context.UserName);
var check = await userManager.CheckPasswordAsync(user, context.Password);
if (!check)
{
await userManager.AccessFailedAsync(user.Id);
context.SetError("invalid_grant", invalidUser);
return;
}
ClaimsIdentity oAuthIdentity = await user.GenerateUserIdentityAsync(userManager,
OAuthDefaults.AuthenticationType);
ClaimsIdentity cookiesIdentity = await user.GenerateUserIdentityAsync(userManager,
CookieAuthenticationDefaults.AuthenticationType);
//These claims are key/value pairs stored in the local database
var claims = GetClaimsForUser(user);
cookiesIdentity.AddClaims(claims);
oAuthIdentity.AddClaims(claims);
AuthenticationProperties properties = CreateProperties(user.UserName);
AuthenticationTicket ticket = new AuthenticationTicket(oAuthIdentity, properties);
context.Validated(ticket);
context.Request.Context.Authentication.SignIn(cookiesIdentity);
}
At this point, everything is working as expected. I can check the user's claims via an AuthorizationFilterAttribute as methods on my api are called.
However, it is possible that an administrator might change the values of the claims while the user is logged in (our tokens are good for 14 days). As an example we have a claim named Locations with a value of EditAndDelete. The admin might change this value to NoAccess in the database, but the authentication will not know about about this.
I can see that at run-time I can add or remove claims from my identity, but these changes do not persist past the current request. Is there a way to update the auth ticket in the cookies on the fly? I would like to be able to update my Identity with the new value without having the user have to log out.
967
SignInAsync(HttpContext, String, ClaimsPrincipal, AuthenticationProperties) Sign in a principal for the specified scheme.
ClaimsPrincipal exposes a collection of identities, each of which is a ClaimsIdentity. In the common case, this collection, which is accessed through the Identities property, will only have a single element.
A claim is a name value pair that represents what the subject is, not what the subject can do. For example, you may have a driver's license, issued by a local driving license authority. Your driver's license has your date of birth on it.
If you want to go the Identity way of doing that, you need to hit the db on every login. You set the SecurityStamp validation interval to 0:
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
{
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromSeconds(0),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
}
});
When the permissions are changed for a user, you update their securitystamp:
UserManager.UpdateSecurityStamp(userId);
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
