Menu
I am creating an enterprise intranet ASP.NET Core MVC application. I want my users to authenticate using Active Directory and I want user authorizations (claims) stored in ApplicationDbContext.
I assume that I need to use Microsoft.AspNetCore.Identity and Microsoft.AspNetCore.Identity.EntityFrameworkCore to accomplish my goals. What is the best practice for storing ASP.NET Core Authorization claims when authenticating against Active Directory?
The following code will give me access to the current windows user security context (current logged in user), from within the pipeline. Somehow I need to map the user with associated Microsoft.AspNetCore.Identity claims?
app.Use(async (context, next) =>
{
var identity = (ClaimsIdentity) context.User.Identity;
await next.Invoke();
});
Thanks in advance for the help!
819
The claims-based authorization works by checking if the user has a claim to access an URL. In ASP.NET Core we create policies to implement the Claims-Based Authorization. The policy defines what claims that user must process to satisfy the policy. We apply the policy on the Controller, action method, razor page, etc.
Authentication is the process of determining a user's identity. Authorization is the process of determining whether a user has access to a resource. In ASP.NET Core, authentication is handled by the authentication service, IAuthenticationService, which is used by authentication middleware.
Claims can be created from any user or identity data which can be issued using a trusted identity provider or ASP.NET Core identity. A claim is a name value pair that represents what the subject is, not what the subject can do.
Authentication. Negotiate NuGet package can be used with Kestrel to support Windows Authentication using Negotiate and Kerberos on Windows, Linux, and macOS. Credentials can be persisted across requests on a connection.
I don't think there is a best practice around this, but you do have many options. Perhaps you could elaborate a little on what you're trying to achieve? Here's a few pointers that may help you sort some of this out. Just a question...what are you using to authenticate against AD under the hood? If you use IdentityServer or something similar then I would recommend leaning towards option 4.
ApplicationUser propertyFirst off, claims are simply key-value pairs. This means that you could create a structure such as:
public class UserClaim
{
public string UserName {get; set;}
public string Key {get; set;}
public string Value {get; set;}
}
This would allow you to store the claims in your ApplicationUser class.
UserManager
Better yet, you could leverage the built in identity components by injecting a UserManager<ApplicationUser> userManager into the class where you wish to add the user claims, and then call AddClaim() with the appropriate values. Because of the DI system in Core, you're free to do this in any class that will be activated by the runtime.
An other approach would be to augment the UserClaim class with a UserName property, then use the unique identifier of the principle (User.Identity.Name). Then you could store that in a DbSet<UserClaim> in your ApplicationDbContext and fetch the claims by user name.
If you just need to access the claims, and not store them (I'm not sure of your intentions from your question) then you might be best just to access the User property if you're in a controller, provided you're using an authentication service that hydrates the claims correctly.
The User is decorated with the claims that belong to the user that signed in to your app and is available on every controller.
You can otherwise obtain the ClaimsPrinciple and access the claims of the user in that manner. In that case (outside of a controller) what you would do is to add an IHttpContextAccessor accessor to the constructor of your class and navigate to the HttpContextAccessor.HttpContext.User property, which is again a ClaimsPrinciple.
178
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
