Extending ClaimsIdentity in MVC3

Question

I've got my claims set-up with MVC3 using azure and everything is going well.

What I need to do now is extend the Claims Identity that's in the current thread / http context and add my own information (DOB, Address.. that sort of stuff)

so my question is - where is the best place to do this? any examples would be great..

I presume that when the user is authenticated id then have to go to the DB and pull back the relevant record for the user then add it to the custom Claims Identity object?

Answer 1

Typically you will have a httpmodule that will inspect the cookies and once the FedAuth token is found, you have a hook to build your Claims Principal and identities.

You don't typically need to store the user's entire profile, just useful things that wont typically change that often. I do this inside of an actionfilter.

Here is the code I found that does all of this.

https://github.com/wcpro/ScaffR/tree/master/src/ScaffR.Security/content/CodeTemplates/Scaffolders/ScaffR.Security

You may have to do a little digging but its all there.

Here is the code for the http module

public class ClaimsTransformationHttpModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        context.PostAuthenticateRequest += context_PostAuthenticateRequest;
    }

    void context_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var context = ((HttpApplication) sender).Context;

        if (FederatedAuthentication.SessionAuthenticationModule != null &&
            FederatedAuthentication.SessionAuthenticationModule.ContainsSessionTokenCookie(context.Request.Cookies))
        {
            return;
        }

        var transformer = FederatedAuthentication.FederationConfiguration.IdentityConfiguration.ClaimsAuthenticationManager;

        if (transformer != null)
        {
            var transformedPrincipal = transformer.Authenticate(context.Request.RawUrl, context.User as ClaimsPrincipal);

            context.User = transformedPrincipal;
            Thread.CurrentPrincipal = transformedPrincipal;
        }
    }

    public void Dispose() { }
}

Here is the Claims Transformer

    public partial class ClaimsTransformer : ClaimsAuthenticationManager
{
    partial void SetCustomPrincipalClaims(IUserService userService, ref ClaimsPrincipal principal);

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (!incomingPrincipal.Identity.IsAuthenticated)
        {
            return incomingPrincipal;
        }

        var newPrincipal = Transform(incomingPrincipal);

        EstablishSession(newPrincipal);

        return newPrincipal;
    }

    ClaimsPrincipal Transform(ClaimsPrincipal incomingPrincipal)
    {
        var nameClaim = incomingPrincipal.Identities.First().FindFirst(ClaimTypes.Name);

        var userService = DependencyResolver.Current.GetService<IUserService>();

        var user = userService.GetByUsername(nameClaim.Value);

        var id = new ApplicationIdentity(user);

        var principal = new ClaimsPrincipal(id);

        SetCustomPrincipalClaims(userService, ref principal);

        return principal;
    }        

    private void EstablishSession(ClaimsPrincipal principal)
    {
        if (HttpContext.Current != null)
        {
            var sessionToken = new SessionSecurityToken(principal);
            FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionToken);
        }
    }
}

Then here is the configuration

<?xml version="1.0" encoding="utf-8"?>
<system.identityModel>
  <identityConfiguration>
    <claimsAuthenticationManager type="Barbarella.Core.Common.Security.ClaimsTransformer, Barbarella.Core" />
  </identityConfiguration>
</system.identityModel>

And this...

    <system.identityModel.services>
  <federationConfiguration>
    <cookieHandler mode="Default" requireSsl="false" />
  </federationConfiguration>
</system.identityModel.services>

And this...

<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules runAllManagedModulesForAllRequests="true">
  <add name="ClaimsTransformationModule" type="Barbarella.Core.Common.Security.ClaimsTransformationHttpModule, Barbarella.Core" />
  <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />

</modules>

Dont forget to add your configuration sections

    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
<section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />

Here is my code for the ApplicationIdentity (overrides ClaimsIDentity)... This is the code that answers your question really...

 public sealed partial class ApplicationIdentity : ClaimsIdentity
{
    partial void SetCustomIdentityClaims(User user);

    private readonly User _user;

    public ApplicationIdentity(User user) : base("Application")
    {
        _user = user;
        AddClaim(new Claim(ClaimTypes.Name, user.Username));     
        AddClaim(new Claim(ApplicationClaimTypes.UserId, user.Id.ToString(CultureInfo.InvariantCulture)));
        AddClaim(new Claim(ApplicationClaimTypes.FirstName, user.FirstName));
        AddClaim(new Claim(ApplicationClaimTypes.LastName, user.LastName));
        AddClaim(new Claim("Time", DateTime.Now.ToString()));

        SetCustomIdentityClaims(_user);
    }

    public User User
    {
        get { return _user; }
    }

    public int UserId
    {
        get { return int.Parse(FindFirst(ApplicationClaimTypes.UserId).Value); }
    }

    public string Username
    {
        get { return FindFirst(ClaimTypes.Name).Value; }
    }

}