Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do I invalidate claims using ASP.NET Identity?

I just upgraded some of my applications to ASP.NET MVC 5. I've been using ASP.NET Membership for ages and was exploring the possibility of switching to ASP.NET Identity.

I'm building a little test application and I've got authentication working (against active directory and a custom SQL Server schema depending on the user) and even authorization by adding role claims to the ClaimsIdentity before signing the user in (apparently the out of the box Authorize attribute will actually go against any claim information provided).

It's cool that the claims are stored in the authentication cookie by default. However, that poses a problem when information about the user has changed (i.e. they are added or removed from a role).

Obviously I can roll my own Authorize attribute as I've always done before. If I do this I would just skip the claims all together and simply check the roles in the database per request.

Is there any way to use claims in ASP.NET Identity and know when they are no longer valid? Does the framework provide any options to solve this?

like image 904
Justin Helgerson Avatar asked Feb 12 '14 22:02

Justin Helgerson


1 Answers

You probably want to take a look at this question/answer for how this can be taken care of automatically:

What is the SecurityStamp used for?

like image 159
Hao Kung Avatar answered Sep 22 '22 21:09

Hao Kung