Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to set Claims from ASP.Net OpenID Connect OWIN components?

I have questions upon using the new ASP.Net OpenID Connect framework while adding new Claims during the authentication pipeline as shown in the code below. I'm not sure just how much 'magic' is happening behind the scenes. I think most of my questions center around not knowing much about OWIN authentication middleware as opposed to OpenID Connect.

Q1. Should I be manually setting HttpContext.Current.User and Thread.CurrentPrincipal from OwinContext.Authentication.User?

Q2. I want the ability to add object types to claims like I used to with System.IdentityModel.Claims.Claim. The new System.Security.Claims.Claim class only accepts string values?

Q3. Do I need to use the new SessionSecurityToken wrapper for my ClaimsPrincipal in System.Security.Claims.CurrentPrincipal for serializing into a cookie - I am using app.UseCookieAuthentication(new CookieAuthenticationOptions()); but now sure what that does exactly in terms of maintaining any additional claims I added during SecurityTokenValidated event?

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                PostLogoutRedirectUri = postLogoutRedirectUri,

                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    SecurityTokenValidated = (context) =>
                    {
                        // retriever caller data from the incoming principal
                        var UPN = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.Name).Value;
                        var db = new SOSBIADPEntities();

                        var user = db.DomainUser.FirstOrDefault(b => (b.EntityName == UPN));

                        if (user == null)
                        {
                            // the caller was not a registered user - throw to block the authentication flow
                            throw new SecurityTokenValidationException();
                        }

                        var applicationUserIdentity = new ClaimsIdentity();
                        applicationUserIdentity.AddClaim(new Claim(ClaimTypes.Name, UPN, ""));
                        applicationUserIdentity.AddClaim(new Claim(ClaimTypes.Sid, user.ID.ToString(CultureInfo.InvariantCulture)));


                        var applications =
                            db.ApplicationUser
                            .Where(x => x.ApplicationChild != null && x.DomainUser.ID == user.ID)
                            .Select(x => x.ApplicationChild).OrderBy(x => x.SortOrder);

                        applications.ForEach(x =>
                            applicationUserIdentity.AddClaim(new Claim(ClaimTypes.System, x.ID.ToString(CultureInfo.InvariantCulture))));

                        context.OwinContext.Authentication.User.AddIdentity(applicationUserIdentity);

                        var hasOutlook = context.OwinContext.Authentication.User.HasClaim(ClaimTypes.System, "1");

                        hasOutlook = hasOutlook;

                        HttpContext.Current.User = context.OwinContext.Authentication.User;
                        Thread.CurrentPrincipal = context.OwinContext.Authentication.User;

                        var usr = HttpContext.Current.User;

                        var c =  System.Security.Claims.ClaimsPrincipal.Current.Claims.Count();


                        return Task.FromResult(0);
                    },
                }
            }
        );
    }
like image 278
puri Avatar asked Nov 28 '14 22:11

puri


People also ask

What is claim in OWIN?

Claims Based Identity Support with Microsoft OWIN Components Security is extended to include the base classes to be used for implementing standard web sign in protocols such as OpenID or WS-Federation. Finally therefore a new component Microsoft. Owin. Security.

How do I apply a claim in .NET core?

Claim based authorization checks are declarative - the developer embeds them within their code, against a controller or an action within a controller, specifying claims which the current user must possess, and optionally the value the claim must hold to access the requested resource.


1 Answers

Is there a specific reason for which you are adding a new ClaimsIdentity?

The simplest way of doing what you are aiming at is to retrieve the ClaimsIdentity that was generated by validating the incoming token, via ClaimsIdentity claimsId = context.AuthenticationTicket.Identity; once you have it, just add claims to it. The rest of the middleware will take care of serializing it in the session cookie along with everything else, place the result in the current ClaimsPrincipal, and all those other things you appear to be trying to do manually.
HTH
V.

like image 53
vibronet Avatar answered Sep 17 '22 23:09

vibronet