Asp.net identity - How to maintain logged in user role?

0
votes

I m using Angularjs project and using Asp.net identity custom storage provider with Enterprise library for token authentication.

Implemented custom userstore to create an account.

[Authorize] attribute works well after logged in. i want to restrict the method for particular user.

So tried to implement [Authorize(Roles="Admin,User")].

Here one user can have two roles in practical. But as per the system, when user login, we restrict the user to select the particular role.

So, after validated by asp.net identity, user should select any one of the role.

Here my need is,

I want to maintain the role which he selected (we consider this concept like impersonate user, but not exactly).

Or,

Need to implement in the Authorize attribute itself.

I've seen some of the examples like we can add claim to identity.

But I can add custom claims only inside the method,

GenerateUserIdentityAsync

in my case I need to add claim after log in validated. I've gone through some example and implemented like following.

 ClaimsIdentity identity = new ClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie);
identity.AddClaim(new Claim(ClaimTypes.Role, "Test"));

After added claim, when I try to get the claim to check the logged in user role,

 List<Claim> claim = claims.Where(c => c.Type == ClaimTypes.Role).ToList();

I didn't get the Role "Test".

Here my bad luck is, in claims, I've all the roles of the user except role = test

How to authorize the user role or maintain logged in here..

1
c#asp.netangularjsasp.net-identityidentity
Can you mention the reason for down vote? - Jeeva J
What have you tried so far? You can make perfect use of the claim based authentication mechanisms here. - TGlatzer
Actually I did authorize based on the role. But sometime user has more than one role. I want to allow user with the one role to the system. He will be asked to select the role before enter into the application. In that case, I need the solution for that. - Jeeva J
I've added current user role in the like userIdentity.AddClaim(new Claim(ClaimTypes.Role, "Jeeva"));. I could get that detail in the methods. Is that ok to validate in the web api actions to know the current logged in user role? - Jeeva J
Is there any tutorial to implement impersonate in asp.net web api with identity? - Jeeva J

1 Answers

2
votes

I see at least three solutions for your problem:

  1. Use a claim transformation to filter the role claims, to match a role the user choose. You can use a claim transformation middleware or you can filter the claims during login (be aware, that you do not know the user roles BEFORE login, and afterwards filtering might be too late). PRO Does not necessarily need session state; CON User can not choose during runtime.

  2. Store the role in the session and authenticate against that role. Make sure, that you check against the role claims, when the user chooses his role. PRO User might change role without re-sign-in. CON Needs session state (Might be an issue in farm environments).

  3. Don't do it at all and I'm totally serious about that. Provide your user a clean interface, that makes him know, what role he has and use areas and other technics to separate the concerns.