Persisting new claims across requests

2
votes

How do I add the new claims in such a way that they persist through requests until the cookie expires?

I am using OWIN middle ware, on-premises authentication to authenticate the users logging into the system.

The sign-in part is successful, and I added Roles to the user claims provided by the ws-federation to help authorize the user for certain action methods. At the time of login, in the controller, I have written the following to add the roles:

string[] roles = { "Role1", "Role2" };

var identity = new ClaimsIdentity(User.Identity);
foreach (var role in roles)
{
    identity.AddClaim(new Claim(ClaimTypes.Role, role));
}

var authenticationManager = HttpContext.GetOwinContext().Authentication;

authenticationManager.AuthenticationResponseGrant = new AuthenticationResponseGrant
                             (new ClaimsPrincipal(identity),
                              new AuthenticationProperties { IsPersistent = true });

But when I check the claims at the next request, I don't see the role claims.

3
c#.netowinclaims-based-identityws-federation

3 Answers

1
votes

After successful authentication I believe you added custom claims (normally to some event handler once successfully authenticated). Now in order to persist that information in subsequent request you need to use CookieAuthentication middle ware before your authentication owin in pipeline.

How it works :

Upon successful authentication first time and addition of custom claims, claims will be transformed into sort of auth cookie and sent back to client. Subsequent request will carry this auth cookie. CookieAuthentication middle ware on finding auth cookie will set your Thread.CurrentPriciple with claims obtained from cookie.

During first time request when cookie middle ware does see any auth cookie, it passes request to next middle ware in pipe line (Authentication owin in your case) to challenge user for login.

app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

app.UseCookieAuthentication(new CookieAuthenticationOptions()
            {

                AuthenticationType = "Cookies",
                AuthenticationMode= AuthenticationMode.Active,
                CookieName="XXXXX",
                CookieDomain= _cookiedomain,
                /* you can go with default cookie encryption also */
                TicketDataFormat = new TicketDataFormat(_x509DataProtector),
                SlidingExpiration = true,
                CookieSecure = CookieSecureOption.Always,
            });


app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {

                ClientId = _clientID,
                Authority = _authority,
                RedirectUri = _redirectUri,
                UseTokenLifetime = false,

                Notifications = new OpenIdConnectAuthenticationNotifications
                {

                    SecurityTokenValidated = SecurityTokenValidated,

                    AuthenticationFailed = (context) =>
                    {
                        /* your logic to handle failure*/
                    }
                },

                TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
                {
                    ValidIssuers = _validIssuers,
                    ValidateIssuer = _isValidIssuers,
                }
            });

EDIT: (Additional information)
Pretty much the exact code as above works for ws federation also, with the same logic and everything.

SecurityTokenValidated = notification =>
{
    ClaimsIdentity identity = notification.AuthenticationTicket.Identity;
    string[] roles = { "Role1", "Role2" };
    foreach (var role in roles)
    {
        identity.AddClaim(new Claim(ClaimTypes.Role, role));
    }
    return Task.FromResult(0);
}
0
votes

You need to use the same AuthenticationType that you used in Startup.ConfigureAuth. For example:

In Startup.ConfigureAuth:

app.UseCookieAuthentication(new CookieAuthenticationOptions {
  AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
  //....
});

And in your login code (provided in the question):

var identity = new ClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie);

Or make sure that the User.Identity has the same AuthenticationType, and you're good to use that like you did:

var identity = new ClaimsIdentity(User.Identity);

Now the important part is that for the login, you should add the claims before singing the use in, not after. Something like this:

HttpContext.GetOwinContext().Authentication.SignIn(identity);

You can add the claims after signing in, but you will be modifying the cookie right after it is created, which is not efficient. If in some other code you need to modify the claims, then you can use something similar to your code, but you must get the context from Current:

HttpContext.Current.GetOwinContext().Authentication.AuthenticationResponseGrant =
    new AuthenticationResponseGrant(new ClaimsPrincipal(identity),
                                    new AuthenticationProperties { IsPersistent = true });

So you can fix your code by simply adding Current like above, but that's not efficient for the login code and it is better to pass the claims to the SignIn function.

0
votes

you can do the following in WEB API C # (SOAP),(STORED PROCEDURES)

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
        LoginModel model = new LoginModel();
        //validate user credentials and obtain user roles (return List Roles) 
        //validar las credenciales de usuario y obtener roles de usuario
        var user = model.User = _serviceUsuario.ObtenerUsuario(context.UserName, context.Password);
        if (user == null)
        {
            context.SetError("invalid_grant", "El nombre de usuario o la contraseƱa no son correctos.cod 01");
            return;
        }

        var stringRoles = user.Roles.Replace(" ", "");//It depends on how you bring them from your DB
        string[] roles = stringRoles.Split(',');//It depends on how you bring them from your DB

        var identity = new ClaimsIdentity(context.Options.AuthenticationType);          
        foreach(var Rol in roles)
        {
            identity.AddClaim(new Claim(ClaimTypes.Role, Rol));
        }
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        identity.AddClaim(new Claim(ClaimTypes.Email, user.Correo));
        identity.AddClaim(new Claim(ClaimTypes.MobilePhone, user.Celular));
        identity.AddClaim(new Claim("FullName", user.FullName));//new ClaimTypes
        identity.AddClaim(new Claim("Empresa", user.Empresa));//new ClaimTypes
        identity.AddClaim(new Claim("ConnectionStringsName", user.ConnectionStringsName));//new ClaimTypes
//add user information for the client
        var properties = new AuthenticationProperties(new Dictionary<string, string>
        {
            { "userName",user.NombreUsuario },
            { "FullName",user.FullName },
            { "EmpresaName",user.Empresa }
        });
//end
        var ticket = new AuthenticationTicket(identity, properties);
       context.Validated(ticket);
    }