I am introducing SSO to a legacy application. One existing piece of functionality that I need to keep is checking whether a user can access the application after they have signed in. Previously, if they logged in, their account would be checked against a db table and they would be logged out of the system with a message saying they had to contact support if their access was denied. I am looking for the same functionality, if possible, on the new SSO login. So, a snippet of the code is below. Any suggestions would be appreciated.
```csharp
Notifications = new OpenIdConnectAuthenticationNotifications
{
    AuthenticationFailed = OnAuthenticationFailed,
    SecurityTokenValidated = (context) =>
    {
        ClaimsIdentity identity = context.AuthenticationTicket.Identity;
        // check the database if the user is locked from accessing the system
        var userEmail = identity.FindFirst("preferred_username").Value;
        // FirstOrDefault returns the single matching row (or null), not an IQueryable
        var currentUser = UsersTable.FirstOrDefault(user => user.Email == userEmail);
        if (currentUser != null)
        {
            if (currentUser.AccessLocked)
            {
                // At this point I need to prevent the user from using the system. My preferred option would be to
                // force logout, and redirect back to the login page, with a message saying that user access is locked.
                //
                // The other option:
                // 2 - Add Roles on each of the controllers (IsActive) and add a Claim Role Type for a user who does have access
                identity.AddClaim(new Claim(ClaimTypes.Role, "IsActive"));
                // I have tried this, but I get stuck in an authorisation loop when the user does not have the Role
            }
        }
        // the notification delegate must return a Task
        return Task.FromResult(0);
    }
};
```
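One way to implement the first option (deny the sign-in and show a "contact support" page) with the OWIN OpenID Connect middleware, as an added example that is not part of the question's code. It assumes a hypothetical `IUserAccessStore` standing in for the question's `UsersTable`, and an anonymously reachable `/Account/AccessLocked` page that the application is assumed to provide. The key point is that `context.HandleResponse()` inside `SecurityTokenValidated` stops the middleware from issuing the application cookie, so a locked user is never signed in and no forced logout is needed.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OpenIdConnect;

// Hypothetical lookup abstraction standing in for the question's UsersTable (assumption).
public interface IUserAccessStore
{
    // Returns true when the account exists in the table and is not locked.
    bool IsAccessAllowed(string email);
}

public static class SsoAccessGate
{
    // Page that shows the "contact support" message; assumed to exist and to be
    // reachable without [Authorize], otherwise the redirect would challenge again.
    private const string AccessLockedPath = "/Account/AccessLocked";

    // Builds the notifications to assign to OpenIdConnectAuthenticationOptions.Notifications.
    public static OpenIdConnectAuthenticationNotifications Build(IUserAccessStore store)
    {
        return new OpenIdConnectAuthenticationNotifications
        {
            SecurityTokenValidated = context =>
            {
                ClaimsIdentity identity = context.AuthenticationTicket.Identity;
                Claim emailClaim = identity.FindFirst("preferred_username");

                // Missing claim or locked account: stop the middleware from issuing the
                // application cookie (no session is created) and send the user to the
                // locked page instead of the original return URL.
                if (emailClaim == null || !store.IsAccessAllowed(emailClaim.Value))
                {
                    context.HandleResponse();              // do not sign the user in
                    context.Response.Redirect(AccessLockedPath);
                }
                return Task.FromResult(0);
            },
            AuthenticationFailed = context =>
            {
                // Token validation errors land here; show a generic error page rather
                // than echoing context.Exception.Message back to the browser.
                context.HandleResponse();
                context.Response.Redirect("/Error");
                return Task.FromResult(0);
            }
        };
    }
}
```

Because the decision is made before the cookie is written, there is nothing to log out of on the application side; the locked page can additionally offer a sign-out link if the identity provider session should also be ended. This gate only runs at sign-in, so a lock applied while a user already holds a valid cookie takes effect when that cookie expires or is re-validated, which is the same behaviour the legacy per-login check had.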