0
votes

I have an ASP.NET MVC framework web application. I want to use both .NET Identity and OpenID Connect for authentication (Microsoft accounts).

It works and redirects to another controller as I want. In this target controller I get information from the claims (which are returned from Azure AD).

What I want is to add more claims to this collection from Azure, or create a new set of claims as I want. I set claims as follows, but when the debugger hits the other controller I see only the default claims returned by Azure AD; my modifications are not reflected in the claims collection.

How can I add claims which are usable for both OpenID Connect (Microsoft) and .NET Identity authentication?

This is how I set example claims in the controller:

var identity = new ClaimsIdentity("ApplicationCookie", ClaimsIdentity.DefaultNameClaimType, ClaimsIdentity.DefaultRoleClaimType);
identity.AddClaim(new Claim("test", "test"));

IAuthenticationManager authenticationManager = HttpContext.GetOwinContext().Authentication;
authenticationManager.SignOut("ApplicationCookie");
authenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = true }, identity); 

This is how I configured it in Startup:

app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    // Sets the ClientId, authority, RedirectUri as obtained from web.config
    ClientId = clientId,
    Authority = authority,
    // PostLogoutRedirectUri is the page that users will be redirected to after sign-out. In this case, it is using the home page
    PostLogoutRedirectUri = redirectUri,
    Scope = OpenIdConnectScope.OpenIdProfile,
    // ResponseType is set to request the code id_token - which contains basic information about the signed-in user
    ResponseType = OpenIdConnectResponseType.CodeIdToken,
    AuthenticationMode = AuthenticationMode.Passive,
    // OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to OnAuthenticationFailed method
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        AuthenticationFailed = OnAuthenticationFailed
    },
    TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
    {
        RoleClaimType = System.Security.Claims.ClaimTypes.Role,
        ValidateIssuer = false
    }
});
1
Do I understand that in your application you want to add claims to the claims returned in the ID token from Azure AD? If so, this is not the right way - claims are asserted by the authorization server; the authorization server assures you and other recipients of the token that it has authenticated the user and validated the claims. In your application you can add more information about the user, but not modify the claims from the AS. Also, I see that you've disabled issuer validation in the code - this is not secure. You should always validate the issuer of your tokens.
Michal Trojanowski

1 Answer

0
votes

You have two options. Either hook into the various events provided by AddCookie and AddOpenIDConnect. Or add a custom claims transformation, like:

using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

public class BonusLevelClaimTransformation : IClaimsTransformation
{
    // Runs on every request after authentication; the returned principal is the one the app sees.
    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (!principal.HasClaim(c => c.Type == "bonuslevel"))
        {
            // Look up the bonus level here (e.g. from a database) and add it as an application-local claim.
            principal.Identities.First().AddClaim(new Claim("bonuslevel", "12345"));
        }
        return Task.FromResult(principal);
    }
}

You also need to register it in Startup.cs like

services.AddTransient<IClaimsTransformation, BonusLevelClaimTransformation>();
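IClaimsTransformation and services.AddTransient belong to ASP.NET Core. The question's Startup uses the OWIN/Katana middleware (app.UseOpenIdConnectAuthentication), where the equivalent hook for the "events" option is the SecurityTokenValidated notification: it runs after the id_token signature and issuer checks pass and before the cookie middleware issues the application cookie, so claims added to the ticket's identity there are present in the cookie on every later request. The following is an added example and not code from the question, the answer, or the Katana project; the clientId, tenantId and redirectUri placeholders, the LookupBonusLevel helper and the "local-app" issuer string are assumptions. It also keeps ValidateIssuer = true, as the comment on the question recommends.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Assumed placeholders; a real app reads these from web.config.
        string clientId = "<client-id>";
        string tenantId = "<tenant-id>";
        string authority = "https://login.microsoftonline.com/" + tenantId + "/v2.0";
        string redirectUri = "https://localhost:44300/";

        // Cookie middleware is the default sign-in target, so the OIDC ticket
        // (including any claims added below) is persisted in the app cookie.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            RedirectUri = redirectUri,
            PostLogoutRedirectUri = redirectUri,
            Scope = OpenIdConnectScope.OpenIdProfile,
            ResponseType = OpenIdConnectResponseType.CodeIdToken,
            AuthenticationMode = AuthenticationMode.Passive,
            TokenValidationParameters = new TokenValidationParameters
            {
                RoleClaimType = ClaimTypes.Role,
                // Issuer validation stays enabled. For a single-tenant Authority the
                // expected issuer comes from the discovery document; a multi-tenant
                // ("common") app needs a custom IssuerValidator rather than disabling it.
                ValidateIssuer = true
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = OnSecurityTokenValidated
            }
        });
    }

    private static Task OnSecurityTokenValidated(
        SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> notification)
    {
        // The identity built from the validated id_token; Azure AD's claims are already on it.
        ClaimsIdentity identity = notification.AuthenticationTicket.Identity;

        // Key the application lookup on the stable Azure AD object id rather than a display name.
        Claim oid = identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier");
        string bonusLevel = LookupBonusLevel(oid == null ? null : oid.Value);

        // Application-local data is added as a separate claim with its own issuer value,
        // so it is never mistaken for something Azure AD asserted.
        if (bonusLevel != null && !identity.HasClaim(c => c.Type == "bonuslevel"))
        {
            identity.AddClaim(new Claim("bonuslevel", bonusLevel, ClaimValueTypes.String, "local-app"));
        }

        return Task.FromResult(0);
    }

    // Hypothetical stand-in for a database or API lookup.
    private static string LookupBonusLevel(string objectId)
    {
        return objectId == null ? null : "12345";
    }
}
```

Because the claim is added before the cookie is written, controllers reading `User.Claims` (or `ClaimsPrincipal.Current`) on subsequent requests see "bonuslevel" alongside the Azure AD claims without any extra SignIn call; the explicit SignOut/SignIn in the question is unnecessary with this approach. Marking the added claim with a distinct issuer keeps the distinction the comment draws: Azure AD's claims stay as issued, and the application's own data is visibly the application's.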