it seems like User.Identity is not persistent and only valid in one HttpContext, so when the application site redirect to another page (example from "/" to "/events") the User.Identity is lost and i need to recreate it or access from session/cookie.
However im kind of new to ASP.NET MVC, so i have no idea how to pass ClaimsIdentity across sessions, i used OpenId connection with 3rd party provider, and i created/set the ClaimsPrincipal mysel.
Any suggestion how to do this?
Related
I have an ASP.NET Core MVC application in the front-end and I have a back-end service which is built with ServiceStack. This service has BasicAuth, which requires to send encrypted username+password and if successful it returns the sessionId.
After the authentication this service requires a cookie with the name ss-id and the value of sessionId in order to authorize any further requests. In my application I have a service which is injected into the controllers, I add this service to the service container like this:
services.AddHttpClient<IMyService,MyService>();
Now my problem is that when I add the SessionId as a cookie to the HttpClient, after a few requests the application creates a new instance of it and my cookie is deleted.
I've been trying to solve this for weeks, I've searched everywhere and couldn't find any solution! Please help!
I can save the SessionId into the browser cookies and then manually add it to all HttpClients in my service, but I don't think it's right... I think that somehow in serviceContainer with AddAuthentication or AddAuthorization or AddHttpClient, it should be set up... And when user authenticates it should add this cookie to every request automatically.
I have a legacy ASP.NET site that needs to be ported to ASP.NET Core due to server migration. The app is an ASP.NET MVC site using cookie login and auth. There is also a legacy query param login, where all pages accept ?u=<user>&p=<pwd>.
I tried adding an AuthenticationHandler, but Cookie authN only forward to login page instead of allowing the second Scheme handler to try authN. There is no OnAuthorization to override in Controller anymore (all app controllers have the same base class).
I also need Cookie login to be valid after first request (only this request have the query params). Following requests should use cookie for login.
What is the correct (recommended) way to implement this "query login" in ASP.NET core?
How can I hook into Cookie AuthN failure (no cookie), check query params, provide principal/identity and do cookie login (HttpContext.SignInAsync).
Is there any documentation for ASP.NET core about how AuthN and AuthZ interact and the different steps the middleware go through for Auth?
I am using JSON Web Token (Bearer) as my default Authentication. I'm then using (Cookies) as my Authentication for Google.
I am using the default Google Authentication in Asp.Net Core API to get the AccessToken. I then pass that AccessToken to my Angular application in the Url, using a redirect. This is similar to how the ASP.Net MVC 5 Web API works. From there, I'm making a call back to my Asp.Net Core API to try and get the remaining claims. I'm making the call using the AccessToken.
Does anyone know how to access the external claims using the Google AccessToken? I know how to do this in the Asp.Net MVC 5 Web API, but Asp.Net Core is much different.
I can see external claims here. This happens during the OAuth process after the User Authenticates with Google. This is in my ExternalLoginCallback method.
var result = await HttpContext.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
Here is some information that seems to be useful, but it doesn't specifically address third party Auth.
https://learn.microsoft.com/en-us/aspnet/core/migration/claimsprincipal-current?view=aspnetcore-2.2
If I call the API using the AccecssToken, in the header, and use HttpContext.AuthenticateAsync like so....
var result = await HttpContext.AuthenticateAsync(JwtBearerDefaults.AuthenticationScheme);
I get this.
{System.Exception: No SecurityTokenValidator available for token: ya29.Glt5B_thgPhe8-FcR
Thanks in advance! Any help is much appreciated.
Here is what I ended up doing. Since I'm able to get the claims from the Cookie in my ExternalLoginCallback method, I went ahead and created a new JSON Web Token (JWT), added the extracted claims to it and then passed that over to my Angular application. Now, when I make the call back to my API, I'm able to read that Token and extract the claims using this line of code in my GetUserInfo method.
HttpContext.AuthenticateAsync(JwtBearerDefaults.AuthenticationScheme);
Bottom line, since I could not read the Google AccessToken like I could in my ASP.Net MVC 5 Web API, I just went ahead and created a new JWT Token, added in the claims and used that.
By the way, I'm having to do all of this because I can not call my ExternalLogin method directly from Angular because of a known Cors policy issue.
I'm building a ASP.NET Core 2.1 web app. I am not using Identity. I am using CookieAuthentication.
Instead, I sign-in the user using HttContext.SignInAsync:
_httpContextAccessor.HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, myGeneratedClaimsPrincipal)
When something in the principal changes, I have to sign-out and sign-in to refresh the principal.
In there a way I can refresh the principal without sign-out/sign-in?
I am storing the user selected culture into the user claims and i have a custom RequestCultureProvider that reads this value and set the request culture accordingly.
The application will have a profile page where the user can change his preferences (culture included). After save the data to the database I need to silently re-signin the user in order to update his claims.
Additional info:
I'm using IdentityServer4 with AspNet Core 2.0 and Asp.Net Identity
I'm loading the culture to the claims in the OnTokenValidated event (client apps). It can also be done in the GetProfileDataAsync (IProfileService) or UserClaimsPrincipalFactory (ASP.NET Core Identity)
The system is composed by 3 web apps (Idsv4 + app1 + app2). The profile pages are implemented in the app applications.
With a single web app configured with Asp.NET Identity you can use the method RefreshSignInAsync from the SignInManager to regenerates the user's application cookie, however I need to trigger this process from the client apps (app1 & app2), so no access to SignInManager.
I tried to use HttpContext.Authentication.ChallengeAsync("oidc") HttpContext.Authentication.SignInAsync and apparently the authenticate endpoint is invoked however I cannot handle the response and it generates a infinite loop in the MVC action where I'm invoking this code.
So, how can I achieve the silently re-signing with Idsrv4?