Update logged Identity claims when add new claims - asp.net-core

I have a .net core web api application with angular. I use AspNetCore Identity. I have a claim table with userId and value colums. The createnewuser method call from angular site, and they call to register user method. There no any problem here.
I wanna add new claim into httpcontext current user claims list.
I'd tried but it is not help me.
Added a claim to an existing HttpContext User
But I can see added new claim into _httpContext.HttpContext.User.Claims when re-authenticate with new token. How can I see add new claim into current identity (_httpContext.HttpContext.User.Claims)?
And I got current user Id value from httpontext.
var parentId = _httpContext.HttpContext.User.Claims?.FirstOrDefault(p => p.Type == "uid");
if (parentId != null && parentId.Value != null)
{
await _IdentityService.AddClaimAsync(new RegisterRequest()
{
"newclaim" = "new-claim-key",
userId = parentId.Value
});

I think best wasy get claims from db who logged used like that:
var claimList = userManager.
GetClaimsAsync(await_userManager.GetUserAsync(_httpContext.HttpContext.User))
Although this is not a very accurate method, it is the most reliable method. This way you can get the latest claim list in db

Related

.net core 3.1 & identity issue (claims nameidentifier has an id that doesn't match any user, while claims name is right)

I'm having an issue in an area of my website where i need to retrieve the user Id, i tried both by using the HttpContext.User and the injected IHttpContextAccessor, both give me an id that 1) doesn't match the user and 2) doesn't even exist in my database!
I also tried injecting a UserManager and calling GetUserId on it and that too gives me the wrong id (once again, no clue where from, it's not in the database). Calling GetUserAsync on it returns null.
I'm not using anything special nor fancy, the default page included with idendity core to log in, just a context that inherits from IdentityDbContext, and the login part works just fine as those pages are behind an Authorize tag and do force me to log in. If i was getting an error to begin with i could dig but i'm just getting an Id that seems to come from nowhere and am at a loss at where to look.
Here's what the claims look like when calling
HttpContext.User.Claims.ToList()
[0]: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: f478bf7a-1734-494c-aad6-0882ab24007f} <-- this id is not present in AspNetUsers table
[1]: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: EDITED OUT FOR PRIVACY} <-- my correct username (my email)
[2]: {AspNet.Identity.SecurityStamp: EDITED OUT}
[3]: {http://schemas.microsoft.com/ws/2008/06/identity/claims/role: Administrator} <-- correctly finds my role too
You can use the following code to get the UserId
using System.Security.Claims;
using Microsoft.AspNetCore.Identity;
var claimsIdentity = (ClaimsIdentity)this.User.Identity;
var claim = claimsIdentity.FindFirst(System.Security.Claims.ClaimTypes.NameIdentifier);
var userId = claim.Value;
I had that problem for using this in ExternalLoginCallback:
var user = new SmileAppUser { UserName = email, Email = email };
await _signInManager.SignInAsync(user, isPersistent: false);
Try to retrieve the user from the database to include the id in the claims with SignInAsync.

Adding and accessing claims in asp net core 3.0 using built in Identity server

I'm currently failing at wrapping my head around claims. I have a ASP.Net Core 3 project with the angular template and users stored in app.
I want to add claims to my users, reading up on I thought it would be easy, just add something along the lines of
await _UserManager.AddClaimAsync(user, new Claim(AccountStatic.ClaimTypes._Claim_Id, user.Id));
When you create the user, and then get it back using the below line once they are logged in again:
User.FindFirst(AccountStatic.ClaimTypes._Claim_Id)?.Value;
This does however not work. I can see the claims being written to AspNetUserClaims table in my database but it's not there in the users claims when they log in. There are a few other claims there, but not the ones I have added.
Do I need to define somewhere which of the users claims get included when they log in?
Edit.
I found a post stating that I need to add claims using a DI AddClaimsPrincipalFactory. So I added this class.
public class UserClaimsPrincipalFactory : UserClaimsPrincipalFactory<ApplicationUser>
{
public UserClaimsPrincipalFactory(UserManager<ApplicationUser> userManager,IOptions<IdentityOptions> optionsAccessor): base(userManager, optionsAccessor)
{}
//https://levelup.gitconnected.com/add-extra-user-claims-in-asp-net-core-web-applications-1f28c98c9ec6
protected override async Task<ClaimsIdentity> GenerateClaimsAsync(ApplicationUser user)
{
var identity = await base.GenerateClaimsAsync(user);
identity.AddClaim(new Claim(AccountStatic.ClaimTypes.Claim_Id, user.Id ?? "[no id]"));
return identity;
}
}
And if I step through the code I can see the claims being added here. But in the Controller my custom claims are not present.
internal string GetUserId()
{
if (User.Identity.IsAuthenticated == false)
return null;
return User.FindFirst(AccountStatic.ClaimTypes.Claim_Id)?.Value;
}
Update. Ok I find this very strange. I have been trying to do what others claim work but for me nothing gets me the users name or id. inspecting the User I get the following. Nothing here contains any reference to the logged in user.
Update 2:
Just noticed that there is actually an Id in there: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: ed107a11-6c62-496b-901e-ed9e6497662a} Seems to be the users id from the database. Not sure how to access it yet though.
These return null.
User.FindFirst(JwtRegisteredClaimNames.NameId)?.Value;
User.FindFirst("nameidentifier")?.Value;
User.FindFirst("NameIdentifier")?.Value;
Another update
I'm using a UserClaimsPrincipalFactory and breakingpointing it and looking at the Claims I can see that all of the ones I want are there. But again, these are not available in my API controllers as seen in the first picture.
I finally understood the problem, in large parts thanks to Ruard van Elburgs comments, and the answer he made in the linked question IdentityServer4 Role Based Authorization.
The problem is that the claims are not added to the access token.
There are two tokens, the access token and the identity token.
- Ruard van Elburg
They key to understanding what was going on was finding out that there are two tokens, and that they contain different claims and have different purposes.
You can force claims from one token to also be included in the other if you deem it necessary.
The solution to my problem was to add this in Startup.ConfigureServices
services
.AddIdentityServer(options => {})
.AddApiAuthorization<ApplicationUser, ApplicationDbContext>(options =>
{
foreach (var c in options.ApiResources)
{
// the string name of the token I want to include
c.UserClaims.Add(AccountStatic.ClaimTypes.Claim_Id);
}
});
I still have not figured out how to get the Identity token, but as I'm now including the user Id in the access token my problems are solved for the moment.

Get User Info From Access Token WebApi Asp.net Core

I'm using the new ASP.NET Core Identity API Authorization found in dotnet-core3-preview, the docs are found here https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-api-authorization?view=aspnetcore-3.0
I'm succesfully running the typical login process, and the token are set and sent in the Bearer token. However rightnow I have an api end point that should return some user details from the database, so I'm trying to extract the user id from the token to query the database.
Yet, I'm not able to find the id in any of the claims, as per my screenshot below, how can I accomplish this?
[HttpGet]
[Authorize]
public async Task<IActionResult> GetUserByToken(){
var ls = User.Claims.AsQueryable();
return Ok(ls);
}
The user id could be find in claim : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier :
var userID = User.Claims.Where(a => a.Type == ClaimTypes.NameIdentifier).FirstOrDefault().Value;
That id value equals Id column in AspNetUsers table which created by ASP.NET Identity .
I prefer using this instead which is shorter:
var userId = User.FindFirst(ClaimTypes.NameIdentifier).Value

MVC Custom Authorize Attribute

I have a method as below
[Authorize]
public async Task<IActionResult> Edit(int? id)
{
if (id == null) return NotFound();
//EF bug workaround
var activities = (await _context.Activities.AsNoTracking().ProjectTo<ProgramActivityViewModel>()
.Where(m => m.Id == id).ToListAsync()).SingleOrDefault();
if (activities == null) return NotFound();
if (activities.ActivityCoverageArea.Any())
activities.PhysicalLocation = activities.ActivityPhysicalLocation != null;
PopulateActivitiesModel(activities);
return View(activities);
}
when user hits this method in browser URL he see this link.
http://localhost:52580/Activity/Activity/Edit/117
my issue if user manually enters id 125 instead of 117 in browser, he can see data that is not related to him. i mean he can see his peer's data who is at same level , might be reporting to different manager.
how can I restrict user from doing this??
the Id being passed is Activity id not UserId, a user can have multiple activityId's. issue is , she should not see activity of other users.
You need to get the userId of the current logged in user and test that against your data.
If the data does not belong to the current user then you just need to return a 403 or custom error page.
If you are using the newer built in MVC authentication system then it should be as simple as:
User.Identity.GetUserId();
If you have this kind of issue all throughout your code then I suggest having the userId stored in a base controller or in a viewstate that you can easily access without having to hit your database with an extra request every time.

In JWT Authorization, check if user has role Admin

I am working on a .Net Core API, and inside my Controller, I have the following code:
if (User.Identity.IsAuthenticated)
{
var username = HttpContext.User.FindFirstValue(ClaimTypes.NameIdentifier);
var user = await _userManager.FindByNameAsync(username);
artistCardDtoCollection = _artistsService.GetAllArtists(user.Id, User.IsInRole("Admin"));
}
The code above is because I wish to pass the User.Id (if logged in) and a IsAdmin flag to my GetAllArtists method.
The code above is failing on User.IsInRole("Admin"). I get a false when I know 100% that the user in question is an Admin. I've double checked the database via SQL Management Studio.
This makes me think one can't use User.IsInRole() when working with JWT. If that is the case, then what is the correct way? Thanks
Probably it could be the caching issue with User.IsInRole(), if we check documentation we will find:
IsInRole first checks the IsRoleListCached property to determine
whether a cached list of role names for the current user is available.
If the IsRoleListCached property is true, the cached list is checked
for the specified role. If the IsInRole method finds the specified
role in the cached list, it returns true. If IsInRole does not find
the specified role, it calls the GetRolesForUser method of the default
Provider instance to determine whether the user name is associated
with a role from the data source for the configured ApplicationName
value.
In your case you can try to use GetRolesAsync like below:
var user = await _userManager.FindByNameAsync(username);
var roles = await _userManager.GetRolesAsync(user);
artistCardDtoCollection = _artistsService.GetAllArtists(user.Id, roles.Contains("Admin"));