How to add claims or roles - asp.net-core

How can I add claims after token validation? (i.e. in a controller)
In my app users authenticate with Azure B2C, but I want roles (or claim authorization) to be based on what a user selects after they log in...
I know I can add claims inside OnTokenValidated, but I want to do this after the user goes to a page and makes a selection.

As far as I know, it's impossible. The ASP.NET Core authentication will generate the claims based on the token. If you add the claims in the controller but do not update the token, that means the claims will not be added into the token.
Next time, when the user logs in, the claims are the same as the previous ones. The token will not be modified.
Since you are using Azure B2C, that means we cannot modify the token on the server.
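
The B2C token itself is indeed fixed once issued, but the application can layer its own claims on top of the validated principal on every request with IClaimsTransformation, which is the usual way to honour a selection the user makes after signing in. The following is an added example, not code from the question or the answer above; IRoleSelectionStore, SelectedRoleClaimsTransformation, RoleSelectionController, the "app_role" claim type and the role names are assumptions for illustration, and the object-id claim is looked up under both the short "oid" name and the long schema URI because which one appears depends on the claim-type mapping configured for the OpenID Connect handler:

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical persistence for the choice the user makes after signing in.
// Keyed by the B2C object id so the selection survives token refreshes and re-logins.
public interface IRoleSelectionStore
{
    Task<string?> GetSelectedRoleAsync(string objectId);
    Task SaveSelectedRoleAsync(string objectId, string role);
}

public static class B2CClaims
{
    // B2C issues the user's object id as "oid"; depending on the inbound claim-type
    // mapping, ASP.NET Core may surface it under the long schema URI instead.
    public static string? ObjectId(ClaimsPrincipal p) =>
        p.FindFirst("oid")?.Value
        ?? p.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
}

// Runs on every authenticated request, after the cookie or token has been validated.
// The B2C token is never touched; the extra claims live only in the in-memory principal.
public sealed class SelectedRoleClaimsTransformation : IClaimsTransformation
{
    private const string AppRoleType = "app_role";   // assumed claim type
    private readonly IRoleSelectionStore _store;

    public SelectedRoleClaimsTransformation(IRoleSelectionStore store) => _store = store;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (principal.Identity is not ClaimsIdentity { IsAuthenticated: true })
            return principal;

        // The transformation may be invoked more than once per request: never mutate the
        // incoming principal and never add the claim twice.
        if (principal.HasClaim(c => c.Type == AppRoleType))
            return principal;

        var oid = B2CClaims.ObjectId(principal);
        if (oid is null) return principal;

        var role = await _store.GetSelectedRoleAsync(oid);
        if (role is null) return principal;

        var clone = principal.Clone();
        var identity = (ClaimsIdentity)clone.Identity!;
        identity.AddClaim(new Claim(AppRoleType, role));
        // Also emit it under the identity's role claim type so [Authorize(Roles = ...)] works.
        identity.AddClaim(new Claim(identity.RoleClaimType, role));
        return clone;
    }
}

[Authorize]
public class RoleSelectionController : Controller
{
    // Server-side allow-list: the client picks from roles the app offers, it never gets
    // to assert an arbitrary claim value.
    private static readonly string[] Allowed = { "Contributor", "Reviewer" };   // assumed
    private readonly IRoleSelectionStore _store;

    public RoleSelectionController(IRoleSelectionStore store) => _store = store;

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Select(string role)
    {
        if (Array.IndexOf(Allowed, role) < 0) return BadRequest("unknown role");
        var oid = B2CClaims.ObjectId(User);
        if (oid is null) return Forbid();
        await _store.SaveSelectedRoleAsync(oid, role);
        // Takes effect on the very next request through TransformAsync; no re-login needed.
        return RedirectToAction("Index", "Home");
    }
}

// Registration in Startup.ConfigureServices / Program.cs (YourStore is hypothetical):
//   services.AddScoped<IRoleSelectionStore, YourStore>();
//   services.AddScoped<IClaimsTransformation, SelectedRoleClaimsTransformation>();
```

Because the transformation runs per request, the store lookup sits on the hot path; a short-lived cache keyed by object id keeps that cheap without re-introducing the staleness of a sign-in-time claim. Authorization decisions still depend on the role the user chose, so the allow-list in the controller is the control that matters: anything that can be selected is, by design, self-granted.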

Related

How do I use Auth0 roles to modify my API's behavior, rather than simply deny authorization?

My express.js backend has an endpoint which returns a list of what data the user is authorized to view. There are Auth0 roles corresponding to which segments of this data any given user is allowed to read. A user may have any number of these roles. However, when I tried to add role-based permissions to this endpoint, I realized that the Auth0 recommended middleware express-jwt-authz perhaps doesn't do what I intend: it simply authorizes/rejects based on the roles in the JWT. This endpoint only requires a user's session authorization, not the user's roles.
I want the endpoint to change its responses based on which Auth0 roles are associated with a user. The only solution I can think of is adding a row to my own database (which is not connected with Auth0) where I keep track of each user by the JWT sub property, and manage their roles/permissions from my backend. However, this seems like it would split roles between Auth0 and my application's database, and furthermore feels one step closer to rolling my own authentication system, which I do not want right now. Is there a way I can do this with Auth0 and express.js?
I was able to work around this by selecting "Add Permissions in the Access Token" in Auth0 in Applications > APIs > [my API] > Settings. Then I could view the permissions passed into req.user.permissions on my backend, and process them how I wanted there.

Can the user modify the information available in the claims?

I have an ASP.NET MVC project using Azure Active Directory for authentication and I would like to store information in the claims (ClaimsIdentity), like a custom UserId.
I would then want to retrieve the custom UserId from the claims to check if the user is authorized to access some page.
Where are these custom claims being stored? Would the user be able to modify the values in the claims?
It is common in most back-end apps to need to use tokens from multiple places:
OAuth token claims
Product claims
In MVC there is usually an OnTokenValidated method you can override to customise the claims identity with product claims, as in this article.
The custom claims are then carried around in an HTTP-only / encrypted authentication cookie.
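
What that looks like in ASP.NET Core, as an added example rather than code from the answer or the linked article: the product claim is added in OnTokenValidated from a server-side lookup, and the cookie that carries the resulting principal is protected by the app's Data Protection keys and marked HttpOnly/Secure, so the browser can replay it but cannot read or alter the claim values. IAppUserLookup, the "app_user_id" claim type, the "HasAppAccount" policy and the "AzureAd" configuration section are assumptions for illustration:

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical lookup of the app's own user record for the identity AAD asserted.
public interface IAppUserLookup
{
    Task<int?> FindAppUserIdAsync(string aadObjectId);
}

public static class AuthSetup
{
    public const string AppUserIdClaim = "app_user_id";   // assumed claim type

    public static void Configure(IServiceCollection services, IConfiguration config)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie(options =>
        {
            // The enriched ClaimsPrincipal is serialized into this cookie, encrypted and
            // integrity-protected with the Data Protection keys. Tampering invalidates it.
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Lax;
        })
        .AddOpenIdConnect(options =>
        {
            config.Bind("AzureAd", options);   // Authority, ClientId, ... (assumed section)
            options.Events = new OpenIdConnectEvents
            {
                // Runs once, at sign-in, after the id_token signature and standard claims
                // have been validated against the tenant's signing keys.
                OnTokenValidated = async ctx =>
                {
                    var identity = (ClaimsIdentity)ctx.Principal!.Identity!;
                    var oid = identity.FindFirst("oid")?.Value
                        ?? identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
                    if (oid is null)
                    {
                        ctx.Fail("id_token carries no object id");
                        return;
                    }

                    var lookup = ctx.HttpContext.RequestServices.GetRequiredService<IAppUserLookup>();
                    var appUserId = await lookup.FindAppUserIdAsync(oid);
                    if (appUserId is null)
                    {
                        ctx.Fail("no application account for this identity");
                        return;
                    }

                    // The value comes from the server-side store, never from the browser.
                    identity.AddClaim(new Claim(AppUserIdClaim, appUserId.Value.ToString()));
                }
            };
        });

        services.AddAuthorization(options =>
        {
            // Pages that need an application account require the claim to be present;
            // [Authorize(Policy = "HasAppAccount")] on the controller enforces it.
            options.AddPolicy("HasAppAccount", p => p.RequireClaim(AppUserIdClaim));
        });
    }
}
```

The claim is fixed for the lifetime of the cookie, so this hook suits values that do not change between sign-ins (an internal user id); a value the user or an administrator changes mid-session needs either a per-request transformation or cookie re-validation instead. The one thing the user can do with the cookie is present it from another browser, which is why the HttpOnly and Secure flags matter even though the payload is encrypted.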

Latest membership groups in claims with AD B2C

I have a couple of applications. I will call them application-1 and application-2 in the question. My applications use ASP.NET Core 2.2.
I register users using B2C custom policies like in this example:
Azure B2C custom policies. I've added a REST API claims exchange to get user groups from B2C, just like this example. I retrieve the user groups in an Azure function by calling memberOf in the Graph API.
When a user completes the registration and enters the system for the first time, they are redirected to application-1. They don't have any groups assigned to them in B2C. Then in application-1 they have the option to select which group they want to join. Once they select which group they want to join, I update B2C.
If I use the refresh token as described in the documentation located at Microsoft B2C reference OAuth and access the id_token from the response, I don't find groups in the claims. I decoded the token using the SecurityTokenHandler class.
Also, my application-1 has a link to application-2, which is also part of this B2C single sign-on. When the user clicks the link in application-1 they are redirected into application-2. But the id_token doesn't contain the latest group information which the user had assigned to themselves in application-1.
Is there any way to make sure the id_token carries the latest group information in its claims?
I'm still trying to understand B2C / single sign-on. Please feel free to correct my terminology if I've used the wrong terms.

How to get Role Claims in IdentityServer

I have users that are part of Roles which have Claims specified for them. I authenticate my users using IdentityServer (version 3 at the moment) with IncludeAllClaimsForUser set to true. I expected IdentityServer to automatically retrieve Role Claims, but it doesn't.
Is there a way to make IdentityServer care about Role Claims, or is customizing through ProfileServer the only way to go?
If you need user information, you have to use the userinfo endpoint, or, while making the request for a token, add the scope that is related to the user claim.

How to propagate an administrator's changes to a user's claims

Situation
Let's say an administrator of a site removes a user from the Admin role and adds her to the Contributor role. According to the site's database, that user has been demoted and should no longer have access to Admin-only features. Now the user comes back to the site some time after that change, but had logged in some time before the change and is still logged in. So long as that user does not log out, she will continue to have claims that say she is in the Admin role. If she logs out, or gets logged out, she loses the claim that she belongs to the Admin role and, when she signs back in, receives the new claim of belonging to the Contributor role.
Desire
What I would like to happen, perhaps the next time the user requests a page from the site after the administrator made the change, is to have that user transparently lose the Admin role claim and gain the Contributor role claim without her having to sign out or do anything special. In fact, I would prefer she is unaware of the change, except that her menu has changed a little because she can no longer perform Admin-only activities.
How would you handle this situation in a way that is invisible to the affected user?
My thoughts
I am using ASP.NET MVC 5 and ASP.NET Identity, but it seems like a solution to this could be easily generalized to other claims based frameworks that utilize cookies. I believe that ASP.NET Identity stores claims in the user's cookies by default in MVC 5 apps.
I have read the following post along with many others on SO and it comes closest to answering this question but it only addresses the case where the user updates herself, not when someone else like an administrator makes the change to her account: MVC 5 current claims autorization and updating claims
There is a feature in Identity 2.0 which addresses this. Basically you will be able to do something like this, which adds validation at the cookie layer that will reject users whose credentials have changed, so they are forced to re-login / get a new cookie. Removing a role should trigger this validation (note that it only does this validation check after the validationInterval has passed, so the cookie will still be valid for that smaller timespan).
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// App_Start/Startup.Auth.cs in the MVC 5 template; ApplicationUserManager and
// ApplicationUser are the template's own types.
public partial class Startup {
    public void ConfigureAuth(IAppBuilder app) {
        app.UseCookieAuthentication(new CookieAuthenticationOptions {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider {
                // Enables the application to validate the security stamp when the user logs in.
                // This is a security feature which is used when you change a password or add an external login to your account.
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}
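
The same mechanism exists in ASP.NET Core Identity, where the cookie is re-validated through SecurityStampValidatorOptions instead of the OWIN provider above. This is an added example, not code from the answer: once a cookie is older than ValidationInterval, the next request re-reads the user's security stamp from the store; if it still matches, a fresh principal (current roles included) replaces the old one and the cookie is re-issued, which is exactly the silent Admin-to-Contributor swap the question asks for. Rotating the stamp is the stronger option and forces a sign-out instead. RoleAdminController, the Demote action and the role names are assumptions for illustration; the validator itself is wired up by AddIdentity:

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class SecurityStampSetup
{
    public static void Configure(IServiceCollection services)
    {
        // Default ValidationInterval is 30 minutes. A cookie older than this triggers a
        // stamp check on the next request: matching stamp => principal rebuilt from the
        // store and cookie re-issued (roles refreshed, user unaware); mismatch => principal
        // rejected and the user signed out.
        services.Configure<SecurityStampValidatorOptions>(o =>
            o.ValidationInterval = TimeSpan.FromMinutes(1));
    }
}

[Authorize(Roles = "Admin")]
public class RoleAdminController : Controller
{
    private readonly UserManager<IdentityUser> _users;

    public RoleAdminController(UserManager<IdentityUser> users) => _users = users;

    // Moves a user from Admin to Contributor. With forceReauth=false the change reaches the
    // user's existing session transparently at the next stamp validation; with
    // forceReauth=true the stamp is rotated so every existing cookie for that user is
    // rejected and she has to sign in again.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Demote(string userId, bool forceReauth = false)
    {
        var user = await _users.FindByIdAsync(userId);
        if (user is null) return NotFound();

        var removed = await _users.RemoveFromRoleAsync(user, "Admin");
        if (!removed.Succeeded) return BadRequest(removed.Errors);

        var added = await _users.AddToRoleAsync(user, "Contributor");
        if (!added.Succeeded) return BadRequest(added.Errors);

        if (forceReauth)
        {
            // Role changes by themselves do not rotate the stamp (credential changes such as
            // a new password or external login do), so rotate it explicitly when the demotion
            // must take effect as a sign-out rather than a silent claim refresh.
            await _users.UpdateSecurityStampAsync(user);
        }

        return Ok();
    }
}
```

The window in which the stale Admin claim survives is exactly ValidationInterval, and every validation costs a store read per active user, so pick the interval by how long an ex-admin may keep admin rights rather than by dropping it to zero. Because the principal is rebuilt by SignInManager, any claims added outside the user store (an OnTokenValidated enrichment, for instance) must be reproduced by the claims principal factory or they disappear at the first refresh.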