I have users that are part of Roles which have Claims specified for them. I authenticate my users using IdentityServer (version 3 at the moment) with IncludeAllClaimsForUser set to true. I expected IdentityServer to automatically retrieve Role Claims, but it doesn't.
Is there a way to make IdentityServer care about Role Claims, or is customizing through ProfileServer the only way to go?
If you need user information you have to use the userinfo endpoint, or, when requesting a token, add the scope that is related to the user claim.
My express.js backend has an endpoint which returns a list of what data the user is authorized to view. There are Auth0 roles corresponding to which segments of this data any given user is allowed to read. A user may have any number of these roles. However, when I tried to add role-based permissions to this endpoint, I realized that the Auth0 recommended middleware express-jwt-authz perhaps doesn't do what I intend: it simply authorizes/rejects based on the roles in the JWT. This endpoint only requires a user's session authorization, not the user's roles.
I want the endpoint to change its responses based on which Auth0 roles are associated with a user. The only solution I can think of is adding a row to my own database (which is not connected with Auth0) where I keep track of each user by the JWT sub property, and manage their roles/permissions from my backend. However, this seems like it would split roles between Auth0 and my application's database, and furthermore feels one step closer to rolling my own authentication system, which I do not want right now. Is there a way I can do this with Auth0 and express.js?
I was able to work around this by selecting "Add Permissions in the Access Token" in Auth0 in Applications > APIs > [my API] > Settings. Then I could view the permissions passed into req.user.permissions on my backend, and process them how I wanted there.
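The pattern from the answer above, as an added example that is not part of the original post: the handler requires only a valid session, then shapes its response from the `permissions` array that Auth0 places in the access token. It assumes express-jwt has already validated the token and attached the payload to `req.user`; the data segments and permission names are constructed for the demo.

```javascript
// Constructed sample: each data segment and the API permission that unlocks it.
const SEGMENTS = [
  { name: "sales",     permission: "read:sales",     rows: ["Q1 revenue", "Q2 revenue"] },
  { name: "inventory", permission: "read:inventory", rows: ["SKU-1001", "SKU-1002"] },
  { name: "hr",        permission: "read:hr",        rows: ["headcount"] },
];

// Permissions Auth0 adds when "Add Permissions in the Access Token" is enabled.
// Older express-jwt puts the payload on req.user; v7+ uses req.auth unless
// requestProperty is configured, so adjust the property name to your setup.
function permissionsOf(req) {
  const payload = req.user;
  const list = payload && Array.isArray(payload.permissions) ? payload.permissions : [];
  return new Set(list);
}

// Which segments this caller may read: this shapes the response, it never rejects.
function visibleSegments(permissions) {
  return SEGMENTS.filter((s) => permissions.has(s.permission))
                 .map((s) => ({ name: s.name, rows: s.rows }));
}

// Route handler for GET /authorized-data. Only an authenticated session is
// required (401 without one); permissions decide what is included, not whether
// the request is answered.
function authorizedData(req, res) {
  if (!req.user || !req.user.sub) {
    return res.status(401).json({ error: "authentication required" });
  }
  const segments = visibleSegments(permissionsOf(req));
  return res.status(200).json({ user: req.user.sub, segments });
}

// Tiny stand-in for an Express response so the handler runs without a server.
function fakeRes() {
  const r = { statusCode: 200, body: null };
  r.status = (c) => { r.statusCode = c; return r; };
  r.json = (b) => { r.body = b; return r; };
  return r;
}
```

A user without any matching permission still gets a 200 with an empty `segments` list, which is the difference from the reject-or-allow behaviour of express-jwt-authz.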
How can I add claims after token validation? (i.e. in a controller)
In my app users authenticate with Azure B2C, but I want roles (or claim authorization) to be based on what a user selects after they log in...
I know I can add claims inside OnTokenValidated, but I want to do this after the user goes to a page and makes a selection.
As far as I know, it's impossible. The ASP.NET Core authentication will generate the claims based on the token. If you add the claims in the controller but do not update the token, the claims will not be added to the token.
Next time, when the user logs in, the claims are the same as the previous ones. The token will not be modified.
Since you are using Azure B2C, that means we cannot modify the token on the server.
I have an ASP .NET MVC project using Azure Active Directory for Authentication and I would like to store information in the claims (ClaimsIdentity) like a custom UserId.
I would then want to retrieve the custom UserId from the claims to check if the user is authorized to access some page.
Where are these custom claims being stored? Would the user be able to modify the values in the claims?
It is common in most back end apps to need to use tokens from multiple places:
OAuth token claims
Product claims
In MVC there is usually an OnTokenValidated method you can override to customise the claims identity with product claims, as in this article.
The custom claims are then carried around in an HTTP only / encrypted authentication cookie.
I have a couple of applications. I will call them application-1 and application-2 in the question. My applications use ASP.NET Core 2.2.
I register user using B2C custom policies like in this example
Azure B2C custom policies. I've added a REST API claim exchange to get user groups from the B2C, just like this example. I retrieve the user groups in an Azure function by calling memberOf in the Graph API.
When a user completes the registration and enters the system for the first time, they are redirected to application-1. They don't have any groups assigned to them in B2C. Then in application-1 they have the option to select which group they want to join. Once they select which group they want to join, I update the B2C.
If I use refresh token provided in the documentation located at Microsoft B2C reference OAuth and access id_token from the response I don't find groups in the claims. I decoded the token for which I have used SecurityTokenHandler class.
Also, my application-1 has a link to application-2, which is also part of this B2C single sign-on. When the user clicks the link in application-1 they are redirected into application-2. But the id_token doesn't carry the latest group information which the user assigned to themselves in application-1.
Is there anyway to make sure the id_token carries latest group information in claims?
I'm still trying to understand B2C / single sign-on. Please feel free to correct my terminology if I've used the wrong terms.
I have an http endpoint /update-user-details that is authenticated by a JWT token.
There are two valid users in my system User1 and User2.
How do I restrict User1 from updating User2's details using the /update-user-details endpoint?
You have 3 options:
DIY: implement code yourself that will do it. That's what Chappie Johnson recommends in their response.
Externalize authorization logic: use an authorization framework to do the check for you. The way to externalize really depends on the framework you developed the API in. For instance, you could look into Flask Authorization for Python or Ruby CanCanCan or .NET claims.
Externalize authorization using a standard approach: Attribute-Based Access Control (ABAC) is actually what you are looking for. In ABAC you write policies that state what can and cannot happen. ALFA and XACML are the two ways you can write policies. The good thing about this approach is that you can always change the policies without rewriting your API.
In your JWT you should have a claim in the body of the token that contains the user id of the requesting user. Before making an edit, you could check to see that the user_id value in your JWT matches the user_id value that user1 is attempting to edit. If the user_ids do not match, then reject the change.
String userId = getUserIdFromJwt();                 // "sub" claim of the already validated token
String targetUserId = getTargetUserIdFromRequest(); // hypothetical helper: the id named in the request
if (!userId.equals(targetUserId)) {
    throw new HttpUnauthorizedException("You do not have access to edit " +
        "this resource.");
}
You have all the information about the current requesting user in the JWT so you are able to make assertions about the user.