AspNet Identity UserManager Find with Select (optimal sql query) - sql

I have wcf fulRest service with AspNet Identity. My android app use this web service to communicate with database - I use ssl to make connection secure (my app is a mini game so it doesn't contain so important data, I belive that ssl is enough protection in this case).
I have function LoginUser(string userName, string unHashedPassword), if user exsists it returns user's id. In all other functions this id is used if action need information of curUser - for example I have function addComment(string userId, string msg) (this kind of methods still use ssl to protection of unwanted handle userId).
In LoginUser I get id (and a little more information like e-mail, gameLogin) by use:
using (var userManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(_context)))
{
ApplicationUser user = userManager.Find(userName, password);
if (user != null)
{
result = new LogInBaseData()
{
Id = user.Id,
Email = user.Email,
Login = user.ApplicationLogin
};
}
}
But function Find generate huge query with select many unneeded data for me. Is any way to optimalizace it? I prefer do it by context.User.Where().Select() but I can't hash user's password.

Related

.net core 3.1 & identity issue (claims nameidentifier has an id that doesn't match any user, while claims name is right)

I'm having an issue in an area of my website where i need to retrieve the user Id, i tried both by using the HttpContext.User and the injected IHttpContextAccessor, both give me an id that 1) doesn't match the user and 2) doesn't even exist in my database!
I also tried injecting a UserManager and calling GetUserId on it and that too gives me the wrong id (once again, no clue where from, it's not in the database). Calling GetUserAsync on it returns null.
I'm not using anything special nor fancy, the default page included with idendity core to log in, just a context that inherits from IdentityDbContext, and the login part works just fine as those pages are behind an Authorize tag and do force me to log in. If i was getting an error to begin with i could dig but i'm just getting an Id that seems to come from nowhere and am at a loss at where to look.
Here's what the claims look like when calling
HttpContext.User.Claims.ToList()
[0]: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: f478bf7a-1734-494c-aad6-0882ab24007f} <-- this id is not present in AspNetUsers table
[1]: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: EDITED OUT FOR PRIVACY} <-- my correct username (my email)
[2]: {AspNet.Identity.SecurityStamp: EDITED OUT}
[3]: {http://schemas.microsoft.com/ws/2008/06/identity/claims/role: Administrator} <-- correctly finds my role too
You can use the following code to get the UserId
using System.Security.Claims;
using Microsoft.AspNetCore.Identity;
var claimsIdentity = (ClaimsIdentity)this.User.Identity;
var claim = claimsIdentity.FindFirst(System.Security.Claims.ClaimTypes.NameIdentifier);
var userId = claim.Value;
I had that problem for using this in ExternalLoginCallback:
var user = new SmileAppUser { UserName = email, Email = email };
await _signInManager.SignInAsync(user, isPersistent: false);
Try to retrieve the user from the database to include the id in the claims with SignInAsync.

Adding and accessing claims in asp net core 3.0 using built in Identity server

I'm currently failing at wrapping my head around claims. I have a ASP.Net Core 3 project with the angular template and users stored in app.
I want to add claims to my users, reading up on I thought it would be easy, just add something along the lines of
await _UserManager.AddClaimAsync(user, new Claim(AccountStatic.ClaimTypes._Claim_Id, user.Id));
When you create the user, and then get it back using the below line once they are logged in again:
User.FindFirst(AccountStatic.ClaimTypes._Claim_Id)?.Value;
This does however not work. I can see the claims being written to AspNetUserClaims table in my database but it's not there in the users claims when they log in. There are a few other claims there, but not the ones I have added.
Do I need to define somewhere which of the users claims get included when they log in?
Edit.
I found a post stating that I need to add claims using a DI AddClaimsPrincipalFactory. So I added this class.
public class UserClaimsPrincipalFactory : UserClaimsPrincipalFactory<ApplicationUser>
{
public UserClaimsPrincipalFactory(UserManager<ApplicationUser> userManager,IOptions<IdentityOptions> optionsAccessor): base(userManager, optionsAccessor)
{}
//https://levelup.gitconnected.com/add-extra-user-claims-in-asp-net-core-web-applications-1f28c98c9ec6
protected override async Task<ClaimsIdentity> GenerateClaimsAsync(ApplicationUser user)
{
var identity = await base.GenerateClaimsAsync(user);
identity.AddClaim(new Claim(AccountStatic.ClaimTypes.Claim_Id, user.Id ?? "[no id]"));
return identity;
}
}
And if I step through the code I can see the claims being added here. But in the Controller my custom claims are not present.
internal string GetUserId()
{
if (User.Identity.IsAuthenticated == false)
return null;
return User.FindFirst(AccountStatic.ClaimTypes.Claim_Id)?.Value;
}
Update. Ok I find this very strange. I have been trying to do what others claim work but for me nothing gets me the users name or id. inspecting the User I get the following. Nothing here contains any reference to the logged in user.
Update 2:
Just noticed that there is actually an Id in there: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: ed107a11-6c62-496b-901e-ed9e6497662a} Seems to be the users id from the database. Not sure how to access it yet though.
These return null.
User.FindFirst(JwtRegisteredClaimNames.NameId)?.Value;
User.FindFirst("nameidentifier")?.Value;
User.FindFirst("NameIdentifier")?.Value;
Another update
I'm using a UserClaimsPrincipalFactory and breakingpointing it and looking at the Claims I can see that all of the ones I want are there. But again, these are not available in my API controllers as seen in the first picture.
I finally understood the problem, in large parts thanks to Ruard van Elburgs comments, and the answer he made in the linked question IdentityServer4 Role Based Authorization.
The problem is that the claims are not added to the access token.
There are two tokens, the access token and the identity token.
- Ruard van Elburg
They key to understanding what was going on was finding out that there are two tokens, and that they contain different claims and have different purposes.
You can force claims from one token to also be included in the other if you deem it necessary.
The solution to my problem was to add this in Startup.ConfigureServices
services
.AddIdentityServer(options => {})
.AddApiAuthorization<ApplicationUser, ApplicationDbContext>(options =>
{
foreach (var c in options.ApiResources)
{
// the string name of the token I want to include
c.UserClaims.Add(AccountStatic.ClaimTypes.Claim_Id);
}
});
I still have not figured out how to get the Identity token, but as I'm now including the user Id in the access token my problems are solved for the moment.

StackService: Preempt user logins and assign roles and permissions on login

I'm looking for a way to assign Roles and Permissions to a user whose email I know but has not yet logged into my service. Auth is done using external auth providers (aad).
I played around with clearing the UserAuth and UserAuthDetails tables and then creating a bare minimum UserAuth entry that anticipates my login (id, email, username and dates) but upon signing in another UserAuth entry was created to go along with the new UserAuthDetails row.
Right now I'm (getting away with) hardcoding roles (and other metadata) and applying them during OnAuthenticated. At some point I might have to reluctantly move this to a table in the database so I can add pre-emptive access assignment during runtime.
Ideally I should be able to pre-create UserAuth rows with the appropriates Roles and Permissions that anticipate that users login using a provider that matches the email. Can I add this functionality through ServiceStack's extension mechanisms without actually modifying the underlying AuthenticateService?
Unless you know exactly what UserAuth to create, I'd still modify them in OnAuthenticated() but you can source them from a custom CreateRole table which lists the Role that should be created against a users Email that way you can assign it to them when they authenticate, e.g:
public override void OnAuthenticated(IServiceBase authService,
IAuthSession session, IAuthTokens tokens, Dictionary<string, string> authInfo)
{
using (var db = authService.TryResolve<IDbConnectionFactory>().Open())
{
var q = db.From<CreateRole>().Where(x => x.Email == session.Email);
var userRoles = db.Column<string>(q.Select(x => x.Role));
var authRepo = authService.TryResolve<IAuthRepository>();
var userAuth = authRepo.GetUserAuth(session, tokens);
authRepo.AssignRoles(userAuth, roles: userRoles);
}
}

Act on Behalf of different user / XrmServiceContext.CallerID

I have created a XrmServiceContext using svcutil.exe for my CRM 2013 database, this is working great and I can retrieve data from CRM in my MVC4 application.
My website is running SSO using ADFS2 and I can retrieve the accessing users identity using:
Microsoft.IdentityModel.Claims.IClaimsIdentity ci = Thread.CurrentPrincipal.Identity as Microsoft.IdentityModel.Claims.IClaimsIdentity;
var accountNameClaim = ci.Claims.Where(x => x.ClaimType.ToLower().EndsWith("windowsaccountname")).FirstOrDefault();
this gives me something along the lines of
string accountNameClaim = "firstname.lastname#domain.com"
Using this I can retrieve the user form CRM 2013 XrmServiceContext
var user = _serviceContext.SystemUserSet
.Where( x=> x.DomainName == accountNameClaim)
.Select(s => new UserInformationProxy()
{
Id = s.Id, // this is probably needed for impersonation
FullName = s.FullName,
DomainName = s.DomainName
})
.FirstOrDefault();
Now I'm wondering how I act as / impersonate this user for all my subsequent queries to CRM using my XRMServiceContext.
This page http://msdn.microsoft.com/en-us/library/gg309629.aspx has a guide which suggests I need to set a variable called CallerID in OrganizationServiceContext which I'm guessing is contained somewhere inside my XRMServiceContext.. But I cannot find it.
The CallerId property is not on the OrganizationServiceContext but on the OrganizationServiceProxy that is used by the context:
When you are constructing the context, you are passing in an organization service intance. Prior to that, you need to set the CallerId:
organizationService.CallerId = user.Id;
var _serviceContext = new OrganizationServiceContext(organizationService);
Please note that the CallerId is only available on the OrganizationServiceProxy type, not on the interface IOrganiaztionService. I can't see how you obtain the organization service, but make sure it's an OrganizationServiceProxy.

Login as user without password (For an Admin Use-Case.)

To check if the view of a user is working or to make change out of the users view point (in development) it can be quite useful to incarnate a certain user.
How would I do this with Meteor? Best would be a solution which is independent of the Account Authentication.
To impersonate a user in production, you can call setUserId on the server, and Meteor.connection.setUserId on the client. For more details, see my blog post.
If you're using Meteor.userId() and Meteor.user() to identify your person in your javascript you could use something like this to override it at the very top of your client js
Meteor.userId = function (impersonate_id) {
return (impersonate_id) ? impersonate_id : Meteor.default_connection.userId();
}
Meteor.user = function (impersonate_id) {
var userId = Meteor.userId(impersonate_id);
if (!userId)
return null;
return Meteor.users.findOne(userId);
}
And now when you use Meteor.userId or Meteor.user modify your code so everywhere you use Meteor.user & Meteor.userId accepts an argument. So when you want to impersonate a user just pass it argument of the _id of the user you want to log in as
Meteor.user("1"); //Loads the data for user with _id 1
Meteor.user(); //Loads the actual logged in user
Also this will only work if you're actually the admin and your publish function allows you to see all your user's data