0

I am building an ASP.NET MVC app with ASP.NET Identity and claims-based authorization, and I am wondering what should happen when a claim expires.

E.g., in my claims I stored a person's claim as claimtype = "Capability", claimvalue = "driver".

If this person's driver license is expired or withdrawn, then the person should not have a claim of "driver".

In my system, normally nothing is deleted. So I would like to mark this claim as InActive (Boolean). However, the table ASP.NET Identity provisioned doesn't have this column. So what should I do in this case?

Thanks.

anIBMer
  • Unable to understand exactly how you are consuming the "claim". Can you share some code, please? – deostroll Mar 24 '14 at 08:39
  • Sorry, but I am in the investigation and design phase for this functionality. I am just wondering, in the ASPNETClaims table, whether I should delete the claims once they have expired, or whether I can deactivate them. – anIBMer Mar 24 '14 at 10:59

1 Answer

2

The claims issued in the cookie are a snapshot of the claims at login time. If they change then you'd need to detect this on every request into the app and issue a new cookie. There's an event on the cookie authentication middleware provider called OnValidateIdentity where you can do this.

Brock Allen
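A sketch of the OnValidateIdentity approach from the answer above, added here as an example and not code from the question or the answer. `ICapabilityStore`, `Rebuild`, `UseCapabilityCookie` and the `/Account/Login` path are hypothetical names; the store is assumed to return only the capabilities that are currently active (for example, rows whose InActive flag is false).

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Hypothetical lookup of the capabilities that are active right now.
public interface ICapabilityStore
{
    Task<ISet<string>> GetActiveAsync(string userId);
}

public static class CapabilityRefresh
{
    public const string CapabilityType = "Capability";

    // Returns null when the cookie snapshot still matches the store,
    // otherwise a new identity carrying only the active capabilities.
    public static ClaimsIdentity Rebuild(ClaimsIdentity current, ISet<string> active)
    {
        var held = new HashSet<string>(current.FindAll(CapabilityType).Select(c => c.Value));
        if (held.SetEquals(active)) return null;
        var kept = current.Claims.Where(c => c.Type != CapabilityType)
            .Concat(active.Select(v => new Claim(CapabilityType, v)));
        return new ClaimsIdentity(kept, current.AuthenticationType,
            current.NameClaimType, current.RoleClaimType);
    }

    public static void UseCapabilityCookie(this IAppBuilder app, ICapabilityStore store)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"), // hypothetical path
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = async context =>
                {
                    var userId = context.Identity.GetUserId();
                    var fresh = Rebuild(context.Identity, await store.GetActiveAsync(userId));
                    if (fresh == null) return;        // snapshot is still current
                    context.ReplaceIdentity(fresh);   // applies to this request
                    // Reissue the cookie so later requests carry the new snapshot.
                    context.OwinContext.Authentication.SignIn(context.Properties, fresh);
                }
            }
        });
    }
}
```

This version queries the store on every authenticated request; `SecurityStampValidator.OnValidateIdentity` in Microsoft.AspNet.Identity.Owin takes a `validateInterval` for the same kind of check when per-request lookups are too costly.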