
I have VS2013 MVC5 project with Individual User Accounts. I modified Startup {Configuration(IAppBuilder app)} so that UseOpenIdConnectAuthentication is the only allowed authentication.

Users can register in the AspNetIdentity DB using the out of the box MVC project template plumbing. After registration, Users login with OIDC.

The OpenID Connect STS (IdentityServer3 with AspNetIdentity) returns a security token with claims and roles. These claims are available from the authenticated ClaimsPrincipal in the Request.GetOwinContext().Authentication.User.

However these claims are missing from the Controller.User (Current HTTP Request context).

Is it a good thing to make the two ClaimsPrincipal match?

QUESTION: If so how and where do I do that? I'm not an expert and wonder what about OpenIdConnectAuthenticationNotifications.SecurityTokenValidated or Application_PostAuthenticateRequest?

I realize this is a side-effect of mixing MVC5 System.Web with OWIN middleware for OpenIdConnect, rather than the default MVC5 project authentication middleware.

subsci
  • I'm glad to see you've got OIDC working with IdentityServer3 and AspNetIdentity. I'm struggling to get mine working with an error that the client is unknown or unauthorized. I posted my question here: http://stackoverflow.com/questions/29607527 Any chance you can look and advise? – Shawn de Wet Apr 13 '15 at 14:14

1 Answer


If you are working with ASP.NET 4.6 and Katana 3.x you should be able to access the claims you want from ClaimsPrincipal.Current.

See the comment below

vibronet
  • thank you; yes I know ClaimsPrincipal.Current. My question really wants to ask where in the pipeline should that be done? I proposed inserting code into one of two methods (named above) or somewhere else; where should I put it? – subsci Mar 02 '15 at 20:54
  • I am not sure I am following. If ClaimsPrincipal.Current contains the claims you need, and ClaimsPrincipal.Current is available in the code scope in which you want to consume those values, why do you want to copy them elsewhere as well? – vibronet Mar 02 '15 at 21:54
  • As I have a MVC app, for convenience, it is useful if the Controller.User has information from the claims initialized by the Open ID Connect. E.g. the VS MVC template code uses the Controller.User. It's just that simple. – subsci Mar 04 '15 at 17:11
  • The thing I am not following is - if the claims are already available in ClaimsPrincipal.Current, when you need to access those values you can simply go through it. If you want to go through Controller.User, you still need to write values accessor code (this time against Controller.User) AND you have to write code for making the deep copy of all the claims from the ClaimsPrincipal to Controller.User. And - the deep copy code has to be executed at every request. If you really want to do it: placing it in SecurityTokenValidated is more flexible. – vibronet Mar 04 '15 at 17:24
  • thank you for the insightful comment. I marked your answer as accepted and added a line in your answer referring to your previous comment. – subsci Mar 04 '15 at 18:47
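As an added example (not code from the question or the answer), this is the SecurityTokenValidated hook the comments point to, wired into Startup for Katana 3.x: the claims are shaped once, at sign-in, and the resulting ticket is what later requests build their principal from, so nothing has to be copied per request. The authority, client id and redirect URI are placeholders, and the cookie middleware is an assumption here as the sign-in target that persists the ticket.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(ExampleApp.Startup))]

namespace ExampleApp
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Assumed: cookie middleware persists the identity built from the OIDC token,
            // so later requests (and Controller.User) see the same claims without re-copying.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                Authority = "https://sts.example.test/identity", // placeholder IdentityServer3 URL
                ClientId = "mvc-client",                         // placeholder client id
                RedirectUri = "https://localhost:44300/",        // placeholder registered redirect URI
                ResponseType = "id_token",
                Scope = "openid profile roles",
                SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    // Runs once per sign-in, after signature, issuer, audience and lifetime checks passed.
                    SecurityTokenValidated = n =>
                    {
                        ClaimsIdentity identity = n.AuthenticationTicket.Identity;

                        // Map the STS "role" claims onto ClaimTypes.Role so [Authorize(Roles = ...)]
                        // and User.IsInRole() work; record the issuer so the source stays auditable.
                        // ToList() snapshots the matches before the claim list is modified.
                        foreach (string role in identity.FindAll("role").Select(c => c.Value).ToList())
                        {
                            identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, n.Options.Authority));
                        }
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}
```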