We're using reference tokens and need to have claims and other info available on every request. For example, I need to be able to use Authorize or ResourceAuthorize to make sure a user has a role to protect access to certain controllers. How can I actually make it so the claims are available?
1 Answer
1
If you are using the IdentityServer3.AccessTokenValidation middleware, then the reference token will automatically be de-referenced against IdentityServer and the claims will be made available in the User of your Web API controller code (or from the User on the AuthenticationManager in the OwinContext).
The claims will be the user claims produced at the time the reference token was created, and they are not updated from the user service each time you de-reference the token.

Brock Allen
- Does this happen automatically for every request so that the most up-to-date claims on the IDS server are always used or do you have to do anything extra to make sure the latest claims are in effect for each request? – Pugz May 24 '16 at 19:20
- The de-referencing happens automatically, but the claims are the values at the time the client makes the initial request. Updating the claims every time the token is used is not currently implemented. – Brock Allen May 25 '16 at 00:12
- So how would one go about updating the claims for every request? – Pugz May 25 '16 at 00:32
- Do you really want that? How often do the claims change? If the claims you need change that frequently, then don't put them into the token and instead make a DB call from your app. Then the only claim you need in the token is the user's unique id. – Brock Allen May 25 '16 at 12:27
- Do you mean to have some sort of claims mechanism outside of IDS implemented at the application level that just depends on the user ID? – Pugz May 25 '16 at 14:41
- Something like that. Or even easier -- you can use the reference token at the user info endpoint.... I'd have to double check but that might work. – Brock Allen May 25 '16 at 20:07
- The system I have implemented currently is similar to that; it will hit that endpoint every time the page is refreshed or the user goes to a different page on that application. Do you see a problem with this implementation? – Pugz May 26 '16 at 16:00
- Other than perf? Like I said, if the value changes so frequently and you need the latest, then you gotta do what you gotta do. – Brock Allen May 26 '16 at 16:37
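An added example, not code from the question, the answer or the IdentityServer project: an OWIN `Startup` that wires up the IdentityServer3.AccessTokenValidation middleware for reference tokens, plus a Web API controller that relies on the resulting claims. The authority URL, the `api1` scope, the `admin` role value and the controller name are assumptions, and it assumes the `role` claim is included in the access token for that scope.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Web.Http;
using IdentityServer3.AccessTokenValidation;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = "https://idsrv.example.test/core",   // assumed IdentityServer base URL
            RequiredScopes = new[] { "api1" },                // assumed scope name

            // Reference tokens are opaque handles, so validation is a call back to IdentityServer.
            ValidationMode = ValidationMode.ValidationEndpoint,

            // Claim type that [Authorize(Roles = ...)] and IsInRole() match against.
            RoleClaimType = "role",

            // Trade-off: caching saves a round trip per request, but a revoked token
            // keeps being accepted until its cached validation result expires.
            EnableValidationResultCache = true,
            ValidationResultCacheDuration = TimeSpan.FromMinutes(1)
        });

        var config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();
        app.UseWebApi(config);
    }
}

[Authorize(Roles = "admin")]   // assumed role value; rejected unless a matching "role" claim is present
public class ReportsController : ApiController
{
    [Route("reports/claims")]
    public IHttpActionResult Get()
    {
        // Claims as issued when the reference token was created; they are not refreshed per request.
        var principal = (ClaimsPrincipal)User;
        return Ok(principal.Claims.Select(c => new { c.Type, c.Value }));
    }
}
```

If an authorization decision depends on data that changes often, keep only the user's unique id in the token and look up the current value in the application, as suggested in the comments.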