10

I'm implementing Asp.NET MVC application with Identity 2.x Authentication and Authorization model.

During LogIn process I add Custom Claims (not persisted in the DB!), deriving from data passed in the LogIn from, to the Identity and I can correctly access them later on, until the identity gets regenerated. 

    [HttpPost]
    [AllowAnonymous]
    [ValidateHeaderAntiForgeryToken]
    [ActionName("LogIn")]
    public async Task<JsonResult> Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
            return Json(GenericResponseViewModel.Failure(ModelState.GetErrors("Inavlid model", true)));


        using (var AppLayer = new ApplicationLayer(new ApplicationDbContext(), System.Web.HttpContext.Current))
        {
            GenericResponseViewModel LogInResult = AppLayer.Users.ValidateLogInCredential(ref model);
            if (!LogInResult.Status)
            {
                WebApiApplication.ApplicationLogger.ExtWarn((int)Event.ACC_LOGIN_FAILURE, string.Join(", ", LogInResult.Msg));
                return Json(LogInResult);
            }

            ApplicationUser User = (ApplicationUser)LogInResult.ObjResult;

            // In case of positive login I reset the failed login attempts count
            if (UserManager.SupportsUserLockout && UserManager.GetAccessFailedCount(User.Id) > 0)
                UserManager.ResetAccessFailedCount(User.Id);

            //// Add profile claims for LogIn
            User.Claims.Add(new ApplicationIdentityUserClaim() { ClaimType = "Culture", ClaimValue = model.Culture });
            User.Claims.Add(new ApplicationIdentityUserClaim() { ClaimType = "CompanyId", ClaimValue = model.CompanyId });


            ClaimsIdentity Identity = await User.GenerateUserIdentityAsync(UserManager, DefaultAuthenticationTypes.ApplicationCookie);

            AuthenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = true }, Identity);

            WebApiApplication.ApplicationLogger.ExtInfo((int)Event.ACC_LOGIN_SUCCESS, "LogIn success", new { UserName = User.UserName, CompanyId = model.CompanyId, Culture = model.Culture });

            return Json(GenericResponseViewModel.SuccessObj(new { ReturnUrl = returnUrl }));

        }

    }

The validation process is defined in the OnValidationIdentity which I havn't done much to customize. When the validationInterval goes by (...or better said the half way to the validationInterval) Identity gets re generatd and Custom Claims are lost.

        // Enable the application to use a cookie to store information for the signed in user
        // and to use a cookie to temporarily store information about a user logging in with a third party login provider
        app.UseCookieAuthentication(new CookieAuthenticationOptions()
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),

            Provider = new CookieAuthenticationProvider
            {
                // Enables the application to validate the security stamp when the user logs in.
                // This is a security feature which is used when you change a password or add an external login to your account.  
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                   validateInterval: TimeSpan.FromMinutes(1d),
                   regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager, DefaultAuthenticationTypes.ApplicationCookie))

            },
            /// TODO: Expire Time must be reduced in production do 2h
            ExpireTimeSpan = TimeSpan.FromDays(100d),
            SlidingExpiration = true,
            CookieName = "RMC.AspNet",
        });

I think I should some how be able to pass the current Claims to the GenerateUserIdentityAsync so that I can re add Custom Clims, but I don't know how to.

public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser, string> manager, string authenticationType)
    {
        // Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType
        var userIdentity = await manager.CreateIdentityAsync(this, authenticationType);
        // Add custom user claims here
        // ????????????????????????????

        return userIdentity;
    }

Any help is appreciated.

Thanks

l.raimondi
  • 389
  • 2
  • 14

2 Answers2

13

Problem solved (it seemms), I post my solution since I havn't found may appropriate answers and I think it might be useful to others.

The right track was found in an answer to the question Reuse Claim in regenerateIdentityCallback in Owin Identity in MVC5

I just had modify a little the code since the UserId in my case is of type string and not Guid.

Here is my code:

In Startup.Auth.cs

 app.UseCookieAuthentication(new CookieAuthenticationOptions()
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),

            Provider = new CookieAuthenticationProvider
            {
                // Enables the application to validate the security stamp when the user logs in.
                // This is a security feature which is used when you change a password or add an external login to your account.  

                //OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                //   validateInterval: TimeSpan.FromMinutes(1d),
                //   regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager, DefaultAuthenticationTypes.ApplicationCookie))

                OnValidateIdentity = context => SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser, string>(
                   validateInterval: TimeSpan.FromMinutes(1d),
                   regenerateIdentityCallback: (manager, user) => user.GenerateUserIdentityAsync(manager, context.Identity),
                   getUserIdCallback: (ci) => ci.GetUserId()).Invoke(context)

            },
            /// TODO: Expire Time must be reduced in production do 2h
            //ExpireTimeSpan = TimeSpan.FromDays(100d),
            ExpireTimeSpan = TimeSpan.FromMinutes(2d),
            SlidingExpiration = true,
            CookieName = "RMC.AspNet",
        });

NOTE: Please note that in my sample ExpireTimeSpan and validateInterval are ridiculously short since the purpose here was to cause the most frequest re validation for testing purposes.

In IdentityModels.cs goes the overload of GenerateUserIdentityAsync that takes care of re attaching all custom claims to the Identity.

    /// Generates user Identity based on Claims already defined for user.
    /// Used fro Identity re validation !!!
    /// </summary>
    /// <param name="manager"></param>
    /// <param name="CurrentIdentity"></param>
    /// <returns></returns>
    public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser, string> manager, ClaimsIdentity CurrentIdentity)
    {
        // Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType
        var userIdentity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);

        // Re validate existing Claims here
        userIdentity.AddClaims(CurrentIdentity.Claims);


        return userIdentity;
    }

It works. Not really sure if it is the best solution, but in case anyone has better approaches please feel free to improve my answer.

Thanks.

Lorenzo

ADDENDUM

After some time using it I found out that what implemented in GenerateUserIdentityAsync(...) might give problems if used in conjunction with @Html.AntiForgeryToken(). My previous implementation would keep adding already existing Claims at each revalidation. This confuses AntiForgery logic that throws error. To prevent that I've re implemnted it this way:

    /// <summary>
    /// Generates user Identity based on Claims already defined for user.
    /// Used fro Identity re validation !!!
    /// </summary>
    /// <param name="manager"></param>
    /// <param name="CurrentIdentity"></param>
    /// <returns></returns>
    public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser, string> manager, ClaimsIdentity CurrentIdentity)
    {
        // Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType
        var userIdentity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);

        // Re validate existing Claims here
        foreach (var Claim in CurrentIdentity.Claims) {
            if (!userIdentity.HasClaim(Claim.Type, Claim.Value))
                userIdentity.AddClaim(new Claim(Claim.Type, Claim.Value));
        }

        return userIdentity;
    }

}

ADDENDUM 2

I had to refine further me mechanism because my previosu ADDENDUM would lead in some peculiar cases to same problem described during re-validation. The key to the current definitive solution is to Add Claims that I can clearly identify and Add only those during re-validation, without having to try to distinguish betweeb native ones (ASP Identity) and mine. So now during LogIn I add the following custom Claims:

 User.Claims.Add(new ApplicationIdentityUserClaim() { ClaimType = "CustomClaim.CultureUI", ClaimValue = UserProfile.CultureUI });
 User.Claims.Add(new ApplicationIdentityUserClaim() { ClaimType = "CustomClaim.CompanyId", ClaimValue = model.CompanyId });

Note the Claim Type which now starts with "CustomClaim.".

Then in re-validation I do the following:

  public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser, string> manager, ClaimsIdentity CurrentIdentity)
    {
        // Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType
        var userIdentity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);

        // Re validate existing Claims here
        foreach (var Claim in CurrentIdentity.FindAll(i => i.Type.StartsWith("CustomClaim.")))
        {
            userIdentity.AddClaim(new Claim(Claim.Type, Claim.Value));

            // TODO devo testare perché va in loop la pagina Err500 per cui provoco volontariamente la duplicazioen delle Claims
            //userIdentity.AddClaims(CurrentIdentity.Claims);

        }

        return userIdentity;
    }

userIdentity does not contain the Custom Claims, while CurrentIdentity does contain both, but the only one I have to "re attach" to the current Identity are my custom one.

So far it is working fine, so I'll mark this as teh answer.

Hope it helps !

Lorenzo

Community
  • 1
  • 1
l.raimondi
  • 389
  • 2
  • 14
  • With asp.net core 5, the UseCookieAuthentication method has been changed. How can we solve this problem with asp.net core 5? – Baran Aug 24 '21 at 13:26
  • @Baran Check out this answer for .NET 6: https://stackoverflow.com/a/76790172/8644294 – Ash K Jul 28 '23 at 18:28
0

Ohh lord i got tired of trying to get this to work, i just modified the SecurityStampValidator to take a context that i could pull the Identity out of to update accordingly in my User class. as far as i can tell there is no way to directly extend it. Updating claims from manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie); had no affect using GenerateUserIdentityAsync

var validator = MySecurityStampValidator
    .OnValidateIdentity<ApplicationUserManager, ApplicationUser, Guid>(
        validateInterval: TimeSpan.FromSeconds(2),
        regenerateIdentityCallback: (manager, user, claims) => user.UpdateUserIdentityAsync(claims),
        getUserIdCallback: (id) => id.GetUserGuid());

var cookieAuthenticationOptions = new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    Provider = new CookieAuthenticationProvider
    {
        // Not called on signin
        OnValidateIdentity = validator
    }
};

And then copied the owin class but added the context to it that would be passed into my regenerateIdentityCallback

static class MySecurityStampValidator
{
    public static Func<CookieValidateIdentityContext, Task> OnValidateIdentity<TManager, TUser, TKey>(
        TimeSpan validateInterval,
        Func<TManager, TUser, ***ClaimsIdentity***, Task<ClaimsIdentity>> regenerateIdentityCallback,
        Func<ClaimsIdentity, TKey> getUserIdCallback)
        where TManager : UserManager<TUser, TKey>
        where TUser : class, IUser<TKey>
        where TKey : IEquatable<TKey>
    {

......

And then in my user i just

public override async Task<ClaimsIdentity> UpdateUserIdentityAsync(ClaimsIdentity userIdentity)
{
    userIdentity.RemoveClaim(CustomClaimTypes.CLAIM1);
    userIdentity.RemoveClaim(CustomClaimTypes.CLAIM2);
    
    if (Access1Service.GetService().UserHasAccess(Id))
    {
        userIdentity.AddClaim(new Claim(CustomClaimTypes.CLAIM1, "1"));
    }

    if (Access2Service.GetService().UserHasAccess(Id))
    {
        userIdentity.AddClaim(new Claim(CustomClaimTypes.CLAIM2, "1"));
    }

    return userIdentity;
}
Ricardo Saracino
  • 1,345
  • 2
  • 16
  • 37