This repository has been archived by the owner. It is now read-only.

Add sample to show how to flow external claims and tokens to the local identity #6

Closed
Eilon opened this issue Nov 16, 2017 · 16 comments

Comments

@Eilon
Member

commented Nov 16, 2017

@blowdart

Member

commented Dec 14, 2017

Dupe of #6

@blowdart blowdart closed this Dec 14, 2017

@HaoK HaoK reopened this Dec 14, 2017

@HaoK

Member

commented Dec 14, 2017

You closed the wrong bug @blowdart

@blowdart

Member

commented Dec 14, 2017

rofl Ok I suck

@Tratcher

Member

commented Dec 28, 2017

Also show using ClaimActions to map remote user data as claims.

@HaoK

Member

commented Jan 2, 2018

@HaoK HaoK closed this Jan 2, 2018

@HaoK HaoK added 3 - Done task labels Jan 2, 2018

@gabosistvanpwc


commented Jan 8, 2018

I don't think the external claims are copied over to the local identity just the authentication tokens are.

The code below is addressing only the tokens:

```csharp
if (result.Succeeded)
{
    // Store the access token and resign in so the token is included in the cookie
    var user = await _userManager.FindByLoginAsync(info.LoginProvider, info.ProviderKey);
    var props = new AuthenticationProperties();
    props.StoreTokens(info.AuthenticationTokens);
    await _signInManager.SignInAsync(user, props, info.LoginProvider);

    _logger.LogInformation("{Name} logged in with {LoginProvider} provider.", info.Principal.Identity.Name, info.LoginProvider);

    return LocalRedirect(Url.GetLocalUrl(returnUrl));
}
```

Please correct me if I'm missing something and point me to the code which facilitates the flow of the claims.

Thank you!

@HaoK


@gabosistvanpwc


commented Jan 8, 2018

I don't think this is the expected behavior. The code

```csharp
await _userManager.AddClaimAsync(user, info.Principal.FindFirst(ClaimTypes.Gender));
```

is permanently storing the claim in the DB, and the claim will be loaded every time the user logs in regardless of the authentication type. So even if the user logs in directly to the system, for ex. not through WsFederation, it will have the claims added previously by the federated login.

Also in the case of multiple authentication sources the claims might have the same name and different values in which case there will be multiple claims stored in the database with different values and the system can not match them up with the current authentication process.

I think the desired behavior would be to write the external claims just to the identity cookie to facilitate the multiple login scenarios.

Please let me know if I'm wrong here.

Thank you!

@Tratcher

Member

commented Jan 8, 2018

This is the registration phase where you learn information about the user. It's convenient to pull that from their remote profile rather than asking them to fill it in.

And yes, if there are multiple auth sources you'll have to rationalize the information provided by the various sources.

@gabosistvanpwc


commented Jan 9, 2018

Is there any way to flow the external claims to the local identity when logging in? I was thinking this was the main goal of this issue, at least that is what I've tried to point out in the issue that I have posted ( aspnet/Identity#1529 ) and was marked as a duplicate for this current one.

@Tratcher

Member

commented Jan 9, 2018

So it's a temporary claim like a role? Something you expect to change between sessions?

@HaoK

Member

commented Jan 9, 2018

Identity expects to fully control the principal generation. You can probably get this to work by having a custom IUserClaimsPrincipalFactory that has logic that looks for the external cookie and, if it finds it, copies over claims into the local identity when generating the identity for the cookie.

Basically the implementation of GenerateClaimsAsync(TUser) would need to call HttpContext.AuthenticateAsync(IdentityConstants.ExternalScheme) and then add whatever claims you want to the list returned.

@gabosistvanpwc


commented Jan 9, 2018

One of my use cases is described in more detail at the aspnet/Security#1574 link.

```csharp
1 var info = await _signInManager.GetExternalLoginInfoAsync();
2
3 if (info == null)
4 {
5     return RedirectToAction(nameof(Login));
6 }
7
8 // Sign in the user with this external login provider if the user already has a login.
9 var result = await _signInManager.ExternalLoginSignInAsync(info.LoginProvider, info.ProviderKey, isPersistent: false, bypassTwoFactor: true);
```

Basically what I need is to add custom claims to the identity-generated cookie/principal, for ex. to have an overload for the ExternalLoginSignInAsync method which allows injecting the claims from the "info" variable into the identity cookie generated in line 9.

I don't think I can look for the external cookie, since I cannot have access to cookies issued for other websites, and the "internal cookie" which is used by line 1 to read in the external claims is removed after line 9 is executed. So calling _signInManager.GetExternalLoginInfoAsync after line 9 will return null.

@gabosistvanpwc


commented Jan 9, 2018

> Tratcher: So it's a temporary claim like a role? Something you expect to change between sessions?

Yes

@HaoK

Member

commented Jan 9, 2018

You should have access to the external cookie if you are using Identity's get external login info method. That means you have an IdentityConstants.ExternalScheme scheme, which will give you the corresponding ClaimsPrincipal for the external provider when you call HttpContext.Authenticate(IdentityConstants.ExternalScheme).

@HaoK

Member

commented Jan 9, 2018

So plug in your own IUserClaimsPrincipalFactory which is called during ExternalLoginSignInAsync, and have it look at the external cookie to add the claims.
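The approach HaoK describes above (a custom IUserClaimsPrincipalFactory whose GenerateClaimsAsync authenticates IdentityConstants.ExternalScheme and copies claims into the local identity), written out as an added example that is not code from this thread or from the Identity project. It assumes ASP.NET Core Identity 2.1 or later, the stock IdentityUser type, and, as HaoK states, that the external cookie is still readable from the current request while ExternalLoginSignInAsync builds the principal; only an allowlist of claim types is copied so a provider cannot push roles or identifiers into the application cookie.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;

// Replaces Identity's default factory. Assumes the external cookie is still readable
// from the current request while ExternalLoginSignInAsync builds the principal.
public class ExternalClaimsPrincipalFactory : UserClaimsPrincipalFactory<IdentityUser>
{
    // Allowlist: the provider must not be able to push roles, name identifiers or
    // anything else Identity itself is responsible for into the local identity.
    private static readonly HashSet<string> FlowedClaimTypes = new HashSet<string>
    {
        ClaimTypes.Gender, ClaimTypes.GivenName, ClaimTypes.Surname,
    };
    private readonly IHttpContextAccessor _httpContextAccessor;

    public ExternalClaimsPrincipalFactory(UserManager<IdentityUser> userManager,
        IOptions<IdentityOptions> optionsAccessor, IHttpContextAccessor httpContextAccessor)
        : base(userManager, optionsAccessor)
    {
        _httpContextAccessor = httpContextAccessor;
    }

    protected override async Task<ClaimsIdentity> GenerateClaimsAsync(IdentityUser user)
    {
        // Identity's own claims first: user id, user name, security stamp, stored claims.
        var identity = await base.GenerateClaimsAsync(user);

        var httpContext = _httpContextAccessor.HttpContext;
        if (httpContext == null) return identity;          // not inside a request

        var external = await httpContext.AuthenticateAsync(IdentityConstants.ExternalScheme);
        if (!external.Succeeded) return identity;           // direct local login: nothing to copy

        foreach (var claim in external.Principal.Claims.Where(c => FlowedClaimTypes.Contains(c.Type)))
        {
            // Keep the issuer so the app can tell a provider-sourced claim from a stored one.
            identity.AddClaim(new Claim(claim.Type, claim.Value, claim.ValueType, claim.Issuer));
        }
        return identity;
    }
}

// Register in Startup.ConfigureServices after AddIdentity: services.AddHttpContextAccessor();
// services.AddScoped<IUserClaimsPrincipalFactory<IdentityUser>, ExternalClaimsPrincipalFactory>();
```

Because the copied claims live only in the application cookie, they are rebuilt on each sign-in and never reach the user store, which is the behaviour gabosistvanpwc asked for in the multiple-login case.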
