During moving one system from classic ASP.NET MVC to ASP.NET Core I faced an interesting challenge. Although access to system is based on Active Directory there is separate role management based on classic membership and roles providers. There are reasons why AD is not used for role management and I cannot change it. ASP.NET Core uses claims-based authentication and I needed to find a way to add role claims to authenticated Identity. Here’s the solution.
How things does not work
Adding claims to Existing Identity seems like small task to accomplish. But, well, it doesn’t go so easy. We can build middleware class and try something like shown here.
foreach(var role in user.Roles)
{
var claim = new Claim(newIdentity.RoleClaimType, role.Name);
identity.AddClaim(claim);
}
But it doesn’t work with existing identity. No errors, code runs smooth but role claims are just ignored.
Using claims transformation
There’s correct way to edit existing identity and it’s called Claims Transformation. Basically we have to write a custom class that implements IClaimsTransformation interface. Documentation doesn’t give much information about it but most important thing is said – we need to clone given identity.
In short, here’s how the process goes:
- Clone current user identity
- Add custom claims
- Return cloned identity
Here’s my claims transformation that adds roles to user identity. Notice that I can use dependency injection to inject instances of service classes to my claims transformation. Remember important trick – we need a clone of current identity to make things work.
public class AddRolesClaimsTransformation : IClaimsTransformation
{
private readonly IUserService _userService;
public AddRolesClaimsTransformation(IUserService userService)
{
_userService = userService;
}
public async TaskClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
{
// Clone current identity
var clone = principal.Clone();
var newIdentity = (ClaimsIdentity)clone.Identity;
// Support AD and local accounts
var nameId = principal.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier ||
c.Type == ClaimTypes.Name);
if (nameId == null)
{
return principal;
}
// Get user from database
var user = await _userService.GetByUserName(nameId.Value);
if (user == null)
{
return principal;
}
// Add role claims to cloned identity
foreach(var role in user.Roles)
{
var claim = new Claim(newIdentity.RoleClaimType, role.Name);
newIdentity.AddClaim(claim);
}
return clone;
}
}
The final thing to do is to register claims transformation with dependency injection in ConfigureServices() method of Startup class.
services.AddScopedIClaimsTransformation, AddRolesClaimsTransformation>();
Considering you have authentication already configured and it works, the registered transform will get to authentication flow.
Wrapping up
Although adding few claims to existing identity seems like piece of cake, it is not so easy. We cannot just add claims to existing identity and hack it. Claims transformation as custom implementation of IClaimsTransformation interface is the tool we need to use to add claims to existing identity. As we saw we don’t modify existing identity but we clone it, add claims and then return the cloned instance.
The post Adding claims to existing identity appeared first on Gunnar Peipman - Programming Blog.