Skip to main content

ASP.NET Core 2.1 Windows Authentication with DB Roles for Authorization Part 2

-
If you haven't read Part 1 of this post, here is a link: Part 1
I was really stuck on this issue, and I posted the previous section on my blog as well as a post on stack overflow, but in the end, I came up with a working solution. When using windows authentication, the ClaimIdentity had a RoleClaimType of groupsid which meant it could take a SID or String that was associated with an AD group and convert it back and forth, but since I was injecting roles from the database, there was no SID associated with them, and I needed the RoleClaimType to be role instead of groupsid. 
The ClaimIdentity had a RoleClaimType of "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
and it needed to be a RoleClaimType of "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
Since this is a read-only property, I changed the TransformAsync method to create a new ClaimsPrincipal instead of trying to add database roles to the existing claims. My application doesn't require any of the AD groups, so it only uses windows for Authentication. The code below seems to work.
public class MyClaimsTransformer : IClaimsTransformation
    {
        private readonly IUnitOfWorkSecurity _unitOfWork;

        public MyClaimsTransformer(IUnitOfWorkSecurity unitOfWork)
        {
            _unitOfWork = unitOfWork;
        }

        // Each time HttpContext.AuthenticateAsync() or HttpContext.SignInAsync(...) is called the claims transformer is invoked. So this might be invoked multiple times. 
        public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
        {
            var identity = principal.Identities.FirstOrDefault(x => x.IsAuthenticated);
            if (identity == null) return principal;

            var user = identity.Name;
            if (user == null) return principal;

            //Get user with roles from repository.
            var dbUser = _unitOfWork.UserInformations.GetUserWithRoles(user);

            var claims = new List<Claim>();

            //The claim identity uses a claim with the claim type below to determine the name property.
            claims.Add(new Claim(@"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", user, "Name"));

            //todo: We should probably create a cache for this
            // Get User Roles from database and add to list of claims.
            foreach (var role in dbUser.UserInformationUserRoles.Select((r=>r.UserRole)))
            {
                claims.Add(new Claim(ClaimTypes.Role, role.Name));
            }

            var newClaimsIdentity = new ClaimsIdentity(claims,"Kerberos","", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role");
            
            var newClaimsPrincipal = new ClaimsPrincipal(newClaimsIdentity);

            return new ClaimsPrincipal(newClaimsPrincipal);
        }  
    }
I have tested this in both my views and controllers and it works. I will probably want to add a user cache of some sort because this code makes a database call with every authentication request. Other than that, it seems like a pretty clean solution. If any of my readers have a better suggestion, please let me know in the comments.

EDIT:
I have created a solution and posted it on my github. https://github.com/jkarnopp/AspNetCoreWindowsAuthExample

Comments

  1. UnknownAugust 16, 2018 at 6:41 AM

    Hi Jim, any chance you could share the Visual Studio Soulution with us?

    ReplyDelete
    Replies
    1. Jim KarnoppAugust 30, 2018 at 12:20 PM

      Hello, sorry I didn't see your comment until just now. I will have to create a new solution with this in their, but I can do that, and I will post it soon.

      Delete
    2. UnknownSeptember 11, 2018 at 6:28 PM

      Thank you very much Jim :)

      Delete
  2. MattMoranSeptember 10, 2018 at 12:21 AM

    Hi Jim, many, many thanks for this post :)

    I've been looking but cannot seem to track down the IUnitOfWorkSecurity. Where does it live?

    cheers

    Matt

    ReplyDelete
  3. MayOctober 30, 2018 at 12:44 PM

    Hi Jim! Thank you so much for posting this! Did you get a chance to post the solution files? TIA! :)

    ReplyDelete
    Replies
    1. Jim KarnoppOctober 30, 2018 at 5:15 PM

      Hello May, thanks for reminding me. I meant to do that a while ago and forgot. Here is a link to my github with the solution: https://github.com/jkarnopp/AspNetCoreWindowsAuthExample

      Delete
    2. MayOctober 31, 2018 at 7:52 AM

      Thank you! You've made my day! :)

      Delete
  4. UnknownOctober 31, 2018 at 1:22 PM

    Thank you Jim ! :)

    ReplyDelete

Post a Comment

Popular posts from this blog

Asp.Net Core with Extended Identity and Jwt Auth Walkthrough

-
Image
  Quite often I think of an idea for an app where I would have a website and a mobile app that share the same functionality. Every time I start to prototype something like this I get stuck on authentication. When you build a web application in Asp.Net Core, it is really easy to set up the built-in Identity platform to allow users to login, but if you want to allow a mobile app to access APIs on the same site, that takes a lot more work. Of course, you can use a cloud-based authentication system like AzureAd or Firebase authentication, but if you arent housing any sensitive data, that's a lot of extra plumbing that takes away from building your application.  This walkthrough will show you how to create an Asp.Net core site with Asp.Net Core Identity for authentication and authorization. We will be extending the identity to include additional user information and roles. We will also add jwt authentication and authorization, so SPA's and mobile apps can use the API's and share...
Read more

File Backups to Dropbox with PowerShell

-
Image
I have had a number of instances where I had a virtual server somewhere, and I wanted to have a backup strategy, but the paid plans were overkill for what I needed. I have all my source code in Github, so everything can be rebuilt. I just need to be able to archive database backups and uploaded files. I decided to use a Dropbox account and set up a scheduled task that calls a PowerShell script that accesses the Dropbox web API. Setting up Dropbox You will need to have a Dropbox subscription set up and then you can go to the developer's section at the following link: {% embed url=" https://www.dropbox.com/developers " %} On the main page, select create apps. On the following page, you will have the option to select the scope of the app. Here you can decide to only access a single folder or give access to all of the Dropbox functions. Either option will work, in my example, I used the full access scope, so I would have the option of putting different file types in different...
Read more

Dynamic Expression Builder with EF Core

-
I was recently working on an ASP.NET Core MVC project where the end user wanted to have a search form with several fields with drop down boxes and a couple of free-form text fields. One of the requirements was to be able to put "*" at the front or the end of a search term in the text boxes to indicate a wildcard search. That was the way a previous application worked and they wanted to maintain the same functionality. Since I was working with Entity Framework Core using a generic repository pattern, I wanted to be able to dynamically build the filter expression that I passed to the repository. I created a static Expression builder class with static methods for creating each type of expression needed. public static class ExpressionBuilder { public static Expression GetStringExpression ( string dataModelProperty , string dtoProperty , Expression combinedExpression , ParameterExpression parameterExpression ) { if ( dtoProperty...
Read more