In Asp.Net Identity there is class called IdentityUserclaim. When should I assign one to user? What are the advantages of assigning IdentityUserClaim to a user?
Its just an easy way for you to store arbitrary claims in the user db that will automatically get added to the User.Identity ClaimsPrincipal that is generated for the user when they sign in.
Related
I'm using external logins for my asp.net core mvc website, and when the login completes I want to store the social info they used to login (such as username, profile image, etc.) as claims in the user's identity...
So I run code like this in my account controller after a successful login:
var authClaim = user.Claims.FirstOrDefault(c => c.ClaimType == authToken.Name);
if (authClaim == null)
externalClaims.Add(new Claim(authToken.Name, authToken.Value));
else
authClaim.ClaimValue = authToken.Value;
if (externalClaims.Any())
await _userManager.AddClaimsAsync(user, externalClaims);
await _userManager.UpdateAsync(user);
however when I attempt to do this, the claims table is duplicating the claims rather than updating them as I expected, so every time the user logs in I get another collection of records in the table for that user that are identical to the last.
do I have to delete them and re-add them instead on every login? if not, how do I update existing claims without duplicating them?
I'm doing it on every login in case the user has changed their profile or other info (and to make sure I have the most up to date token).
I'm also curious why I add the claims to the main Identity of the user. The User has a property called ExternalClaims, but it is empty and there doesn't appear to be any way to update it. It seems to me this is a better place to put these third-party Claims, but I can't for the life of me find any way to modify it...
either way, I'm sure I'd have the same problem if I use this code, so is the proper course to delete the claim on login and always add it new, or should I be doing something differently?
I am working on adding a user manager module to an application. It has a database and this database has a table of users and a table of user claims so that each user can have mulotiple claims. However, when I use usermanager to get Users.ToList() each user has its claims collection set to 0 entries even if the user in question does have claims listed in the user claims table.
It appears obvious to me that for some reason just doing usermanager.Users.Tolist() does not cause the code to consult the user claims table to check what claims each user has.
So the question is where and how to insert code that does exactly that.
Some potential issues with the existing code:
1. They have made a subclass of the IdentityUser so the UserManager is defined to be a usermanager of that subclass. But there is no explicit subclass of the usermanager. I am contemplating creating a subclass of UserManager for that purpose and if so I could override the Users property so that reading the Users list caused it to populate each user entry with the claims for that user. Does that sound like a clean way of doing it?
In some other stack overflow question I saw a reference to a Startup.Auth.cs file. We have a Startup.cs file but no Startup.Auth.cs file, should we make one?
Thank you in advance for any input.
If you used the ASP.Net identity template when you created your project, you must have a Startup.Auth.cs, it could be hidden as a sub-file of Startup.cs, or in the App_Start folder etc.
If trying to bypass the UserManager, when you request your user from EF, make sure you .Include(...) the claims property. For example:
dbcontext.Users.Include(u => u.Claims).FirstOrDefault(...);
Better yet, you should be using UserManager:
var userManager = HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();
var claims = userManager.GetClaims(userId);
I have a custom set of roles that is supposed to be used in a multi-tenant app.
AbpRoles table has a column titled "TenantId" (nullable).
Problem is that if I leave this field with a null value, a user per certain tenant cannot be recognized as being related to a certain role. But if an AbpRole record has tenant id value - all works pretty well.
The bottomline is:
my code has to be creating the same set of roles for each tenant, so I'm just wondering if it's possible to have common set of roles for all tenants.
If the TenantId value is null for AbpRole record and I wrap the code that checks if user belongs to a role
User.IsInRole("Employee")
into this block
using (_unitOfWorkManager.Current.DisableFilter(AbpDataFilters.MayHaveTenant))
the problem is still not solved.
Sorry for late answer. For the guys looking an answer for this question;
Roles should be created per tenant. If you are using single tenant then you have use the Default tenant's id. As a result you can not share a role. If you insist on sharing roles btw tenants you have to disable MayHaveTenant everytime you make operation on role.
I am making a WebAPI service. I just used the ASP.NET WebAPI template with authentication. I was wondering how can we restrict DB entity access for those users who are already logged in. With [Authorize] we can restrict unauthorized users, which I have done. After login, they can access anything right now. Eg: I have a table Bill. With BillId, users who are authorized can access any entry in Bill table. How to restrict this? Currently Bill table has no relation with UserIdentity tables!!.
After thinking about the scenario, I have a solution [Not sure the best]. In all my controllers I can get the Userid [Authenticated user's id]. When a user adds data to any entity, I will add userid as a column to that entity and store userid. When any user looks for a resource, he will get only those resources which are of his Userid. I am not giving any relation to any user table but just adding the userid to all entities as a new column.
I am using asp.net MVC 5 identity 2.0
The administrator is able to change user’s role but used must re-log to see the changes. First thought was to re-log user manually but I failed. After that I thought of dynamically changing user’s role or something else. Could you provide me the right way?
I set user’s role using UserManager.AddToRolesAsync
I have tried a lot of things like:
var memberUser = Membership.GetUser(user.UserName.ToString());
if (memberUser.IsOnline)
{
FormsAuthentication.SignOut();
}
or also try to clean up my cookies.
I dunno how I can sign out another user.
Also I have read articles like these
http://w3facility.org/question/mvc-5-addtorole-requires-logout-before-it-works/
How do I forcefully propagate role changes to users with ASP.NET Identity 2.0.1?
How to force logout user when his/her username is changed by another user?
ASP.net Identity 2.0 Sign-out another user
Have a look at the answer provided by Hao Kung on this post he describes exactly how to solve this using the SecurityStamp .
https://stackoverflow.com/a/19505060/1454538
So the primary purpose of the SecurityStamp is to enable sign out
everywhere. The basic idea is that whenever something security related
is changed on the user, like a password, it is a good idea to
automatically invalidate any existing sign in cookies, so if your
password/account was previously compromised, the attacker no longer
has access.
In 2.0.0 we added the following configuration to hook the
OnValidateIdentity method in the CookieMiddleware to look at the
SecurityStamp and reject cookies when it has changed. It also
automatically refreshes the user's claims from the database every
refreshInterval if the stamp is unchanged (which takes care of things
like changing roles etc)
This should get you going.