如何在API请求中提供自定义用户声明

Question

I have a solution consisting of:

• ASP.NET Core 2.1 running IdentityServer4 on top of ASP.NET Identity Core.
• ASP.NET Core 2.1 Web API set to use the IdentityServer as the authentication provider.
• A React SPA web application using oidc-client javascript library.

When I create new users I set some custom claims that are saved in the AspNetUserClaims table which looks like this:

Then, on my API project, inside a controller I want to get those user claims of the authenticated user.
I was expecting this.User.Claims to get me those, but instead that's returning the following, which seem to be claims related to the client app, not the user.

How can I access those custom user claims ( address, location, tenant_role ) from a controller inside the Web API project?
Bare in mind that the API project doesn't have access to the UserManager class or anything ASP.NET Identity Core related.

Answer 1

So, I order for my custom user claim to be available in every API request I had to do the following when setting up the ApiResource on the IdentityServer startup.

//Config.cs
public static IEnumerable<ApiResource> GetApiResources()
{
    ApiResource apiResource = new ApiResource("api1", "DG Analytics Portal API")
    {
        UserClaims =
        {
            JwtClaimTypes.Name,
            JwtClaimTypes.Email,
            AnalyticsConstants.TenantRoleClaim // my custom claim key/name
        }
    };

    return new List<ApiResource>
    {
        apiResource
    };
}

This method is passed to the services.AddInMemoryApiResources (or whatever storage method you're using)

IIdentityServerBuilder builder = services
                .AddIdentityServer(options =>
                {
                    options.Events.RaiseErrorEvents = true;
                    options.Events.RaiseInformationEvents = true;
                    options.Events.RaiseFailureEvents = true;
                    options.Events.RaiseSuccessEvents = true;
                })
                .AddInMemoryIdentityResources(Config.GetIdentityResources())
                .AddInMemoryApiResources(Config.GetApiResources()) // here
                .AddInMemoryClients(Config.GetClients())
                .AddAspNetIdentity<ApplicationUser>();

With that setup, whenever an API endpoint is hit, my custom TenantRole claim is present so I can simply do User.FindFirst(AnalyticsConstants.TenantRoleClaim) to get it.

Answer 2

You'll need to define identity resources and scopes a la:

http://docs.identityserver.io/en/latest/topics/resources.html

And then ensure that they are exposed by your IProfileService or IClaimsService implementation in your identity server:

http://docs.identityserver.io/en/latest/reference/profileservice.html

They claims can either be included in the tokens themselves or be access via the user info endpoint as needed - this is sensible if your claim data is particularly large (ie in the 1000s of characters).

Answer 3

You can use ClaimsPrincipal.FindFirst() to access your customized claims.

Doc: https://docs.microsoft.com/en-us/dotnet/api/system.security.claims.claimsprincipal.findfirst?view=netcore-2.1

Example: User.FindFirst("your_claim_key").Value

Answer 4

I wrote this extender for use in MVC 5 but since it uses the http context and system security (and not the User Manager or Identity) I assume the internals of this will work on MVC6

public static bool UserHasSpecificClaim(this HtmlHelper h, string claimType, string claimValue)
{
    // get user claims
    var user = HttpContext.Current.User as System.Security.Claims.ClaimsPrincipal;

    if (user != null)
    {
        // Get the specific claim if any
        return user.Claims.Any(c => c.Type == claimType && c.Value == claimValue);
    }

    return false;
}