How to pull user roles from database when wiring up OAUTH for ASP.NET Identity 2.0?
Question
I'm working on some Web APIs, and have been tasked with adding role based authorization to some of the endpoints using ASP.NET Identity 2.0.
I have created an API based administration structure for managing users and roles, and have hit a sticking point when attempting to implement authorization/authentication using OAUTH Bearer tokens.
(NOTE I read that JWT is better to use and makes supplying user data simpler, but the ask is for vanilla OAUTH)
So as for the code here is what I have so far, including the sticking point:
Startup.cs:
private static void ConfigureOAuthTokenGeneration(IAppBuilder app)
{
// Configure the db context, user manager and role manager to use a single instance per request
app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.CreatePerOwinContext<ApplicationRoleManager>(ApplicationRoleManager.Create);
// Create the options for the token authorization
var oauthAuthorizationServerOptions = new OAuthAuthorizationServerOptions
{
AllowInsecureHttp = true,
TokenEndpointPath = new PathString("/token"),
AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(1),
Provider = new SimpleAuthorizationServerProvider()
};
// Token Generation
app.UseOAuthAuthorizationServer(oauthAuthorizationServerOptions);
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
}
SimpleAuthorizationServerProvider.cs:
public sealed class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
{
// We are not validating clients at this point, simply "resource owners" i.e. user / pass combos
context.Validated();
}
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
using (var repo = new AuthorizationRepository())
{
var user = repo.FindUser(context.UserName, context.Password);
if (user == null)
{
context.SetError("invalid_grant", "The user name or password is incorrect.");
return;
}
}
// How do you pull the user data (including roles) from the database here, and place into a claim for API consumption??
}
}
What I've found online is the following, but this only creates a default role for the user (or list of roles):
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
identity.AddClaim(new Claim(ClaimTypes.Role, "admin"));
identity.AddClaim(new Claim("sub", context.UserName));
context.Validated(identity);
The above code is a problem because it will validate the user, but then assign EVERY user the role of admin in the generated token!
Any help would be appreciated and thank you for your help!
1 answers
solution1
1 ACCPTED 2019-01-15 01:02:22
The issue is that you are not setting the claims up from the ApplicationUserManager , which can do a lot of the heavy lifting for you. Further, you're just setting up a generic ClaimsIdentity which, as you already pointed out, will always return the same set of roles for all users.
In GrantResourceOwnerCredentials() , what you want to do is:
//
// Get an instance of the ApplicationUserManager that you've already registered
// with OWIN
//
var mgr = context.OwinContext.GetUserManager<ApplicationUserManager>();
//
// Have the ApplicationUserManager build your ClaimsIdentity instead
//
var identity = await mgr.CreateIdentityAsync(user,
context.Options.AuthenticationType);
//
// Then here, you could add other application-specific claims if you wanted to.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.