stackoom
  简体   繁体   中英

How to add custom claims to Jwt Token in OpenIdConnect in .Net Core

 原文  2021-04-27 10:14:31       c#/ asp.net/ authentication/ openid-connect/ dotnetopenauth

Question

Just like AzureAD we have our own custom Firm ActiveDirectory which we are connecting from UI as well as API for Authentication in.NetCore using OpenIdConnect (AddOpenIdConnect extension method). In my use case after authentication on UI side, I need additional application specific claims from my custom database which I am adding "OnTokenValidated" - this is needed for hiding or exposing the UI elements based on Roles and Claims.

OnTokenValidated = async ctx =>
            {
                //Get user's immutable object id from claims that came from Azure AD
                string oid = ctx.Principal.FindFirstValue("http://schemas.microsoft.com/identity/claims/objectidentifier");

                //Get EF context
                var db = ctx.HttpContext.RequestServices.GetRequiredService<AuthorizationDbContext>();

                //Check is user a super admin
                bool isSuperAdmin = await db.SuperAdmins.AnyAsync(a => a.ObjectId == oid);
                if (isSuperAdmin)
                {
                    //Add claim if they are
                    var claims = new List<Claim>
                    {
                        new Claim(ClaimTypes.Role, "superadmin")
                    };
                    var appIdentity = new ClaimsIdentity(claims);

                    ctx.Principal.AddIdentity(appIdentity);
                }
            }

Now after token validation on API side again I have to call the custom database to fetch application specific roles. Is it possible to include these roles in JWT token itself so on API side all roles and claims(AD + Custom DB) are present. Or any other way by which I don't have to call CustomDB again in API.

1 answers

solution1
 0  2021-04-27 17:57:41

Adding custom claims to access tokens is a capability of the Authorization Server (AS) and not all of them support this - though they should since it is an important feature. If you can say exactly what provider you are using I may be able to tell you whether it is possible.

These are the factors to think about:

  • Find out if the AS can reach out and get custom claims at the time of token issuance as in this Curity article .

  • Be careful to not return detailed JWTs to internet clients and aim to keep them within your back end instead. Opaque tokens can help with this as in this other Curity article

  • If custom claims are not possible for your provider then you can look them up in your API(s) when an access token is first received and then cache the claims in memory. This leads to more complex API code but is necessary for some providers.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question JWT How to add custom claims and decode claims How to create a JWT token with custom JSON claims in Payload using .Net (C#) in Asp.NET Core WEB API Add custom validation to JWT token for ASP.NET Core? Get JWT claims directly from the token, ASP Net Core 2.1 .Net Core 3.1 Merging JWT and OpenIDConnect Authentication .Net core JWT Custom Expired Token Response Custom JWT token validation in .NET Core 2.2 How to read Claims from JWT Token .NET 4.5 How to check privileges in JWT using Claims in ASP.NET Core? How do I add a custom claim to authentication cookie generated by OpenIdConnect middleware in ASP.Net Core after authentication?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM