Adding claims to existing identity
During moving one system from classic ASP.NET MVC to ASP.NET Core I faced an interesting challenge. Although access to system is based on Active Directory there is separate role management based on classic membership and roles providers. There are reasons why AD is not used for role management and I cannot change it. ASP.NET Core uses claims-based authentication and I needed to find a way to add role claims to authenticated identity. Here’s the solution.
How things does not work
Adding claims to existing identity seems like small task to accomplish. But, well, it doesn’t go so easy. We can build middleware class and try something like shown here.
foreach(var role in user.Roles)
{
var claim = new Claim(newIdentity.RoleClaimType, role.Name);
identity.AddClaim(claim);
}
But it doesn’t work with existing identity. No errors, code runs smooth but role claims are just ignored.
Using claims transformation
There’s correct way to edit existing identity and it’s called claims transformation. Basically we have to write a custom class that implements IClaimsTransformation interface. Documentation doesn’t give much information about it but most important thing is said – we need to clone given identity.
In short, here’s how the process goes:
- Clone current user identity
- Add custom claims
- Return cloned identity
Here’s my claims transformation that adds roles to user identity. Notice that I can use dependency injection to inject instances of service classes to my claims transformation. Remember important trick – we need a clone of current identity to make things work.
public class AddRolesClaimsTransformation : IClaimsTransformation
{
private readonly IUserService _userService;
public AddRolesClaimsTransformation(IUserService userService)
{
_userService = userService;
}
public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
{
// Clone current identity
var clone = principal.Clone();
var newIdentity = (ClaimsIdentity)clone.Identity;
// Support AD and local accounts
var nameId = principal.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier ||
c.Type == ClaimTypes.Name);
if (nameId == null)
{
return principal;
}
// Get user from database
var user = await _userService.GetByUserName(nameId.Value);
if (user == null)
{
return principal;
}
// Add role claims to cloned identity
foreach(var role in user.Roles)
{
var claim = new Claim(newIdentity.RoleClaimType, role.Name);
newIdentity.AddClaim(claim);
}
return clone;
}
}
The final thing to do is to register claims transformation with dependency injection in ConfigureServices() method of Startup class.
services.AddScoped<IClaimsTransformation, AddRolesClaimsTransformation>();
Considering you have authentication already configured and it works, the registered transform will get to authentication flow.
Wrapping up
Although adding few claims to existing identity seems like piece of cake, it is not so easy. We cannot just add claims to existing identity and hack it. Claims transformation as custom implementation of IClaimsTransformation interface is the tool we need to use to add claims to existing identity. As we saw we don’t modify existing identity but we clone it, add claims and then return the cloned instance.
I am so glad that you wrote this post.
Thank you, thank you, thank you. Been looking for this forever. Does this work with Blazor wasm as well?
I have made no experiments on Blazor yet. I needed this solution just for regular ASP.NET Core application.
When does this run in the request pipeline?
I’ve done this using middleware with great success but this indeed this seems like the standard approach.
does not work, it also returns a 500 but no exception whatsoever, which makes it hard to figure what’s going on
also, what if one need a db injection, to check the user role ?
I find that TransformAsync gets called every time a page is loaded, and the principal does not have any of the claims that I added on the previous page load, which means that I have to add them again. This means I have to call the database every time to get the user information that I use to create the claims.
Is this normal? Is there a way to persist the claims between pages? Using .Net Core 3.1 and Windows auth.
This was a very helpful article. I used this technique with a Blazor server and it’s working great. I noticed when debugging that the transformation is called multiple times during the login process, so the user service gets called multiple times too. It’s not a big deal.
I was thinking that maybe the principal argument to TransformAsync would be the transformed version on the repeated calls but it’s not. The original principle is passed in on each call so I can’t really “mark” it to know I’ve already done the transformation. I will setup the UserService so that caches the data on the first call then the repeated calls to TransformAsync won’t require a database call every time.
Thank you so much for this post
Well I have the same issue as Adrian and Matthew. I’m also doing a call during transformation to get the user. I’m doing this in order to add the correct claims. I would like to persist the claims or persist the result from the user API call.
This is good, but I prefer this approach – https://stackoverflow.com/a/52173219/540156
Taken from the PolicyServer source code.
You add a second identity which can be differentiated by Authtype property of ClaimsIdentity.
Works really nicely and general calls like HasClaim checks both identities.
This was very helpful to me. I’m working on a codebase that used to use a bearer token instead of a cookie and I really didn’t want to change more than I had to. This post gave me a pretty simple way to implement the same Claims modifications that were being done previously, but weren’t available when not modifying the underlying identity information.
Great post!!
Basically main point is to clone principal. It can be done on several places like in claimstransformation, middleware…. I clone it on jwtbearer event OnTokenValidated
Thanks for the post! Does this work with Azure AD B2C?
Thanks for the post, but how can I persist this so I don’t have to call DB all the time to get additional information ?
I would like to set some custom claims when user logs in and persist them until the user logs out ?
Thanks for the informative blog. I have one question when TransformAsync is getting called twice. When making get request also its duplicating the claims.
Working great. This is what I have been looking around.
However as others also asked, every request is making a DB call to get the user roles and and adding the claims. Once a user is authenticated and claims are added, they should be part of the coockie and this routine should not be repeated as long as coockie is not expired.
Could not find help on that yet.
As Prasad suggest this is not ideal. Every request runs this code. It’s worse than the problem I am trying to solve which is to store some additional user information from another table when the user logs in and then clear it when they log out.
Took me 10 hours of research and arguing with Gemini and ChatGPT and finally I find this post.
I think the underlying problem is that the original ClaimsIdentity does not have the RoleType set properly, this is why even though later on you add claims to it with AddClaim(new Claim(ClaimTypes.Role, “SYSADMIN”)), IsInRole (and other facades such as …) don’t know where to check for roles. Microsoft really overcomplicated things here I think.
From ChatGPT: “The issue you’re encountering is likely due to the way the IsInRole method checks for roles. In .NET, the IsInRole method does not directly check the claims of type ClaimTypes.Role. Instead, it relies on the RoleClaimType property of the ClaimsIdentity.”
Of course, identity.RoleClaimType is read-only. So a good solution (for Blazor at least) seems to be what Andrew Reiser suggested above: after retrieving your roles etc. from database, create a copy of the original identity, but make sure to properly set the “roleType” parameter, add your roles to it, and then add it as an additional identity to your ClaimsPrincipal:
var newIdentity = new ClaimsIdentity(originalIdentity.Claims, “MyCustomAuthenticationType”, originalIdentity.NameClaimType, ClaimTypes.Role);
myUser.ClaimsPrincipal.AddIdentity(identity);
Then things like AuthorizeView work fine. I hope this is of help to someone.
Very energetic article, I enjoyed that bit.
Will there be a part 2?
Feel free to visit my web-site :: PFLEGE KASACK
Harbiye su kaçak tespiti Testo termal kamerayla kaçağın olduğu yeri gösterdiler, çok etkileyiciydi. https://fairknowledge.wiki/?p=47010
Alibeyköy su kaçak tespiti İstanbul su kaçağı tespiti: İstanbul’daki su kaçakları için profesyonel ve hızlı çözümler sunuyoruz. https://socialwin.wiki/uskudar-su-kacagi-tespiti/
Your article helped me a lot, is there any more related content? Thanks!
Your point of view caught my eye and was very interesting. Thanks. I have a question for you.
I don’t think the title of your article matches the content lol. Just kidding, mainly because I had some doubts after reading the article.
I don’t think the title of your enticle matches the content lol. Just kidding, mainly because I had some doubts after reading the enticle.
6mn542
llqq2q
s70xff
ucpq0o
https://www.youtube.com/channel/UCyt2dGrKTf9KpBk1jdUl3oA
Can you be more specific about the content of your article? After reading it, I still have some doubts. Hope you can help me.
pemerintah ramadhan
link porno grafilink porno grafilink porno grafi link porno grafilink porno
grafilink porno grafi link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno grafilink
porno grafilink porno grafi link porno grafilink porno
grafilink porno grafi link porno grafilink porno grafilink
porno grafi link porno grafilink porno grafilink porno
grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink
porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno
grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink
porno grafi link porno grafilink porno grafilink porno grafi
link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno
grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno grafilink
porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno
grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno
grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno
grafi link porno grafilink porno grafilink porno grafi
link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink
porno grafilink porno grafi link porno grafilink
porno grafilink porno grafi link porno grafilink porno grafilink
porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi
link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno
grafi link porno grafilink porno grafilink porno grafi link porno
grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno
grafi link porno grafilink porno grafilink porno grafi
I don’t think the title of your article matches the content lol. Just kidding, mainly because I had some doubts after reading the article.
link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink
porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno
grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink
porno grafi link porno grafilink porno grafilink porno
grafi link porno grafilink porno grafilink porno grafi
link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno
grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink
porno grafilink porno grafi link porno grafilink porno grafilink porno grafi
link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi
link porno grafilink porno grafilink porno grafi
link porno grafilink porno grafilink porno grafi link porno grafilink porno
grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink
porno grafilink porno grafi link porno grafilink porno
grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno
grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink
porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno
grafilink porno grafilink porno grafi link porno grafilink porno
grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno
grafilink porno grafilink porno grafi link porno grafilink porno
grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink
porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink
porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno
grafilink porno grafi link porno grafilink porno
grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno
grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi
Thanks for sharing. I read many of your blog posts, cool, your blog is very good.
link porno grafilink porno grafilink porno grafi link porno
grafilink porno grafilink porno grafi link porno grafilink
porno grafilink porno grafi link porno grafilink porno grafilink porno
grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi
link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno grafilink porno
grafilink porno grafi link porno grafilink porno grafilink
porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi
link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi
link porno grafilink porno grafilink porno grafi link porno
grafilink porno grafilink porno grafi link porno grafilink porno
grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno
grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink
porno grafilink porno grafi link porno grafilink
porno grafilink porno grafi link porno grafilink porno grafilink
porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno
grafi link porno grafilink porno grafilink porno grafi
link porno grafilink porno grafilink porno grafi link porno grafilink
porno grafilink porno grafi link porno grafilink porno grafilink porno grafi
link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi
link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno
grafilink porno grafilink porno grafi link porno
grafilink porno grafilink porno grafi link porno
grafilink porno grafilink porno grafi link porno
grafilink porno grafilink porno grafi link porno grafilink
porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink
porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink
porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno
grafi link porno grafilink porno grafilink porno
grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno
grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi
4f3pip
Your blog is like a beacon of light in the vast expanse of the internet. Your thoughtful analysis and insightful commentary never fail to leave a lasting impression. Thank you for all that you do.
Your article helped me a lot, is there any more related content? Thanks!
Can you be more specific about the content of your article? After reading it, I still have some doubts. Hope you can help me.
link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink
porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno
grafi link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno
grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink
porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink
porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi
link porno grafilink porno grafilink porno grafi link porno grafilink
porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno
grafilink porno grafi link porno grafilink porno grafilink
porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink
porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno
grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink
porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi
link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno grafilink porno
grafilink porno grafi link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi
link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink
porno grafi link porno grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink
porno grafi link porno grafilink porno grafilink porno grafi link porno
grafilink porno grafilink porno grafi link
porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno
grafi link porno grafilink porno grafilink porno grafi
link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink
porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi link porno grafilink porno grafilink porno grafi
289bnc
6vw7si
Thank you for your sharing. I am worried that I lack creative ideas. It is your article that makes me full of hope. Thank you. But, I have a question, can you help me?
chw5v3
Thank you for your sharing. I am worried that I lack creative ideas. It is your article that makes me full of hope. Thank you. But, I have a question, can you help me?
555
Thanks for sharing. I read many of your blog posts, cool, your blog is very good.
mrgbxo
59mjyt
Your article helped me a lot, is there any more related content? Thanks!
I read this paragraph completely concerning the resemblance of hottest and earlier technologies, it’s awesome article.
Can you be more specific about the content of your article? After reading it, I still have some doubts. Hope you can help me.
Dear gunnarpeipman.com owner, Thanks for the valuable information!
I don’t think the title of your article matches the content lol. Just kidding, mainly because I had some doubts after reading the article. https://www.binance.info/join?ref=P9L9FQKY
6uz7c2
Your article helped me a lot, is there any more related content? Thanks!
ini situs bokep
Hello Neat post Theres an issue together with your site in internet explorer would check this IE still is the marketplace chief and a large element of other folks will leave out your magnificent writing due to this problem
555
555
555
OkqvBuZ5
@@FkudY
situs kontol situs kontol situs kontol situs kontol situs kontol situs kontol situs kontol situs kontol situs kontol situs kontol situs kontol situs kontol situs kontol situs kontol
Your article helped me a lot, is there any more related content? Thanks!
Thank you for your sharing. I am worried that I lack creative ideas. It is your article that makes me full of hope. Thank you. But, I have a question, can you help me?
I don’t think the title of your article matches the content lol. Just kidding, mainly because I had some doubts after reading the article.
cerojh
ini situs bokep
ini situs bokep
Thanks for sharing. I read many of your blog posts, cool, your blog is very good.
Can you be more specific about the content of your article? After reading it, I still have some doubts. Hope you can help me.