Search code examples
c#asp.netasp.net-identityasp.net-roles

How to pull user roles from database when wiring up OAUTH for ASP.NET Identity 2.0?


I'm working on some Web APIs, and have been tasked with adding role based authorization to some of the endpoints using ASP.NET Identity 2.0.

I have created an API based administration structure for managing users and roles, and have hit a sticking point when attempting to implement authorization/authentication using OAUTH Bearer tokens.

(NOTE I read that JWT is better to use and makes supplying user data simpler, but the ask is for vanilla OAUTH)

So as for the code here is what I have so far, including the sticking point:

Startup.cs:

private static void ConfigureOAuthTokenGeneration(IAppBuilder app)
{
    // Configure the db context, user manager and role manager to use a single instance per request
    app.CreatePerOwinContext(ApplicationDbContext.Create);
    app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
    app.CreatePerOwinContext<ApplicationRoleManager>(ApplicationRoleManager.Create);

    // Create the options for the token authorization
    var oauthAuthorizationServerOptions = new OAuthAuthorizationServerOptions
    {
        AllowInsecureHttp = true,
        TokenEndpointPath = new PathString("/token"),
        AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(1),
        Provider = new SimpleAuthorizationServerProvider()
    };

    // Token Generation
    app.UseOAuthAuthorizationServer(oauthAuthorizationServerOptions);
    app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
}

SimpleAuthorizationServerProvider.cs:

public sealed class SimpleAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // We are not validating clients at this point, simply "resource owners" i.e. user / pass combos
        context.Validated();
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        using (var repo = new AuthorizationRepository())
        {
            var user = repo.FindUser(context.UserName, context.Password);

            if (user == null)
            {
                context.SetError("invalid_grant", "The user name or password is incorrect.");

                return;
            }
        }

        // How do you pull the user data (including roles) from the database here, and place into a claim for API consumption??
    }
}

What I've found online is the following, but this only creates a default role for the user (or list of roles):

var identity = new ClaimsIdentity(context.Options.AuthenticationType);

identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
identity.AddClaim(new Claim(ClaimTypes.Role, "admin"));
identity.AddClaim(new Claim("sub", context.UserName));

context.Validated(identity);

The above code is a problem because it will validate the user, but then assign EVERY user the role of admin in the generated token!

Any help would be appreciated and thank you for your help!


Solution

  • The issue is that you are not setting the claims up from the ApplicationUserManager, which can do a lot of the heavy lifting for you. Further, you're just setting up a generic ClaimsIdentity which, as you already pointed out, will always return the same set of roles for all users.

    In GrantResourceOwnerCredentials(), what you want to do is:

    //
    // Get an instance of the ApplicationUserManager that you've already registered
    // with OWIN
    //
    var mgr = context.OwinContext.GetUserManager<ApplicationUserManager>();
    
    //
    // Have the ApplicationUserManager build your ClaimsIdentity instead
    //
    var identity = await mgr.CreateIdentityAsync(user, 
                                                 context.Options.AuthenticationType);
    
    //
    // Then here, you could add other application-specific claims if you wanted to.