How are we meant to use IUserClaimsPrincipalFactory<T>?
I'm confused by the example in the documentation here that describes how to add claims using IUserClaimsPrincipalFactory.
The sample code shows how to extend the ApplicationUser class:
public class ApplicationUser : IdentityUser
{
public bool IsAdmin { get; set; }
}
...and then implement a UserClaimsPrincipalFactory that tests that property to determine which claims to add:
if (user.IsAdmin)
{
claims.Add(new Claim(JwtClaimTypes.Role, "admin"));
}
else
{
claims.Add(new Claim(JwtClaimTypes.Role, "user"));
}
It's not stated, but I think the implication is that something else (not shown) will set the IsAdmin property for a user in the database. I think they could have made that clear. (Also, it's disappointing that the example uses roles when there's so much confusion around roles versus claims, but I digress...)
Anyway, we have added some "role" claims to the user based on the value of that new IsAdmin property. So far, so good. What I don't understand is the next bit:
The additional claim can then be used in the app. In a Razor Page, the
IAuthorizationServiceinstance can be used to access the claim value.
Sounds like the Razor page is going to access our claim then - but here's the code:
@if ((await AuthorizationService.AuthorizeAsync(User, "IsAdmin")).Succeeded)
{
...
}
Is that really accessing the claim? It looks to me like it's accessing the IsAdmin property of the user instead. I don't see how the claim we added is referenced at all - unless there's something else that's not being explained.
That overload of AuthorizeAsync describes the last parameter as 'policyName'. Are we meant to assume that there's a policy called "IsAdmin" that checks for our new role claim?
What a terrible piece of documentation this is - and I'm ignoring the fact that it's also in the wrong place.
It's not stated, but I think the implication is that something else (not shown) will set the IsAdmin property for a user in the database.
You can set the IsAdmin where you want,For example you can set it when register.Here is a demo:
Input Model in register:
public class InputModel
{
...
public bool IsAdmin { get; set; }
}
Post handler:
public async Task<IActionResult> OnPostAsync(string returnUrl = null)
{
returnUrl ??= Url.Content("~/");
ExternalLogins = (await _signInManager.GetExternalAuthenticationSchemesAsync()).ToList();
if (ModelState.IsValid)
{
var user = new ApplicationUser { UserName = Input.Email, Email = Input.Email ,IsAdmin=Input.IsAdmin};
var result = await _userManager.CreateAsync(user, Input.Password);
if (result.Succeeded)
{
_logger.LogInformation("User created a new account with password.");
var code = await _userManager.GenerateEmailConfirmationTokenAsync(user);
code = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(code));
var callbackUrl = Url.Page(
"/Account/ConfirmEmail",
pageHandler: null,
values: new { area = "Identity", userId = user.Id, code = code, returnUrl = returnUrl },
protocol: Request.Scheme);
//await _emailSender.SendEmailAsync(Input.Email, "Confirm your email",
// $"Please confirm your account by <a href='{HtmlEncoder.Default.Encode(callbackUrl)}'>clicking here</a>.");
if (_userManager.Options.SignIn.RequireConfirmedAccount)
{
return RedirectToPage("RegisterConfirmation", new { email = Input.Email, returnUrl = returnUrl });
}
else
{
await _signInManager.SignInAsync(user, isPersistent: false);
return LocalRedirect(returnUrl);
}
}
foreach (var error in result.Errors)
{
ModelState.AddModelError(string.Empty, error.Description);
}
}
// If we got this far, something failed, redisplay form
return Page();
}
Is that really accessing the claim? It looks to me like it's accessing the IsAdmin property of the user instead. I don't see how the claim we added is referenced at all - unless there's something else that's not being explained.
That overload of AuthorizeAsync describes the last parameter as 'policyName'. Are we meant to assume that there's a policy called "IsAdmin" that checks for our new role claim?
IsAdmin is a ploicy name in the code,you need to add a policy which name is IsAdmin,and check new role claim in it.
public void ConfigureServices(IServiceCollection services)
{
services.AddRazorPages();
services.AddAuthorization(options =>
{
options.AddPolicy("IsAdmin", policy => policy.RequireClaim("role", "admin"));
});
}
result:
- .Net 8: Cannot authenticate user with "Individual Accounts Auth" template
- is it possible to use Identity EF Core as login/signup on a REST API using nextjs?
- Separate DbContext for Identity and business operations with same database - is there any advantages?
- How to add custom claims to User after or before login?
- Angular +.NET Core + Microsoft Identity
- The Specified deps.json Does Not Exist... Even Though It Does
- ASP.NET Core Identity: "Invalid token" when generating and confirming email in different applications
- After upgrade from .NET 8 to .NET 9 EmailConfirmation is not working
- ASP.NET Core 8.0 MVC & Identity : error when mocking, System.NotSupportedException: The default UI requires a user store with email support
- Redirect to login when unauthorized in ASP.NET Core
- Saving custom roles in AspNetUserRoles Identity table from ASP.NET Core 8 Web API
- ASP.NET Core Integration Testing IPasswordHasher<T>.HashPassword Generates Different Hashes
- Asp.net core Identity successful login redirecting back to login page
- Adding custom 404 error page in ASP.NET Core 6 MVC project integrated with Identity
- Why should I define JwtBearerDefaults.AuthenticationScheme for my Authorize attribute always?
- Multiple Identities in ASP.NET Core 2.0
- Where Can I Find Views and codes of Login and register pages Created by Identity
- Using EF Core DbContext and ASP.NET Core Identity's UserManager simultaneously
- Entity Framework Core : Include not working for many-to-many relationship
- What are the schemes and the handlers and how are they related?
- Entity Framework Core migration never completes for identity integration into ASP.NET Core Web API project
- .NET 8 Microsoft Identity saving Access and Refresh tokens to database on user sign in and token refresh
- ASP.NET Core Identity endpoints missing
- System.InvalidOperationException: 'Cannot resolve scoped service. While Attemping to Check if AppRoles in DB
- Not seeing default endpoint profided by .NET Core Identity if I use IdentityRole
- Changing table name of default ASP.NET IdentityUser table not working
- How can I change default AspNetUserLogins table to MyUserLogins table in Blazor web app on .NET 8, Login with individual account?
- "User security stamp cannot be null." error when adding/removing user roles in ASP.NET Core Identity
- When a new access token is generated with a refresh token, ClaimTypes.NameIdentifier returns null
- After Get succeeds, why does first Angular 9 Put request succeed on MVC Core 2.2 API Controller, but fails on next PUT with http err 302 and/or 503?