Convert OpenID Connect claims in ASP.NET Core

I am writing an ASP.NET Core web application and using UseOpenIdConnectAuthentication to connect to IdentityServer3. Following their ASP.NET MVC 5 sample, I am trying to transform the claims received back from IdentityServer to remove "low-level protocol claims that are definitely not needed." In MVC 5, they add a handler for the SecurityTokenValidated notification, which replaces the AuthenticationTicket with one that holds only the required claims.

In ASP.NET Core, to do the equivalent, I thought I would need to handle OnTokenValidated in OpenIdConnectEvents. However, at this stage no additional claims have appeared yet. If I handle OnUserInformationReceived, the additional claims are present, but they are stored on the User, not on the Principal.

None of the other events seems an obvious place for a final removal of the claims I am not interested in, before the ticket is saved once authentication has completed. Any suggestions gratefully received!

+8
asp.net-core claims-based-identity identityserver3
4 answers

I like the LeastPrivilege suggestion for converting earlier in the process. The code provided does not quite work. This version does:

    var oidcOptions = new OpenIdConnectOptions
    {
        ...
        Events = new OpenIdConnectEvents
        {
            OnTicketReceived = e =>
            {
                // Replace the principal with one that carries only the wanted claims
                e.Principal = TransformClaims(e.Ticket.Principal);
                return Task.CompletedTask;
            }
        }
    };

This replaces Principal, not Ticket. You can use the code from my other answer to create a new Principal. You can also replace Ticket at the same time, but I'm not sure whether that is necessary.

So thanks to LeastPrivilege and Adem for suggesting ways that pretty much answered my question ... only the code needed minor adjustments. In general, I prefer LeastPrivilege's suggestion to transform the claims earlier.

+7

Thanks Adem for your answer ... it solved most of the problem ... the only issue is that identity.Claims is a read-only property. I found that creating a new Principal works:

    Events = new CookieAuthenticationEvents()
    {
        OnSigningIn = (context) =>
        {
            ClaimsIdentity identity = (ClaimsIdentity)context.Principal.Identity;
            // Pick out only the claims the application needs
            var givenName = identity.FindFirst(Constants.ClaimTypes.GivenName);
            var familyName = identity.FindFirst(Constants.ClaimTypes.FamilyName);
            var sub = identity.FindFirst(Constants.ClaimTypes.Subject);
            var claimsToKeep = new List<Claim> { givenName, familyName, sub };
            // Claims is read-only, so build a new identity and principal instead
            var newIdentity = new ClaimsIdentity(claimsToKeep, identity.AuthenticationType);
            context.Principal = new ClaimsPrincipal(newIdentity);
            return Task.FromResult(0);
        }
    }

Whether this is the right approach, I'm not sure, but it works.

+4

You can handle the OnSigningIn event of the SignInScheme (the cookie middleware). Here is an example:

    app.UseCookieAuthentication(new CookieAuthenticationOptions()
    {
        AuthenticationScheme = "OpenIdCookies",
        AutomaticAuthenticate = true,
        Events = new CookieAuthenticationEvents()
        {
            OnSigningIn = async (context) =>
            {
                ClaimsIdentity identity = (ClaimsIdentity)context.Principal.Identity;
                identity.Claims = identity.Claims.Where(...);
            }
        }
    });

    var oidcOptions = new OpenIdConnectOptions
    {
        AuthenticationScheme = "oidc",
        SignInScheme = "OpenIdCookies"
    };
    //.. set other options
    app.UseOpenIdConnectAuthentication(oidcOptions);

+3

I personally prefer to transform claims in the middleware where the actual authentication takes place.

You can use the OnTicketReceived event for the OIDC middleware for this.

    var oidcOptions = new OpenIdConnectOptions
    {
        AuthenticationScheme = "oidc",
        SignInScheme = "cookies",
        Authority = Clients.Constants.BaseAddress,
        ClientId = "mvc.hybrid",
        ClientSecret = "secret",
        ResponseType = "code id_token",
        SaveTokens = true,
        TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = JwtClaimTypes.Name,
            RoleClaimType = JwtClaimTypes.Role,
        },
        Events = new OpenIdConnectEvents
        {
            OnTicketReceived = e =>
            {
                // Build a reduced principal and re-issue the ticket with it
                ClaimsPrincipal p = TransformClaims(e.Ticket.Principal);
                e.Ticket = new AuthenticationTicket(
                    p, e.Ticket.Properties, e.Ticket.AuthenticationScheme);
                return Task.CompletedTask;
            }
        }
    };

+2
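The answers above (the accepted one and LeastPrivilege's) call a TransformClaims helper without showing it. The following is an added example of such a helper, not code from the question, the answers or IdentityServer; it assumes the ASP.NET Core 1.x OpenIdConnect API used in those answers, uses literal claim-type strings instead of JwtClaimTypes so it has no extra package dependency, and treats the allow-list of claim types as an application choice.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

public static class ClaimsTransformer
{
    // Assumed allow-list: only these claim types survive into the cookie.
    // Protocol claims carried by the id_token (nonce, at_hash, c_hash, aud,
    // iss, exp, iat, nbf, amr, idp, auth_time, sid, ...) are all dropped.
    private static readonly HashSet<string> ClaimsToKeep = new HashSet<string>
    {
        "sub", "name", "given_name", "family_name", "email", "role"
    };

    // Returns a new principal that carries only the allow-listed claims.
    public static ClaimsPrincipal TransformClaims(ClaimsPrincipal incoming)
    {
        var identity = (ClaimsIdentity)incoming.Identity;

        // ClaimsIdentity.Claims is read-only, so filter into a new list and
        // build a fresh identity instead of mutating the existing one.
        var kept = identity.Claims
            .Where(c => ClaimsToKeep.Contains(c.Type))
            .ToList();

        // Keep the authentication type and the name/role claim types so that
        // User.Identity.IsAuthenticated, User.Identity.Name and User.IsInRole
        // behave the same on the reduced identity as on the original one.
        var reduced = new ClaimsIdentity(kept,
            identity.AuthenticationType,
            identity.NameClaimType,
            identity.RoleClaimType);

        return new ClaimsPrincipal(reduced);
    }

    // Wire-up matching LeastPrivilege's answer: assign to
    // Events = new OpenIdConnectEvents { OnTicketReceived = ClaimsTransformer.OnTicketReceived }
    public static Task OnTicketReceived(TicketReceivedContext e)
    {
        var principal = TransformClaims(e.Ticket.Principal);
        e.Ticket = new AuthenticationTicket(
            principal, e.Ticket.Properties, e.Ticket.AuthenticationScheme);
        return Task.CompletedTask;
    }
}
```

Claims fetched from the userinfo endpoint arrive later (the OnUserInformationReceived stage mentioned in the question), so hooking OnTicketReceived sees both the id_token and userinfo claims only when the middleware is configured to retrieve userinfo before the ticket is produced.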
