I'm writing an ASP.Net Core Web Application and using UseOpenIdConnectAuthentication to connect it to IdentityServer3. Emulating their ASP.Net MVC 5 sample I'm trying to transform the claims received back from Identity Server to remove the "low level protocol claims that are certainly not needed." In MVC 5 they add a handler for the SecurityTokenValidated Notification that swaps out the AuthenticationTicket for one with just the required claims.
In ASP.Net Core, to do the equivalent, I thought that I would need to handle the OnTokenValidated in the OpenIdConnectEvents. However, at that stage it doesn't appear that the additional scope information has been retrieved. If I handle the OnUserInformationReceived, the extra information is present, but stored on the User rather than the principal.
None of the other events seem like the obvious place to permanently remove the claims I'm not interested in retaining after authentication has completed. Any suggestions gratefully received!
I like LeastPrivilege's suggestion to transform earlier in the process. The code provided doesn't quite work. This version does:
var oidcOptions = new OpenIdConnectOptions
{
...
Events = new OpenIdConnectEvents
{
OnTicketReceived = e =>
{
e.Principal = TransformClaims(e.Ticket.Principal);
return Task.CompletedTask;
}
}
};
This replaces the Principal rather than the Ticket. You can use the code from my other answer to create the new Principal. You can also replace the Ticket at the same time but I'm not sure it is necessary.
So thank you to LeastPrivilege and Adem for suggesting ways that pretty much answered my question... just the code needed slight adjustments. Overall, I prefer LeastPrivilege's suggestion of transforming claims early.
You can implement OnSigningIn event of SignInScheme. Here is an example:
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
AuthenticationScheme = "OpenIdCookies",
AutomaticAuthenticate = true,
Events = new CookieAuthenticationEvents()
{
OnSigningIn = async (context) =>
{
ClaimsIdentity identity = (ClaimsIdentity)context.Principal.Identity;
identity.Claims = identity.Claims.Where(...);
}
}
});
var oidcOptions = new OpenIdConnectOptions
{
AuthenticationScheme = "oidc",
SignInScheme = "OpenIdCookies"
};
//.. set other options
app.UseOpenIdConnectAuthentication(oidcOptions);
Thank you Adem for your reply... it solved the vast majority of the problem... the only issue being that identity.Claim is a read only property. I found creating a new Principal did work though:
Events = new CookieAuthenticationEvents()
{
OnSigningIn = (context) =>
{
ClaimsIdentity identity = (ClaimsIdentity)context.Principal.Identity;
var givenName = identity.FindFirst(Constants.ClaimTypes.GivenName);
var familyName = identity.FindFirst(Constants.ClaimTypes.FamilyName);
var sub = identity.FindFirst(Constants.ClaimTypes.Subject);
var claimsToKeep = new List<Claim> {givenName, familyName, sub};
var newIdentity = new ClaimsIdentity(claimsToKeep, identity.AuthenticationType);
context.Principal = new ClaimsPrincipal(newIdentity);
return Task.FromResult(0);
}
}
Whether this is the correct approach I'm not sure, but it appears to work.
I personally prefer to do the claims transformation in the middleware where the actual authentication happens.
You can use the OnTicketReceived event on the OIDC middleware for that.
var oidcOptions = new OpenIdConnectOptions
{
AuthenticationScheme = "oidc",
SignInScheme = "cookies",
Authority = Clients.Constants.BaseAddress,
ClientId = "mvc.hybrid",
ClientSecret = "secret",
ResponseType = "code id_token",
SaveTokens = true,
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = JwtClaimTypes.Name,
RoleClaimType = JwtClaimTypes.Role,
},
Events = new OpenIdConnectEvents
{
OnTicketReceived = e =>
{
ClaimsPrincipal p = TransformClaims(e.Ticket.Principal);
e.Ticket = new AuthenticationTicket(
p,
e.Ticket.Properties,
e.Ticket.AuthenticationScheme);
return Task.CompletedTask;
}
}
};
来源:https://stackoverflow.com/questions/39036852/transforming-open-id-connect-claims-in-asp-net-core