Home / Questions / 325249
Accepted
Edwin Romero
Asked: 2020-01-30 02:55:27 +0800 CST 2020-01-30 02:55:27 +0800 CST

Using Claims in asp core 3 for custom security

  • 772

Hi everyone, I'm a novice with asp core 3 and I'm developing a system from scratch, the system has custom security for issues that I won't go into detail about, what happens is that I want to use Claims but I'm stuck and I can't find anything in the network on how to use claims, I have this: To put them in context this is the custom security database schema

enter image description here

To assign the users I want to use Claims and this is what I have first in the startup.cs in the configure services section

       #region Implementacion de Claims

       services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
               .AddCookie();
       services.Configure<CookiePolicyOptions>(opt =>
       {
            opt.MinimumSameSitePolicy = SameSiteMode.None;
       });
       #endregion

and in the always configure section in the startup.cs I have this:

       app.UseAuthentication();
       app.UseAuthorization();
       app.UseCookiePolicy();

       app.UseEndpoints(endpoints =>
       {
            endpoints.MapControllerRoute(
             name: "default",
             pattern: "{controller=Home}/{action=Index}/{id?}");
            endpoints.MapRazorPages();
       });

in the controller I have this:

[HttpPost]
          [ValidateAntiForgeryToken]
          public async Task<ActionResult> Login(UsuarioModel Entidad)
          {
               var eData = await _iUser.ObtenerPorEmail(Entidad.email);

               //Si no encuentra el correo no esta registrado el user
               if (eData == null)
               {
                    TempData["Titulo"] = "Error";
                    TempData["Mensaje"] = "El usuario con que intenta conectar no existe, pongase en contacto con el admnistrador del sistema";
                    return RedirectToAction("Mensaje", "Home");
               }
               //Si llega hasta aquí y es primera vez permite generar el password
               if (eData.firsttime)
               {
                    return RedirectToAction("SavePassword", eData);
               }
               else
               {
                    //Si no es primera vez verifica si es correcto el pass y se conecta
                    if (eData.ComparePass(Entidad.passmain, eData.salt, eData.password))
                    {
                         //Aqui codigo de claims
                         return RedirectToAction("Index", "Home");
                    }

                    TempData["Titulo"] = "Error";
                    TempData["Mensaje"] = "El password esta equivocado";
                    return RedirectToAction("Mensaje", "Home");
               }

          }

Well I've reached the point where I have to implement the claims but I don't know how: 1) Create the claims with the data at that moment? 2) How do I reuse the claim to validate if I connected? 3) How can I get the claims to reuse it and disable it in the options menu? 4) How do I destroy them when I close the session?

I know there are a lot of questions :(, but if someone has a place where I can see a clear example and can read more about this I would appreciate it or if you can put an example it would be great, thanks in advance to the community.

asp.net-core

1 Answers

  1. Best Answer

    (update) works perfectly in 3.1 or higher I've tried it with 5.x too Ok. I am going to auto-respond because I have found the solution by reading and by trial and error. I want to share it with the community in case someone needs information. This works in ASP CORE 3.X and of course I know that there may be better ways, so always if you know of a better one, I invite you to post it to learn more

    First configure startup.cs section ConfigureServices

           #region Implementacion de Claims

       services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
               .AddCookie();
       services.Configure<CookiePolicyOptions>(opt =>
       {
            opt.MinimumSameSitePolicy = SameSiteMode.None;
       });
       #endregion

    It is important to say that this is a minimum security configuration, that is why I use the option opt.MinimumSameSitePolicy = SameSiteMode.None; but you can read more and make your claims more secure

    Very well. let's always continue in startup.cs Configure section

           app.UseAuthentication();
       app.UseAuthorization();
       app.UseCookiePolicy();

    Add these options if they are not.

    That is so that the claims work for us

    we will answer the questions

    1. How to create the claims with the data? Well assuming that we are already logged in and we have the necessary data to create the claims, let's remember that these are cookies that can be kept on the client's computer

    First thing I need these usign in the controller

    using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

    Then we can create the claims

                     var ClaimList = new List<Claim>();
                 ClaimList.Add(new Claim(ClaimTypes.Name, eData.nombre + " " + eData.apellido));
                 ClaimList.Add(new Claim(ClaimTypes.Role, eRol.rolname));
                 ClaimList.Add(new Claim(ClaimTypes.Email, eData.email));
                 ClaimList.Add(new Claim("userid", eData.userID.ToString()));

    as you can see very simple a list of claims and then add there are "ClaimTypes" these are predefined in case you use identity you can use it without identity as I have done but you can also define your own "userid", "Name", "shit" what you want :D "eData" is a class of mine that brings the log data.

    After creating the necessary Claims we must create the identity using the list of claims created above, so that we can use them later this is very easy

    var claimsIdentity = new ClaimsIdentity(ClaimList, CookieAuthenticationDefaults.AuthenticationScheme);

    Well, the only thing left to do is log in, in case I have told you that if I don't disconnect, these claims only last 8 hours.

                     await HttpContext.SignInAsync(
                                               CookieAuthenticationDefaults.AuthenticationScheme,
                                               new ClaimsPrincipal(claimsIdentity),
                                               new AuthenticationProperties
                                               {
                                                    IsPersistent = true,
                                                    ExpiresUtc = DateTime.UtcNow.AddHours(8)
                                               });

    1. How do I reuse the claim to validate if I connected? That is to say, how do I know that it is connected and the claims exist, very easy, we only look for a claim that I created, for example "ClaimTypes.Name" there, save the name of the user

          ClaimsPrincipal principal = HttpContext.User as ClaimsPrincipal;
    var data = principal.FindFirst(ClaimTypes.Name);

    if data is null if (data != null) then there are no claims if it is not null because the user is connected.

    1. How can I get the claims to reuse it and disable it in the options menu? Well, as you could see in the answer to question two, it's simple because I looked for the claims to see if they existed. But this is in the controller, it's the way to do it but let's say we need it in the view to disable html or in the _layout.html

    the first thing is to use the following using

    @using System.Threading;
@using System.Security.Claims;

    then we can do the following

    </head>
<body>
    @{


        int conectado;
        string nombreuser = "";
        string nombrerol = "";
        //seguridad modulos
        string pro = "";
        string prd = "";
        string fac = "";
        string inv = "";
        string pre = "";
        string ped = "";
        string rep = "";
        string seg = "";


        var userconn = ((ClaimsIdentity)User.Identity).FindFirst(ClaimTypes.Name);

        if (userconn != null)
        {
            conectado = 1;
            nombreuser = ((ClaimsIdentity)User.Identity).FindFirst(ClaimTypes.Name).Value;
            nombrerol = ((ClaimsIdentity)User.Identity).FindFirst(ClaimTypes.Role).Value;
            pro = ((ClaimsIdentity)User.Identity).FindFirst("Proveedores").Value;
            prd = ((ClaimsIdentity)User.Identity).FindFirst("Producción").Value;
            fac = ((ClaimsIdentity)User.Identity).FindFirst("Facturación").Value;
            inv = ((ClaimsIdentity)User.Identity).FindFirst("Inventarios").Value;
            pre = ((ClaimsIdentity)User.Identity).FindFirst("Presupuestos").Value;
            ped = ((ClaimsIdentity)User.Identity).FindFirst("Pedidos").Value;
            rep = ((ClaimsIdentity)User.Identity).FindFirst("Reportes").Value;
            seg = ((ClaimsIdentity)User.Identity).FindFirst("Seguridad").Value;

        }
        else
            conectado = 0;

    and these variables we can use as we want in the views or razor pages

    and the final question.

    1. How do I destroy them when I log out? this in controller

      await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);

    In this way I destroy them even though the time I defined for the existence of the claims has not ended.

    well and that's it I hope it helps someone greetings

    • 3