Okay first I just want to say what I'm trying to do has turned out to be a real PITA. The issue I'm having is similar to the following posts:
ASP.NET Identity check user roles is not working
Updating user role using asp.net identity
public async Task<ActionResult> MyAccount()
{
var userId = User.Identity.GetUserId();
var user = await UserManager.FindByIdAsync(userId);
if (!User.IsInRole(RoleConst.EXPIRED))
{
await UserManager.AddToRoleAsync(userId, RoleConst.EXPIRED);
await SignInAsync(user, false);
}
var isExpired = User.IsInRole(RoleConst.EXPIRED); // FALSE!!
return View(model);
}
private async Task SignInAsync(ApplicationUser user, bool isPersistent)
{
var authenticationManager = HttpContext.GetOwinContext().Authentication;
authenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie, DefaultAuthenticationTypes.TwoFactorCookie);
authenticationManager.SignIn(new AuthenticationProperties { IsPersistent = isPersistent }, await user.GenerateUserIdentityAsync(UserManager));
}
The role does not update even after using the sign in method to refresh the cookie as some other users have suggested. Of course the role is updated in the db.
This code works when checking the role after updating:
var isExpired = UserManager.IsInRole(userId, RoleConst.EXPIRED);
I would be fine with that I guess, however, I need to do this check immediately after in my razor Views. I haven't found how I can use the UserManger outside of the controller. Any suggestions to this seemingly simple task would be appreciated!
EDIT
I've also tried the following which yields the same result:
await UserManager.AddToRoleAsync(user.Id, RoleConst.EXPIRED);
await UserManager.UpdateSecurityStampAsync(user.Id);
var isExpired = User.IsInRole(RoleConst.EXPIRED); // FALSE
It will work once you Sign out and signing in again (which is not a user-friendly option)
So try this (reordered these lines),
await this.UserManager.AddToRoleAsync(user.Id, model.UserRole);
await SignInManager.SignInAsync(user, isPersistent:false, rememberBrowser:false);
So that the cookies get stored only after the user role gets added. :)
One person in the linked questions suggested signing out and signing in again, which you aren't even doing: just signing in. However, in one of the comments you can find a link to the answer you need. Long and short you need to call:
UserManager.UpdateSecurityStampAsync(userId);
After changing the user's roles.
Related
I'm trying to create an external login scheme for facebook, google and linkedin without using identity framework. I have an api that stores all users and do some authentication stuffs. Right now I'm kind of lost on how to get the information from the external login.
I'm issuing a challenge like this.
[HttpPost]
[ValidateAntiForgeryToken]
public IActionResult ExternalLogin(string provider)
{
//Issue a challenge to external login middleware to trigger sign in process
return new ChallengeResult(provider);
}
This works well, it redirects me to either google, facebook or linkedinn authentication.
Now on this part:
public async Task<IActionResult> ExternalLoginCallback()
{
//Extract info from externa; login
return Redirect("/");
}
All I want is to get the information that was provided by the external login.
I have tried what I found from my research,
var result = await HttpContext.AuthenticateAsync(provider);
if (result?.Succeeded != true)
{
return Redirect("/");
}
var externalUser = result.Principal;
var claims = externalUser.Claims.ToList();
First of all I I'm not sure if a simple ?provider=Google on my callback string will pass the provider name I specify so it can be used to check the sign in scheme. I guess this is incorrect. Secondly, I tried hard coding await HttpContext.AuthenticateAsync("Google") and when it reach this code, the debug stops. I'm not sure why.
I've seen the generated code when creating a project with single authentication.
var info = await _signInManager.GetExternalLoginInfoAsync();
Sadly, I'm won't be able to use identity since I don't have a user store and my application will be consuming an API.
First you need to create a custom cookie handler. I myself had problems with:
No IAuthenticationSignInHandler is configured to handle sign in for
the scheme: Bearer
I had to add a cookie handler that will temporarily store the outcome of the external authentication, e.g. the claims that got sent by the external provider. This is necessary, since there are typically a couple of redirects involved until you are done with the external authentication process.
Startup
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(o =>
{
o.TokenValidationParameters = tokenValidationParameters;
})
.AddCookie("YourCustomScheme")
.AddGoogle(googleOptions =>
{
googleOptions.SignInScheme = "YourCustomScheme";
googleOptions.ClientId = "x";//Configuration["Authentication:Google:ClientId"];
googleOptions.ClientSecret = "x";//Configuration["Authentication:Google:ClientSecret"];
//googleOptions.CallbackPath = "/api/authentication/externalauthentication/signin-google";
});
The important part here is "YourCustomScheme".
Now it's time to retrieve the user information from the claims provided by the external authentication in the callback action.
Controller
[AllowAnonymous]
[HttpPost(nameof(ExternalLogin))]
public IActionResult ExternalLogin(ExternalLoginModel model)
{
if (model == null || !ModelState.IsValid)
{
return null;
}
var properties = new AuthenticationProperties { RedirectUri = _authenticationAppSettings.External.RedirectUri };
return Challenge(properties, model.Provider);
}
[AllowAnonymous]
[HttpGet(nameof(ExternalLoginCallback))]
public async Task<IActionResult> ExternalLoginCallback(string returnUrl = null, string remoteError = null)
{
//Here we can retrieve the claims
var result = await HttpContext.AuthenticateAsync("YourCustomScheme");
return null;
}
VoilĂ ! We now have some user information to work with!
Helpful link
http://docs.identityserver.io/en/release/topics/signin_external_providers.html
I too had this issue and see if the below code works for you.
I wanted to extract the full name after Google/FB authentication.
var info = await _signInManager.GetExternalLoginInfoAsync();
TempData["fullname"] = info.Principal.FindFirstValue(ClaimTypes.Name);
Very hard to understand how to use Oauth or OWIN for anything besides logging in. I have created an MVC web app. I can have users log into my app using their Yahoo ID (instead of a local ID) just fine. This is done using Owin.Security.Providers.Yahoo
I can also make API calls using DevDefinedOauth, here is a code snippet:
public ActionResult Test2(string oauth_token, string oauth_verifier)
{
if(String.IsNullOrEmpty(oauth_token))
{
oauthButton_Click();
}
else
{
OAuthSession session = (OAuthSession)Session["oAuthSession"];
IToken requestToken = (IToken)Session["oAuthToken"];
if (!String.IsNullOrEmpty(oauth_verifier))
{
IToken accessToken = session.ExchangeRequestTokenForAccessToken(requestToken, oauth_verifier);
Session["oAuthSession"] = session;
}
}
IConsumerRequest playerData = ((OAuthSession)Session["oAuthSession"]).Request().Get().ForUrl("http://fantasysports.yahooapis.com/fantasy/v2/game/371/players");
var xml = playerData.ToDocument();
My problem is I want to eliminate the use of DevDefinedOauth (if possible) and use only Owin.Security.Providers.Yahoo
I cannot find any documentation out there on how to use Owin to do this. Is it possible? I noticed I can try something like this, but it yields no results:
var token = new Owin.Security.Providers.Yahoo.Messages.AccessToken();
string test = token.Token;
I read a post on how to get the access token if you use facebook and Oauth, but the same code doesn't work for Yahoo. I am not sure if there is something that needs to be added to my Startup Class, or my Account controller action (below).
[AllowAnonymous]
public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
{
var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();
if (loginInfo == null)
{
return RedirectToAction("Login");
}
// Sign in the user with this external login provider if the user already has a login
var user = await UserManager.FindAsync(loginInfo.Login);
if (user != null)
{
await SignInAsync(user, isPersistent: false);
//var client = new Owin.Security.Providers.Yahoo.
return RedirectToLocal(returnUrl);
}
else
{
// If the user does not have an account, then prompt the user to create an account
ViewBag.ReturnUrl = returnUrl;
ViewBag.LoginProvider = loginInfo.Login.LoginProvider;
return View("ExternalLoginConfirmation", new ExternalLoginConfirmationViewModel { UserName = loginInfo.DefaultUserName });
}
}
As you can see, if you look at my other posts, I am a little lost. I feel like I'm very close to the answer but just can't find it. Woirst case scenario I can use Owin Providers for logging in and then use DevDefinedOauth for API calls but it seems like a lot fo extra code (and usings) for nothing. If anyone has any ideas please let me know....
I am getting a NullReferenceException when I try to access the User data after a successful login. The inquiry here is about when the user data is actually available to be queried against in the sign in process. Here is the code that I have placed into the Login method of the Account controller:
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
{
if (!ModelState.IsValid)
{
return View(model);
}
// This doesn't count login failures towards account lockout
// To enable password failures to trigger account lockout, change to shouldLockout: true
var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: false);
switch (result)
{
case SignInStatus.Success:
var sh = new SoapHelper();
var user = UserManager.FindById(User.Identity.GetUserId());
Session["UserExists"] = true;
Session["StartDate"] = DateTime.Now.ToString("yyyyMMdd");
Session["EndDate"] = DateTime.Now.ToString("yyyyMMdd");
Session["UserCompany"] = user.CompanyID;
The final line of code is where the error is thrown, am I not able to access the UserManager to get the data I need from the User table at this time in the login process?
Any help will be greatly appreciated!
Do you mean to say that user object is empty ?
var user = UserManager.FindById(User.Identity.GetUserId());
Please can you post the exception here so we can provide more details regarding this.
Also is there CompanyId column in users table in entity framework?
After some more research and testing I found that the reason why you can't use User.Identity.Name in the same call with SignInManager.PasswordSignInAsync is that User.Identity filled out with the claims from authentication cookie (which are not parsed yet).
So I tried a second call with an await to the UserManager
var user = await UserManager.FindAsync(model.Email, model.Password);
and it worked like a charm.
I am using asp.net Identity in my project. In VerifyPhoneNumber view, when user confirm his phone number, he is logged out (.AspNetApplicationCookie is removed. I checked this from Resource tab inspect chrome).
Code of VerifyPhoneNumber action in ManageController:
if (!ModelState.IsValid)
{
return View(model);
}
string phoneNumber = UserManager.GetPhoneNumber(User.Identity.GetUserId());
var result = await UserManager.ChangePhoneNumberAsync(User.Identity.GetUserId(), phoneNumber, model.Code);
if (result.Succeeded)
{
var user = await UserManager.FindByIdAsync(User.Identity.GetUserId());
if (user != null)
{
await SignInManager.SignInAsync(user, isPersistent: false, rememberBrowser: false);
}
ViewBag.Message = "Complete";
return View();
}
// If we got this far, something failed, redisplay form
ModelState.AddModelError("", "something wrong!");
return View(model);
Why this happens?
Update
I have set validateInterval for SecurityStampValidator to 0.
The ChangePhoneNumberAsync has this line:
await UpdateSecurityStampInternal(user).WithCurrentCulture();
Which causes the cookie expiration or re-validation.
If you don't want it, you have to inherit from the UserManager<TUser> class (create your CustomUserManager class) and then override the ChangePhoneNumberAsync method. Just use the same code without the UpdateSecurityStampInternal line.
Changing any security related information on the user (i.e password/phone number/email) automatically causes the cookie to expire by default (via the security stamp for the user getting flipped)
I am using ASP.NET MVC 5.1 with Owin and Claims authentication.
After the user changes its email I need to update the users claims, so I tried in the controller:
ClaimsIdentity identity = (ClaimsIdentity)User.Identity;
Claim claim = identity.FindFirst(ClaimTypes.Email);
identity.RemoveClaim(claim);
identity.AddClaim(new Claim(ClaimTypes.Email, newEmail));
IOwinContext context = new OwinContext();
context.Authentication.SignOut(DefaultAuthenticationTypes.ExternalCookie);
context.Authentication.SignIn(identity);
The Claim is changed but when I refresh the page the email claims is the original again ...
It seems the cookie is not being updated. Any idea what I am doing wrong?
And is it possible to get the value of "IsPersistent" from the identity so when I sign it again I will have the same value?
Thank You,
Miguel
I had this same problem, so just wanted to summarise my findings here. As Chris says, the basis of the answer is indeed here: How to change authentication cookies after changing UserName of current user with asp.net identity but I found that thread a bit hard to follow, and that question isn't really a direct duplicate.
To begin, get the AuthenticationManager from the current OWIN context. Once you have that, you can get the value of "isPersistent" (and other properties from the original SignIn call), by calling the AuthenticateAsync method. Then to update the claims of the current user identity you just need to replace the value of the AuthenticationResponseGrant property like this:
var identity = (ClaimsIdentity)User.Identity;
// Call AddClaim, AddClaims or RemoveClaim on the user identity.
IOwinContext context = Request.GetOwinContext();
var authenticationContext =
await context.Authentication.AuthenticateAsync(DefaultAuthenticationTypes.ExternalCookie);
if (authenticationContext != null)
{
authenticationManager.AuthenticationResponseGrant = new AuthenticationResponseGrant(
identity,
authenticationContext.Properties);
}
It is the final setting of the AuthenticationResponseGrant property that actually updates the cookie.
Hope this helps other readers.
SORRY, this is an ASP.NET CORE solution
I also challenged the problem with claims, but the answer was easy to find.
To refresh your cookie, you can rely on the RefreshSignInAsync() function of the SignInManager;
private readonly UserManager<ApplicationUser> _userManager;
private readonly ApplicationDbContext _context;
private readonly SignInManager<ApplicationUser> _signInManager;
public ApiClubController(UserManager<ApplicationUser> userManager, SignInManager<ApplicationUser> signInManager, ApplicationDbContext context)
{
_userManager = userManager;
_context = context;
_signInManager = signInManager;
}
Inside your function:
//GET CURRENT USER
var usr = await GetCurrentUserAsync();
//OLD CLAIM
var myClaims = await _userManager.GetClaimsAsync(usr);
var oldClaim = myClaims.Where(o => o.Type.Equals("Club")).FirstOrDefault();
if (oldClaim != null)
{
await _userManager.RemoveClaimAsync(usr, oldClaim);
}
//CREATE CLUB CLAIM
var clubClaim = new Claim("Club", "" + id);
await _userManager.AddClaimAsync(usr, clubClaim);
//RESET USER COOKIE
await _signInManager.RefreshSignInAsync(usr);
//RETURN
return Ok(company);;
NOTE:
I'm using an API here, because I'm mixing up a lot with angular.
If you update your identity with your API, you need to refresh your page in order to view things based on your claim
This works for me. Not sure if it is the best way but the updated claim is in the DB and in subsequent controllers.
var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
var c = identity.Claims.FirstOrDefault(r => r.Type == "tId");
await UserManager.RemoveClaimAsync(user.Id, c);
await UserManager.AddClaimAsync(user.Id, new Claim("tId", "9032C945-DC5C-4FC9-BE7C-8EDC83A72E58"));
AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = isPersistent }, identity);