November Happy Hour will be moved to Thursday December 5th.

AI OnAI Off

OIDC - mapping role claims to virtual roles not working

Jørgen Tonvang
Jørgen Tonvang
Vote:
 

We're having a problem with an OIDC-integration on .NET 5/CMS 12 - the integration itself is working fine, a user is sent to the identity provider and redirected back to the CMS as expected. 

However, since this identity provider doesn't provide any roles, we need to have a way to add them to a virtual role ourselves, as identifying with this provider should authorize you to a specific part of the site. 

To do this, we've tried adding a claim in the OnTokenValidated-Event, like so:

                    options.Events.OnTokenValidated = (context) =>
                    {
                        var ident = (ClaimsIdentity)context.Principal.Identity;
                        
                        ident.AddClaim(new Claim(ClaimTypes.Role, "SomeRole"));

                        var redirectUri = new Uri(context.Properties.RedirectUri, UriKind.RelativeOrAbsolute);

                        if (redirectUri.IsAbsoluteUri)
                        {
                            context.Properties.RedirectUri = redirectUri.PathAndQuery;
                        }

                        ServiceLocator.Current.GetInstance<ISynchronizingUserService>().SynchronizeAsync(ident);

                        return Task.FromResult(0);
                    };

This seemingly works, as inspecting the user in any ControllerContext now shows that he has the correct claim. 

However, the virtual role mapping we've set up ignores this claim:

"EpiServer": {
    "Cms": {
      "MappedRoles": {
        "Items": {
          "VirtualRoleTest": {
            "MappedRoles": [ "SomeRole" ],
            "ShouldMatchAll" :  "false"
          }
        }
      }
    }
  }

The user does not have the virtual role (replacing "SomeRole" with "Everyone" works, so the is set up correctly). 

I also tried creating a custom VirtualRole by inheriting VirtualRoleProviderBase, and the IPrincipal argument that gets sent into that does not have any claims other than two role claims for "Everyone" and "Anonymous" - trying to read it from IHttpContextAccessor (in the VirtualRole) yields the same result, no claims there either. 

So, seeing as it works in the context of a controller, but not here - what step am I missing? Grateful for any ideas!

#272283
Feb 16, 2022 13:37
Ynze
Ynze
Vote:
 

It looks like you need to use SupportsClaims to add your claim to the current principle — as described in the documentation here: 

https://world.optimizely.com/documentation/developer-guides/CMS/security/Virtual-roles/

#272634
Edited, Feb 21, 2022 3:46
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.