November Happy Hour will be moved to Thursday December 5th.

AI OnAI Off

Update Claims after Authentication

Dileep D
Dileep D
Vote:
 

Hello,

This is not necessarily and EpiServer issue but am trying to find a solution to this and was thinking if any of us might have ran in this issue.

My site uses multiple authentication schemes (CookieAuthentication for Web and JwtBearerAuthentication for Content Delivery API). For some reason I have to add custom claims after the token validation is complete and couldn't find a way to do it. This is classic MVC site with framework 4.7.2. I saw something like this can be done in asp.net core but if anyone has ran into such scenarios would like to hear any inputs.

Below is the sample code for token validation.

        app.UseJwtBearerAuthentication(
            new JwtBearerAuthenticationOptions
            {
                TokenHandler = new ValidateJwtSecurityTokenHandlerforLogs(_loggingService, _environment),
                AuthenticationMode = AuthenticationMode.Active,
                
                TokenValidationParameters = new TokenValidationParameters()
                {
                    NameClaimType = JwtClaimTypes.Name, 
                    RoleClaimType = OpenIDConfiguration.Permission, 
                    ValidateAudience = false, 
                    ValidIssuer = authority,
                    
                    
                    IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) =>
                    {
                        var discoveryDocument = Task.Run(() => configurationManager.GetConfigurationAsync()).GetAwaiter().GetResult();
                        return discoveryDocument.SigningKeys;
                    }
                }
                
            });
#226799
Aug 20, 2020 15:22
Stefan Holm Olsen
Stefan Holm Olsen
Vote:
 

Hi Dileep

How do clients obtain that JWT token?

If it's from an OAuth or OpenID provider, then you can try using another middleware. One that provides an event hook where you can add your custom claims.

#226802
Aug 20, 2020 18:16
Dileep D
Dileep D
Vote:
 

Stefan,

We have our OKTA as our authentication provider. Clients that use our API generate token by calling OKTA (Authority/provider). I receive the token and validate it against the same authority using /.well-known/openid-configuration end point.

However there is a need to create some custom claims after the authentication is complete or upon receiving the token since these custom claims cannot be created at OKTA (for some technical reasons at our end) so the intention is after token is received/validated, I can add new claims and update the identity some how.

Tried browising online but nothing that meets my needs so ended up here even though it is not really an Epi Question.

#226805
Aug 20, 2020 19:48
Stefan Holm Olsen
Stefan Holm Olsen
Vote:
 

I have done similar integration several times, although with Azure AD instead Okta.

You can try using Microsoft.AspNet.Authentication.OAuthBearer instead of the more basic JWT middleware.

Then you can add a delegate method to its options parameter. It would be the Notifications.SecurityTokenValidated property. This delegate is only called if the token is valid, and so you can add custom claims to the ClaimsIdentity instance.

#226841
Aug 21, 2020 7:00
Dileep D
Dileep D
Vote:
 

Thanks for the inputs. I will do some research on it. Do you have an example that you can share?

Besides my token is created by an external authorizatin server (OKTA) which is our IdentityServer. Not sure if I still can use OAuthBearer as JWTBearerAuthentication seems to be standard as per OpenIdConnect.


                        

                        #226937
                        
                        

                                Edited, 
                            Aug 24, 2020 1:38
                        

                    


                    

                    


                

            

            

                

                    
                    
                        
                        Stefan Holm Olsen
                    


                    
                    

                        Stefan Holm Olsen
                        

    
            
            
            


                    

                


                

                    

                        


                            
                            Vote:
                            

                                
                                 
                                
                            


                        


                        
                        

                            
If Okta gives you an OAuth token, then you can use the middleware I described. I have done the same with Azure AD, native apps and WebAPI.


Then you are able to manipulate the claims in the SecurityTokenValidated event (something similar to the sample on this documentation page).

                        

                        #226938
                        
                        

                            Aug 24, 2020 5:19
                        

                    


                    

                    


                

            

    






    







        

            
                
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.