Vulnerability in EPiServer.Forms
This is not necessarily an EPiServer issue, but I am trying to find a solution to this and was wondering if any of you might have run into this issue.
My site uses multiple authentication schemes (CookieAuthentication for the web site and JwtBearerAuthentication for the Content Delivery API). For some reason I have to add custom claims after the token validation is complete and couldn't find a way to do it. This is a classic MVC site on .NET Framework 4.7.2. I saw that something like this can be done in ASP.NET Core, but if anyone has run into such scenarios I would like to hear any input.
Below is the sample code for token validation.
    app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
    {
        TokenHandler = new ValidateJwtSecurityTokenHandlerforLogs(_loggingService, _environment),
        AuthenticationMode = AuthenticationMode.Active,
        TokenValidationParameters = new TokenValidationParameters()
        {
            NameClaimType = JwtClaimTypes.Name,
            RoleClaimType = OpenIDConfiguration.Permission,
            // Note: with ValidateAudience = false, any token signed by this issuer for any client is accepted.
            ValidateAudience = false,
            ValidIssuer = authority,
            IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) =>
            {
                // Discovery document is fetched (and cached by the ConfigurationManager) from /.well-known/openid-configuration.
                var discoveryDocument = Task.Run(() => configurationManager.GetConfigurationAsync()).GetAwaiter().GetResult();
                // Resolver body was cut off in the original post; returning the keys matching the token's "kid" is the assumed completion.
                return discoveryDocument.SigningKeys.Where(k => k.KeyId == identifier);
            }
        }
    });
How do clients obtain that JWT token?
If it's from an OAuth or OpenID provider, then you can try using another middleware, one that provides an event hook where you can add your custom claims.
We have Okta as our authentication provider. Clients that use our API generate a token by calling Okta (the authority/provider). I receive the token and validate it against the same authority using the /.well-known/openid-configuration endpoint.
However, there is a need to create some custom claims after authentication is complete, or upon receiving the token, since these custom claims cannot be created at Okta (for technical reasons at our end). So the intention is that after the token is received/validated, I can add new claims and update the identity somehow.
Tried browsing online but found nothing that meets my needs, so ended up here even though it is not really an Epi question.
I have done similar integrations several times, although with Azure AD instead of Okta.
You can try using Microsoft.AspNet.Authentication.OAuthBearer instead of the more basic JWT middleware.
Then you can add a delegate method to its options parameter. It would be the Notifications.SecurityTokenValidated property. This delegate is only called if the token is valid, and so you can add custom claims to the ClaimsIdentity instance.
Thanks for the input. I will do some research on it. Do you have an example that you can share?
Besides, my token is created by an external authorization server (Okta), which is our identity server. Not sure if I can still use OAuthBearer, as JwtBearerAuthentication seems to be the standard as per OpenID Connect.
If Okta gives you an OAuth token, then you can use the middleware I described. I have done the same with Azure AD, native apps and WebAPI.
Then you are able to manipulate the claims in the SecurityTokenValidated event (something similar to the sample on this documentation page).
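An added example, not code from any of the posters above, illustrating the post-validation hook the two answers describe. The answers name the SecurityTokenValidated notification; in the OWIN/Katana JWT bearer middleware the asker is already using on .NET Framework (Microsoft.Owin.Security.Jwt), the hook with the same role is `JwtBearerAuthenticationOptions.Provider` with `OnValidateIdentity`, which the middleware invokes only after signature, issuer and lifetime checks have passed. Assumed here: the NuGet packages Microsoft.Owin.Security.Jwt, Microsoft.Owin.Security.OAuth and Microsoft.IdentityModel.Protocols.OpenIdConnect; an `authority` URL for the Okta authorization server; an audience value `api://my-api`; and a hypothetical `ICustomClaimsStore` that supplies the application-local claims that cannot be issued by Okta.

```csharp
// Added example (not from the original thread).
// Assumes: Microsoft.Owin.Security.Jwt, Microsoft.Owin.Security.OAuth,
// Microsoft.IdentityModel.Protocols.OpenIdConnect; a hypothetical ICustomClaimsStore.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Hypothetical: whatever on our side knows the claims Okta cannot issue.
public interface ICustomClaimsStore
{
    // Returns application-local claims for the token's subject ("sub").
    Task<Claim[]> GetClaimsAsync(string subject);
}

public static class BearerAuthConfig
{
    public static void ConfigureBearerAuth(IAppBuilder app, string authority, ICustomClaimsStore store)
    {
        // Fetches and caches the discovery document, including the issuer's signing keys.
        var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            authority.TrimEnd('/') + "/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

        app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
        {
            AuthenticationMode = AuthenticationMode.Active,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidIssuer = authority,
                ValidateAudience = true,          // accept only tokens minted for this API
                ValidAudience = "api://my-api",   // assumed value
                IssuerSigningKeyResolver = (token, securityToken, kid, parameters) =>
                {
                    var config = Task.Run(() => configurationManager.GetConfigurationAsync())
                                     .GetAwaiter().GetResult();
                    return config.SigningKeys.Where(k => k.KeyId == kid);
                }
            },
            // Runs only after the token has been validated; this is the Katana
            // counterpart of the SecurityTokenValidated notification.
            Provider = new OAuthBearerAuthenticationProvider
            {
                OnValidateIdentity = async context =>
                {
                    ClaimsIdentity identity = context.Ticket.Identity;
                    string subject = identity.FindFirst("sub")?.Value;
                    if (string.IsNullOrEmpty(subject))
                    {
                        // No subject means we cannot attribute local claims safely; fail closed.
                        context.Rejected();
                        return;
                    }

                    foreach (Claim claim in await store.GetClaimsAsync(subject))
                    {
                        // Tag the issuer so downstream code can distinguish
                        // locally added claims from those signed by Okta.
                        identity.AddClaim(new Claim(claim.Type, claim.Value, claim.ValueType, "local-claims-store"));
                    }

                    context.Validated();
                }
            }
        });
    }
}
```

Two caveats a practitioner will want. First, nothing here is persisted: a bearer token is stateless, so `OnValidateIdentity` runs on every API request and the claims lookup must be cheap or cached. Second, the added claims are never part of the signed token; they are trusted only inside this process, so a client cannot present them to another service, and the cookie-authenticated web pipeline mentioned in the question is unaffected because it builds its own ClaimsIdentity.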