How to update a claim in ASP NET Identity

Question

I m using OWIN authentication for my MVC5 project  This is my SignInAsync   private async Task SignInAsync ApplicationUser user  bool isPersistent                        var AccountNo    101               AuthenticationManager SignOut DefaultAuthenticationTypes ExternalCookie               var identity   await UserManager CreateIdentityAsync user  DefaultAuthenticationTypes ApplicationCookie               identity AddClaim new Claim ClaimTypes UserData  AccountNo                AuthenticationManager SignIn new AuthenticationProperties     IsPersistent   isPersistent  RedirectUri  Account Index    identity               As you can see  i added AccountNo into the Claims list   Now   how can I update this Claim at some point in my application  So far  i have this    public string AccountNo                        get                               var CP   ClaimsPrincipal Current Identities First                    var Account  CP Claims FirstOrDefault p   gt  p Type    ClaimTypes UserData                   return Account Value                            set                               var CP   ClaimsPrincipal Current Identities First                    var AccountNo  CP Claims FirstOrDefault p   gt  p Type    ClaimTypes UserData  Value                  CP RemoveClaim new Claim ClaimTypes UserData AccountNo                    CP AddClaim new Claim ClaimTypes UserData  value                               when i try to remove the claim  I get this exception       The Claim    http   schemas microsoft com ws 2008 06 identity claims userdata    101  was not able to be removed   It is either not part of this   Identity or it is a claim that is owned by the Principal that contains   this Identity  For example  the Principal will own the claim when   creating a GenericPrincipal with roles  The roles will be exposed   through the Identity that is passed in the constructor  but not   actually owned by the Identity   Similar logic exists for a   RolePrincipal    Could someone help me figure out how to update the Claim

User · Answer

I am using a  net core 2 2 app and used the following solution  in my statup cs public void ConfigureServices IServiceCollection services                                   services AddIdentity lt IdentityUser  IdentityRole gt  options   gt                                                                           AddEntityFrameworkStores lt AdminDbContext gt                    AddDefaultTokenProviders                   AddSignInManager      usage   private readonly SignInManager lt IdentityUser gt   signInManager            public YourController                                           SignInManager lt IdentityUser gt  signInManager                                        signInManager   signInManager              public async Task lt IActionResult gt  YourMethod       lt -NOTE IT IS ASYNC                           var user    userManager FindByNameAsync User Identity Name  Result                  var claimToUse   ClaimsHelpers CreateClaim ClaimTypes ActiveCompany  JsonConvert SerializeObject cc                    var claimToRemove    userManager GetClaimsAsync user  Result                      FirstOrDefault x   gt  x Type    ClaimTypes ActiveCompany ToString                     if  claimToRemove    null                                        var result    userManager ReplaceClaimAsync user  claimToRemove  claimToUse  Result                      await  signInManager RefreshSignInAsync user      lt --- THIS                                   else

User · Answer

Compiled some answers from here into re-usable ClaimsManager class with my additions    Claims got persisted  user cookie updated  sign in refreshed    Please note that ApplicationUser can be substituted with IdentityUser if you didn t customize former  Also in my case it needs to have slightly different logic in Development environment  so you might want to remove IWebHostEnvironment dependency   using System  using System Collections Generic  using System Linq  using System Security Claims  using System Threading Tasks  using YourMvcCoreProject Models  using Microsoft AspNetCore Hosting  using Microsoft AspNetCore Identity  using Microsoft Extensions Hosting   namespace YourMvcCoreProject Identity       public class ClaimsManager               private readonly UserManager lt ApplicationUser gt   userManager          private readonly SignInManager lt ApplicationUser gt   signInManager          private readonly IWebHostEnvironment  env          private readonly ClaimsPrincipalAccessor  currentPrincipalAccessor           public ClaimsManager              ClaimsPrincipalAccessor currentPrincipalAccessor              UserManager lt ApplicationUser gt  userManager              SignInManager lt ApplicationUser gt  signInManager              IWebHostEnvironment env                         currentPrincipalAccessor   currentPrincipalAccessor               userManager   userManager               signInManager   signInManager               env   env                          lt param name  refreshSignin  gt Sometimes  e g  when adding multiple claims at once  it is desirable to refresh cookie only once  for the last one  lt  param gt          public async Task AddUpdateClaim string claimType  string claimValue  bool refreshSignin   true                        await AddClaim                   currentPrincipalAccessor ClaimsPrincipal                  claimType                  claimValue                   async user   gt                                        await RemoveClaim  currentPrincipalAccessor ClaimsPrincipal  user  claimType                                      refreshSignin                      public async Task AddClaim string claimType  string claimValue  bool refreshSignin   true                        await AddClaim  currentPrincipalAccessor ClaimsPrincipal  claimType  claimValue  refreshSignin                           lt summary gt              At certain stages of user auth there is no user yet in context but there is one to work with in client code  e g  calling from ClaimsTransformer              that s why we have principal as param              lt  summary gt          public async Task AddClaim ClaimsPrincipal principal  string claimType  string claimValue  bool refreshSignin   true                        await AddClaim                  principal                  claimType                  claimValue                   async user   gt                                           allow reassignment in dev                     if   env IsDevelopment                             await RemoveClaim principal  user  claimType                        if  GetClaim principal  claimType     null                          throw new ClaimCantBeReassignedException claimType                                                      refreshSignin                      public async Task RemoveClaims IEnumerable lt string gt  claimTypes  bool refreshSignin   true                        await RemoveClaims  currentPrincipalAccessor ClaimsPrincipal  claimTypes  refreshSignin                      public async Task RemoveClaims ClaimsPrincipal principal  IEnumerable lt string gt  claimTypes  bool refreshSignin   true                        AssertAuthenticated principal               foreach  var claimType in claimTypes                                await RemoveClaim principal  claimType                                reflect the change in the Identity cookie             if  refreshSignin                  await  signInManager RefreshSignInAsync await  userManager GetUserAsync principal                       public async Task RemoveClaim string claimType  bool refreshSignin   true                        await RemoveClaim  currentPrincipalAccessor ClaimsPrincipal  claimType  refreshSignin                      public async Task RemoveClaim ClaimsPrincipal principal  string claimType  bool refreshSignin   true                        AssertAuthenticated principal               var user   await  userManager GetUserAsync principal               await RemoveClaim principal  user  claimType                  reflect the change in the Identity cookie             if  refreshSignin                  await  signInManager RefreshSignInAsync user                      private async Task AddClaim ClaimsPrincipal principal  string claimType  string claimValue  Func lt ApplicationUser  Task gt  processExistingClaims  bool refreshSignin                        AssertAuthenticated principal               var user   await  userManager GetUserAsync principal               await processExistingClaims user               var claim   new Claim claimType  claimValue               ClaimsIdentity principal  AddClaim claim               await  userManager AddClaimAsync user  claim                  reflect the change in the Identity cookie             if  refreshSignin                  await  signInManager RefreshSignInAsync user                           lt summary gt              Due to bugs or as result of debug it can be more than one identity of the same type              The method removes all the claims of a given type               lt  summary gt          private async Task RemoveClaim ClaimsPrincipal principal  ApplicationUser user  string claimType                        AssertAuthenticated principal               var identity   ClaimsIdentity principal               var claims   identity FindAll claimType  ToArray                if  claims Length  gt  0                                await  userManager RemoveClaimsAsync user  claims                   foreach  var c in claims                                        identity RemoveClaim c                                                      private static Claim GetClaim ClaimsPrincipal principal  string claimType                        return ClaimsIdentity principal  FindFirst claimType                                   lt summary gt              This kind of bugs has to be found during testing phase              lt  summary gt          private static void AssertAuthenticated ClaimsPrincipal principal                        if   principal Identity IsAuthenticated                  throw new InvalidOperationException  User should be authenticated in order to update claims                       private static ClaimsIdentity ClaimsIdentity ClaimsPrincipal principal                        return  ClaimsIdentity  principal Identity                        public class ClaimCantBeReassignedException   Exception               public ClaimCantBeReassignedException string claimType    base    claimType  can not be reassigned                              public class ClaimsPrincipalAccessor       private readonly IHttpContextAccessor  httpContextAccessor       public ClaimsPrincipalAccessor IHttpContextAccessor httpContextAccessor                 httpContextAccessor   httpContextAccessor             public ClaimsPrincipal ClaimsPrincipal   gt   httpContextAccessor HttpContext User        to register dependency put this into your Startup cs and inject ClaimsManager into Controller constructor  or other class  the in same way as you do for other dependencies     public class Startup       public IServiceProvider ConfigureServices IServiceCollection services                services AddTransient lt ClaimsPrincipalAccessor gt             services AddTransient lt ClaimsManager gt

User · Answer

Multiple Cookies Multiple Claims   public class ClaimsCookie               private readonly ClaimsPrincipal  user          private readonly HttpContext  httpContext          public ClaimsCookie ClaimsPrincipal user  HttpContext httpContext   null                         user   user               httpContext   httpContext                     public string GetValue CookieName cookieName  KeyName keyName                        var principal    user as ClaimsPrincipal              var cp   principal Identities First i   gt  i AuthenticationType      CookieName cookieName  ToString                 return cp FindFirst   KeyName keyName  ToString    Value                    public async void SetValue CookieName cookieName  KeyName   keyName  string   value                        if  keyName Length    value Length                                return                            var principal    user as ClaimsPrincipal              var cp   principal Identities First i   gt  i AuthenticationType      CookieName cookieName  ToString                 for  int i   0  i  lt  keyName Length  i                                  if  cp FindFirst   KeyName keyName i   ToString       null                                        cp RemoveClaim cp FindFirst   KeyName keyName i   ToString                          cp AddClaim new Claim   KeyName keyName i   ToString    value i                                                  await  httpContext SignOutAsync CookieName UserProfilCookie ToString                 await  httpContext SignInAsync CookieName UserProfilCookie ToString    new ClaimsPrincipal cp                   new AuthenticationProperties                                       IsPersistent   bool Parse cp FindFirst KeyName IsPersistent ToString    Value                       AllowRefresh   true                                       public enum CookieName                       CompanyUserProfilCookie   0  UserProfilCookie   1  AdminPanelCookie   2                   public enum KeyName                       Id  Name  Surname  Image  IsPersistent

User · Answer

Another  async  approach  using Identity s UserManager and SigninManager to reflect the change in the Identity cookie  and to optionally remove claims from db table AspNetUserClaims       Get User and a claims-based identity ApplicationUser user   await UserManager FindByIdAsync User Identity GetUserId     var Identity   new ClaimsIdentity User Identity       Remove existing claim and replace with a new value await UserManager RemoveClaimAsync user Id  Identity FindFirst  AccountNo     await UserManager AddClaimAsync user Id  new Claim  AccountNo   value        Re-Signin User to reflect the change in the Identity cookie await SignInManager SignInAsync user  isPersistent  false  rememberBrowser  false        optional  remove claims from claims table dbo AspNetUserClaims  if not needed var userClaims   UserManager GetClaims user Id   if  userClaims Any        foreach  var item in userClaims          UserManager RemoveClaim user Id  item

User · Answer

I get that exception too and cleared things up like this  var identity   User Identity as ClaimsIdentity  var newIdentity   new ClaimsIdentity identity AuthenticationType  identity NameClaimType  identity RoleClaimType   newIdentity AddClaims identity Claims Where c   gt  false     c Type    claim Type  amp  amp  c Value    claim Value        the claim has been removed  you can add it with a new value now if desired AuthenticationManager SignOut identity AuthenticationType   AuthenticationManager SignIn new AuthenticationProperties     IsPersistent   isPersistent    newIdentity

User · Answer

Here you go               var user   User as ClaimsPrincipal              var identity   user Identity as ClaimsIdentity              var claim    from c in user Claims                          where c Type    ClaimTypes UserData                          select c  Single                identity RemoveClaim claim     taken from here

User · Answer

if  HttpContext User Identity is ClaimsIdentity identity                        identity RemoveClaim identity FindFirst  userId                 identity AddClaim new Claim  userId   userInfo  id ToString                  await HttpContext SignInAsync                  CookieAuthenticationDefaults AuthenticationScheme                  new ClaimsPrincipal HttpContext User Identity

User · Answer

Using latest Asp Net Identity with  net core 2 1  I m being able to update user claims with the following logic    Register a UserClaimsPrincipalFactory so that every time SignInManager sings user in  the claims are created   services AddScoped lt IUserClaimsPrincipalFactory lt ApplicationUser gt   UserClaimService gt      Implement a custom UserClaimsPrincipalFactory lt TUser  TRole gt  like below  public class UserClaimService   UserClaimsPrincipalFactory lt ApplicationUser  ApplicationRole gt        private readonly ApplicationDbContext  dbContext       public UserClaimService ApplicationDbContext dbContext  UserManager lt ApplicationUser gt  userManager  RoleManager lt ApplicationRole gt  roleManager  IOptions lt IdentityOptions gt  optionsAccessor    base userManager  roleManager  optionsAccessor                 dbContext   dbContext             public override async Task lt ClaimsPrincipal gt  CreateAsync ApplicationUser user                var principal   await base CreateAsync user               Get user claims from DB using dbContext             Add claims           ClaimsIdentity principal Identity  AddClaim new Claim  claimType    some important claim value              return principal           Later in your application when you change something in the DB and would like to reflect this to your authenticated and signed in user  following lines achieves this   var user   await  userManager GetUserAsync User   await  signInManager RefreshSignInAsync user      This makes sure user can see up to date information without requiring login again  I put this just before returning the result in the controller so that when the operation finishes  everything securely refreshed   Instead of editing existing claims and creating race conditions for secure cookie etc  you just sign user in silently and refresh the state

User · Answer

when I use MVC5  and add the claim here   public async Task lt ClaimsIdentity gt  GenerateUserIdentityAsync PATAUserManager manager                   Note the authenticationType must match the one defined in CookieAuthenticationOptions AuthenticationType         var userIdentity   await manager CreateIdentityAsync this  DefaultAuthenticationTypes ApplicationCookie              Add custom user claims here         userIdentity AddClaim new Claim ClaimTypes Role  this Role             return userIdentity          when I m check the claim result in the SignInAsync function i can t get the role value use anyway  But     after this request finished  I can access Role in other action anther request     var userWithClaims    ClaimsPrincipal User          Claim CRole   userWithClaims Claims First c   gt  c Type    ClaimTypes Role     so  i think maybe asynchronous cause the IEnumerable updated behind the process

User · Answer

You can create a new ClaimsIdentity and then do the claims update with such   set          get context of the authentication manager     var authenticationManager   HttpContext GetOwinContext   Authentication          create a new identity from the old one     var identity   new ClaimsIdentity User Identity           update claim value     identity RemoveClaim identity FindFirst  AccountNo         identity AddClaim new Claim  AccountNo   value            tell the authentication manager to use this new identity     authenticationManager AuthenticationResponseGrant            new AuthenticationResponseGrant              new ClaimsPrincipal identity               new AuthenticationProperties   IsPersistent   true

User · Answer

I created a Extension method to Add Update Read Claims based on a given ClaimsIdentity namespace Foobar Common Extensions       public static class Extensions               public static void AddUpdateClaim this IPrincipal currentPrincipal  string key  string value                        var identity   currentPrincipal Identity as ClaimsIdentity              if  identity    null                  return                  check for existing claim and remove it             var existingClaim   identity FindFirst key               if  existingClaim    null                  identity RemoveClaim existingClaim                   add new claim             identity AddClaim new Claim key  value                var authenticationManager   HttpContext Current GetOwinContext   Authentication              authenticationManager AuthenticationResponseGrant   new AuthenticationResponseGrant new ClaimsPrincipal identity   new AuthenticationProperties     IsPersistent   true                        public static string GetClaimValue this IPrincipal currentPrincipal  string key                        var identity   currentPrincipal Identity as ClaimsIdentity              if  identity    null                  return null               var claim   identity Claims FirstOrDefault c   gt  c Type    key               return claim Value                     and then to use it using Foobar Common Extensions   namespace Foobar Web Main Controllers       public class HomeController   Controller               public ActionResult Index                            add updating claims             User AddUpdateClaim  quot key1 quot    quot value1 quot                User AddUpdateClaim  quot key2 quot    quot value2 quot                User AddUpdateClaim  quot key3 quot    quot value3 quot                       public ActionResult Details                            reading a claim             var key2   User GetClaimValue  quot key2 quot

User · Answer

You can update claims for the current user by implementing a CookieAuthenticationEvents class and overriding ValidatePrincipal  There you can remove the old claim  add the new one  and then replace the principal using CookieValidatePrincipalContext ReplacePrincipal  This does not affect any claims stored in the database  This is using ASP NET Core Identity 2 2   public class MyCookieAuthenticationEvents   CookieAuthenticationEvents       string newAccountNo    102        public override Task ValidatePrincipal CookieValidatePrincipalContext context                   first remove the old claim         var claim   context Principal FindFirst ClaimTypes UserData           if  claim    null                          ClaimsIdentity context Principal Identity  RemoveClaim claim                         add the new claim           ClaimsIdentity context Principal Identity  AddClaim new Claim ClaimTypes UserData  newAccountNo                replace the claims         context ReplacePrincipal context Principal           context ShouldRenew   true           return Task CompletedTask            You need to register the events class in Startup cs   public IServiceProvider ConfigureServices IServiceCollection services        services AddScoped lt MyCookieAuthenticationEvents gt          services ConfigureApplicationCookie o   gt                o EventsType   typeof MyCookieAuthenticationEvents               You can inject services into the events class to access the new AccountNo value but as per the warning on this page you should avoid doing anything too expensive      Warning      The approach described here is triggered on every request  Validating   authentication cookies for all users on every request can result in a   large performance penalty for the app

User · Answer

The extension method worked great for me with one exception that if the user logs out there old claim sets still existed so with a tiny modification as in passing usermanager through everything works great and you dont need to logout and login  I cant answer directly as my reputation has been dissed     public static class ClaimExtensions       public static void AddUpdateClaim this IPrincipal currentPrincipal     string key  string value  ApplicationUserManager userManager                var identity   currentPrincipal Identity as ClaimsIdentity          if  identity    null              return              check for existing claim and remove it         var existingClaim   identity FindFirst key           if  existingClaim    null                        RemoveClaim currentPrincipal  key  userManager                         add new claim         var claim   new Claim key  value           identity AddClaim claim           var authenticationManager   HttpContext Current GetOwinContext   Authentication          authenticationManager AuthenticationResponseGrant   new AuthenticationResponseGrant new ClaimsPrincipal identity   new AuthenticationProperties     IsPersistent   true               Persist to store         userManager AddClaim identity GetUserId   claim               public static void RemoveClaim this IPrincipal currentPrincipal  string key  ApplicationUserManager userManager                var identity   currentPrincipal Identity as ClaimsIdentity          if  identity    null              return               check for existing claim and remove it         var existingClaims   identity FindAll key           existingClaims ForEach c  gt  identity RemoveClaim c               remove old claims from store         var user   userManager FindById identity GetUserId             var claims    userManager GetClaims user Id           claims Where x   gt  x Type    key  ToList   ForEach c   gt  userManager RemoveClaim user Id  c                public static string GetClaimValue this IPrincipal currentPrincipal  string key                var identity   currentPrincipal Identity as ClaimsIdentity          if  identity    null              return null           var claim   identity Claims First c   gt  c Type    key           return claim Value             public static string GetAllClaims this IPrincipal currentPrincipal  ApplicationUserManager userManager                var identity   currentPrincipal Identity as ClaimsIdentity          if  identity    null              return null           var claims   userManager GetClaims identity GetUserId             var userClaims   new StringBuilder            claims ForEach c   gt  userClaims AppendLine    lt li gt  c Type    c Value  lt  li gt              return userClaims ToString

User · Answer

To remove claim details from database we can use below code  Also  we need to sign in again to update the cookie values      create a new identity              var identity   new ClaimsIdentity User Identity                   Remove the existing claim value of current user from database             if identity FindFirst  NameOfUser    null                  await UserManager RemoveClaimAsync applicationUser Id  identity FindFirst  NameOfUser                     Update customized claim              await UserManager AddClaimAsync applicationUser Id  new Claim  NameOfUser   applicationUser Name                    the claim has been updates  We need to change the cookie value for getting the updated claim             AuthenticationManager SignOut identity AuthenticationType               await SignInManager SignInAsync Userprofile  isPersistent  false  rememberBrowser  false                return RedirectToAction  Index    Home

[c#] How to update a claim in ASP.NET Identity?

Examples related to c#

Examples related to asp.net

Examples related to asp.net-mvc

Examples related to asp.net-mvc-4

Examples related to asp.net-web-api