ASP.NET Core Identity by default uses cookies to store
claims. If your authorization is very granular then you will end up using many
claims. With all these claims stored in cookie, the cookie size gets bigger and
you can exceed the cookie limit.
We can achieve the authorization granularity without
exceeding the cookie limit and impacting the way ASP.NET Identity authorizes
users by storing the claims in session, Redis or any other memory storage.
Below are the steps I implemented to store the claims in
session.
First let’s store the claims in session (assuming that the
ASP.NET Core Session is already configured). During authentication, Identity
system uses SignInManager for creating principal object of the logged in user.
While creating the principal object, Identity populates the claims. We can
override this SignInManager and store the claims as shown below:
public class ApplicationSignInManager : SignInManager<ApplicationUser>
{
private IHttpContextAccessor contextAccessor;
public
ApplicationSignInManager(UserManager<ApplicationUser> userManager, IHttpContextAccessor contextAccessor, IUserClaimsPrincipalFactory<ApplicationUser> claimsFactory, IOptions<IdentityOptions> optionsAccessor, ILogger<SignInManager<ApplicationUser>> logger)
: base(userManager,
contextAccessor, claimsFactory, optionsAccessor, logger)
{
this.contextAccessor =
contextAccessor;
}
public override async Task<ClaimsPrincipal>
CreateUserPrincipalAsync(ApplicationUser user)
{
var principal = await base.CreateUserPrincipalAsync(user);
ClaimsIdentity identity = (ClaimsIdentity)principal.Identity;
//
storing claims in session and removing them. These claims will be added by
Transformer
List<ClaimModel> sessionClaims = new List<ClaimModel>();
List<Claim> identityClaims =
identity.Claims.ToList();
foreach (var claim in identityClaims)
{
sessionClaims.Add(new ClaimModel() { ClaimType =
claim.Type, ClaimValue = claim.Value });
identity.RemoveClaim(claim);
}
this.contextAccessor.HttpContext.Session.SetString("IdentityClaims", JsonConvert.SerializeObject(sessionClaims));
return principal;
}
}
The Identity system should be configured to use our ApplicationSignInManager
instead of the default one. For this we need to define the dependency injection
in the Startup under ConfigureServices
services.AddScoped<SignInManager<ApplicationUser>, ApplicationSignInManager>();
As you see with above code claims are removed from the
principal identity and stored in the session. These claims should to be added
back to the principal identity for every request. This done through the claims transformer
as shown below:
public class ClaimsTransformer : IClaimsTransformer
{
public Task<ClaimsPrincipal> TransformAsync(ClaimsTransformationContext context)
{
ClaimsPrincipal principal =
context.Principal;
ClaimsIdentity identity = (ClaimsIdentity)principal.Identity;
string claimString = NTContext.HttpContext.Session.GetString("IdentityClaims");
if (claimString != null)
{
List<ClaimModel> sessionClaims = JsonConvert.DeserializeObject<List<ClaimModel>>(claimString);
identity.AddClaims(sessionClaims.Select(sc => new Claim(sc.ClaimType,
sc.ClaimValue)));
}
return Task.FromResult(principal);
}
}
This ClaimsTransformer class is
configured in the Startup under Configure section as shown below:
app.UseClaimsTransformation(new ClaimsTransformationOptions()
{
Transformer = new ClaimsTransformer(),
});
app.UseIdentity();
With the above setup now the claims are stored in session when
the user logs in. At every request from the user these claims will be copied
from session to the identity object. Now we have overridden the default
approach of using cookies with session J
Oh, they are really hard to distinguish from each other! Thanks for the help
ReplyDeleteGreat Article Artificial Intelligence Projects
DeleteProject Center in Chennai
JavaScript Training in Chennai
JavaScript Training in Chennai Project Centers in Chennai
The saving all applications is optimal in each case. However, this also has a limit. The users will be able to leave their requests for review.
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteYou are really performing grand work. I must articulate that you really have done a great research before writing. Keep up the good work!
ReplyDeleteData Science training in Mumbai
Data Science course in Mumbai
SAP training in Mumbai
Fascinating post. I Have Been considering about this issue, so thankful for posting. Totally cool post.It 's very generally very Useful post.Thanks
ReplyDeletedata science course
Thanks for sharing an information to us.
ReplyDeleteData Science Online Training
Python Online Training
Attend The Machine Learning Course Bangalore From ExcelR. Practical Machine Learning course Bangalore Sessions With Assured Placement Support From Experienced Faculty. ExcelR Offers The Machine Learning course Bangalore.
ReplyDeleteMachine Learning Course Bangalore
Thank you for sharing.
ReplyDeleteSalesforce Online Training
This is most informative and also this post most user friendly and super navigation to all posts... Thank you so much for giving this information to me..
ReplyDeletebusiness analytics course in aurangabad
Thanks for the information about Blogspot very informative for everyone
ReplyDeletebusiness analytics training in aurangabad
Honestly speaking this blog is absolutely amazing in learning the subject that is building up the knowledge of every individual and enlarging to develop the skills which can be applied in to practical one. Finally, thanking the blogger to launch more further too.
ReplyDeleteData Analytics online course
This is most informative and also this post most user friendly and super navigation to all posts... Thank you so much for giving this information to me..
ReplyDeleteartificial intelligence course
Stupendous blog huge applause to the blogger and hoping you to come up with such an extraordinary content in future. Surely, this post will inspire many aspirants who are very keen in gaining the knowledge. Expecting many more contents with lot more curiosity further.
ReplyDeleteData Science Certification in Bhilai
Extraordinary blog went amazed with the content that they have developed in a very descriptive manner. This type of content surely ensures the participants to explore themselves. Hope you deliver the same near the future as well. Gratitude to the blogger for the efforts.
ReplyDeleteData Science Training
What a really awesome post this is. Truly, one of the best posts I've ever witnessed to see in my whole life. Wow, just keep it up.
ReplyDeletedata scientist course in malaysia