IdentityServer / IdentityServer4

OpenID Connect and OAuth 2.0 Framework for ASP.NET Core
https://identityserver.io
Apache License 2.0

Refresh UserClaims in Identity Server 4 #5420

Closed ahmedtahami closed 2 years ago

ahmedtahami commented 2 years ago

Problem:

I want to refresh user claims in IdentityServer4. I have made an API endpoint in the IdentityServer project. This API endpoint is given below. After that I call the UserInfoEndpoint and RefreshTokenEndpoint from my Angular client using the oidc-client.js library. I get the refresh token and a new access token, but the claims in the response are old. I have to log in again to my client and IdentityServer to reload the updated claims.

API Code

    using System;
    using System.Linq;
    using System.Security.Claims;
    using System.Threading.Tasks;
    using IdentityServer4;
    using Microsoft.AspNetCore.Authentication;
    using Microsoft.AspNetCore.Mvc;

    // Controller action as posted in the issue, re-indented and wrapped in a method
    // so it compiles. The model type name, _userRepository members and AccountOptions
    // are the author's own code (quickstart UI), not IdentityServer4 APIs.
    [HttpPost]
    public async Task<IActionResult> UpdateAccessCode(AccessCodeModel model)
    {
        if (ModelState.IsValid && model.IsSelected && User.Identity.IsAuthenticated)
        {
            var user = _userRepository.GetUserByAppId(model.UserId);
            user.AccessCode = model.Code; // a simple 3 digit code
            var updatedUser = _userRepository.UpdateUser(user); // persist it in the DB
            var claimsResult = _userRepository.GetUserClaims(updatedUser);
            if (!claimsResult.IsSuccess)
            {
                return BadRequest(new { Status = false, Message = "Failed To Change" });
            }

            // Swap the listed claims on the in-memory principal. This only changes the
            // ClaimsIdentity of the current request; the cookie is re-issued further down.
            var identity = User.Identity as ClaimsIdentity;
            string[] claimsToBeUpdated = { "AccessCode" };
            foreach (var item in identity.Claims.ToList())
            {
                if (claimsToBeUpdated.Contains(item.Type))
                {
                    identity.RemoveClaim(item);
                    var claim = claimsResult.Claims.FirstOrDefault(p => p.Type == item.Type);
                    if (claim != null) // AddClaim(null) throws ArgumentNullException
                    {
                        identity.AddClaim(claim);
                    }
                }
            } // more than one claim was being updated, hence the loop

            var props = new AuthenticationProperties
            {
                IsPersistent = true,
                ExpiresUtc = DateTimeOffset.UtcNow.Add(AccountOptions.RememberMeLoginDuration),
            };

            // re-issue the authentication cookie with subject ID, username and the fresh claims
            var isuser = new IdentityServerUser(user.Id.ToString())
            {
                DisplayName = user.Name,
                AdditionalClaims = claimsResult.Claims.ToList(),
            };
            await HttpContext.SignInAsync(isuser, props);

            var claims = User.Identity as ClaimsIdentity; // checked here whether the claims are updated; they are

            return Ok(new { Status = true, Message = "Changed Successfully" });
        }

        return BadRequest(ModelState); // fall-through added so the action compiles
    }

Desired Output:

I want to have the same claims in my IdentityServer session as well as the Ng session. If you can help me it would be highly appreciated.

ahmedtahami commented 2 years ago

@brockallen Could you please help me?

gterdem commented 2 years ago

This is not directly related to IdentityServer. Maybe you want to check this blog post about claims-based authentication.

Basically, UserClaimsFactory creates a claims principal using the user manager. And this happens during the sign-in process. You can only add custom claims during the sign-in process by using the claims factory.

Changing the logged-in user after a user is signed in is the concept of impersonation.
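For the stale-claims symptom in the question above, and as a complement to the claims-factory reply: IdentityServer4 builds the claims for id_tokens, access tokens and the userinfo response by calling its IProfileService at issuance time, not by copying them out of the server-side authentication cookie, so re-issuing the cookie alone does not change what the token endpoint returns. Separately, the refresh_token grant reuses the original access token's claims unless the client sets UpdateAccessTokenClaimsOnRefresh (default false). The following is an added example written for this page, not code from the issue or from the IdentityServer4 project. IUserRepository, UserRecord, the client id and the redirect URI are assumptions; the IdentityServer4 types and methods used are the library's real API.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical user store, shaped like the _userRepository in the issue.
// Not part of IdentityServer4; a real implementation reads the database.
public interface IUserRepository
{
    UserRecord GetUserById(string subjectId);
}

public class UserRecord
{
    public string Id { get; set; }
    public string Name { get; set; }
    public string AccessCode { get; set; }
    public bool IsDisabled { get; set; }
}

// IdentityServer4 calls IProfileService whenever it builds claims for an
// id_token, an access token (including the refresh_token grant once the
// client has UpdateAccessTokenClaimsOnRefresh = true) and the userinfo
// endpoint. Reading the user record here, instead of out of the login
// cookie, is what makes updated claims appear in newly issued tokens.
public class RefreshingProfileService : IProfileService
{
    private readonly IUserRepository _users;

    public RefreshingProfileService(IUserRepository users)
    {
        _users = users;
    }

    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var user = _users.GetUserById(context.Subject.GetSubjectId());
        if (user == null)
        {
            return Task.CompletedTask; // unknown subject: issue no claims
        }

        var claims = new List<Claim>
        {
            new Claim("name", user.Name ?? string.Empty),
            new Claim("AccessCode", user.AccessCode ?? string.Empty),
        };

        // Emits only the claim types the client's requested scopes cover;
        // anything else is filtered out rather than leaked into the token.
        context.AddRequestedClaims(claims);
        return Task.CompletedTask;
    }

    // Also evaluated on every refresh_token grant, so a user disabled in
    // the store after login cannot keep minting access tokens.
    public Task IsActiveAsync(IsActiveContext context)
    {
        var user = _users.GetUserById(context.Subject.GetSubjectId());
        context.IsActive = user != null && !user.IsDisabled;
        return Task.CompletedTask;
    }
}

public static class IdentityServerConfig
{
    // The custom claim must belong to a resource the client may request,
    // otherwise AddRequestedClaims drops it.
    public static IEnumerable<IdentityResource> IdentityResources => new IdentityResource[]
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
        new IdentityResource("accesscode", new[] { "AccessCode" }),
    };

    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "angular-spa",                              // assumed
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            RequireClientSecret = false,
            RedirectUris = { "https://localhost:4200/callback" },  // assumed
            AllowedCorsOrigins = { "https://localhost:4200" },     // assumed
            AllowedScopes = { "openid", "profile", "accesscode" },
            AllowOfflineAccess = true,
            // Default false: the refreshed access token then gets a copy of
            // the original token's claims without IProfileService being asked.
            UpdateAccessTokenClaimsOnRefresh = true,
            RefreshTokenUsage = TokenUsage.OneTimeOnly,
        },
    };

    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddInMemoryIdentityResources(IdentityResources)
            .AddInMemoryClients(Clients)
            .AddProfileService<RefreshingProfileService>();
    }
}
```

Two caveats worth keeping in mind: an access token already handed out keeps its old claims until it expires, so if AccessCode gates anything security-relevant, keep AccessTokenLifetime short rather than relying on the refresh to propagate the change; and the Angular client only sees the new value once it calls userinfo with a freshly issued access token, since oidc-client.js caches the profile it loaded at sign-in.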

leastprivilege commented 2 years ago

Important update

This organization is not maintained anymore besides critical security bugfixes (if feasible). This organization will be archived when .NET Core 3.1 end of support is reached (3rd Dec 2022). All new development is happening in the new Duende Software organization.

The new Duende IdentityServer comes with a commercial license but is free for dev/testing/personal projects and companies or individuals making less than 1M USD gross annual revenue. Please get in touch with us if you have any question.

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Questions are community supported only and the authors/maintainers may or may not have time to reply. If you or your company would like commercial support, please see here for more information.

github-actions[bot] commented 2 years ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.