dotnet / AspNetCore.Docs

Documentation for ASP.NET Core
https://docs.microsoft.com/aspnet/core
Creative Commons Attribution 4.0 International

How do I create a claim? #9244

Closed IndigoHealth closed 4 years ago

IndigoHealth commented 5 years ago

This documentation does a great job of explaining what a claim is and how to check for a claim. But how do I create a claim? And (for those of us coming from previous versions of ASP.NET) how do Role claims play with User.IsInRole? Apparently, Roles (as represented in the SQL database) are deprecated (see: https://github.com/aspnet/Identity/issues/1813).



Rick-Anderson commented 5 years ago

@blowdart

blowdart commented 5 years ago

var claim = new Claim(...)

OK, that's not useful, but really it's a concern of whatever identity system you're using, be it ASP.NET Identity, ADFS, AAD and so on. Role claims appear as, well, role claims, so you can check however you like. But it's not a suitable place to document this; it's authentication, not authorization.

IndigoHealth commented 5 years ago

I understand that this page is focused on Authorization based on Claims. But that begs the obvious question of how to create claims in the first place. The section of this page that explains the concept of a claim would be a great place to put a link to a topic that talks about how to create them.

I spent two days trying to get legacy Roles to work. After I stumbled across the discussion that said, in effect, "give up on legacy Roles and use Claims", I went looking for the answer to how to do that. The only topic that I've found that describes claims creation is the "Additional Claims" topic, which talks about OAuth and includes a lot of ugly details that I assume I don't need to figure out for Role-based authorization. And I'm still left with a lot of reading between the lines and experimenting to try to figure out how to create simple Role claims.

lukesdm commented 5 years ago

Any chance of reopening this please? This page is the top result for 'aspnet core identity claims'. For now, this article provides some info on creating claims: https://damienbod.com/2018/10/30/implementing-user-management-with-asp-net-core-identity-and-custom-claims/ The key seems to be the UserClaimsPrincipalFactory classes.

damienbod commented 5 years ago

@lukesdm https://github.com/damienbod/AspNetCoreAngularSignalRSecurity/blob/master/StsServerIdentity/Startup.cs#L93-L94

You need to implement the IUserClaimsPrincipalFactory and use an ApplicationUser class which implements the IdentityUser in the Identity context.

This took a while to find, I think this would be good in the Docs.

@Rick-Anderson @blowdart I could add something here if you're interested.

Rick-Anderson commented 5 years ago

> @Rick-Anderson @blowdart I could add something here if you're interested.

@damienbod that would be great.

damienbod commented 5 years ago

@Rick-Anderson @blowdart @NTaylorMullen

Something like this: (New Page?)

Adding custom claims to ASP.NET Core Identity

This covers a lot already:

https://docs.microsoft.com/en-us/aspnet/core/security/authentication/add-user-data

So it's just really the last point which is missing from the docs

IndigoHealth commented 5 years ago

There are a couple of foundational concepts that I don't see in your list.

alexanderbikk commented 5 years ago

Here is a very good and simple example of how to add data in Asp.Net Identity claims https://korzh.com/blogs/net-tricks/aspnet-identity-store-user-data-in-claims

Thanks to Jon P Smith; I found this link in his repository.

jwefers commented 5 years ago

I want to validate the scope claim of an incoming JWT token, where it's called "scp". ASP.NET Core maps this to the ClaimType "http://schemas.microsoft.com/identity/claims/scope". Can anyone tell me where these strings are defined? System.Security.Claims.ClaimTypes only contains values for "http://schemas.xmlsoap.org/ws/2009/09/identity/claims/..." and it's missing scopes. Clearly, there must be another, newer class for this newer schema.

mchudinov commented 4 years ago

How to create claims without using Entity Framework? How to just add claims to ClaimsPrincipal object during the login process?

enetstudio commented 4 years ago

I'm using the IClaimsTransformation interface, which is deemed a better choice, in my Server Blazor App to add claims to the Claims Principal object.

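```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;

// ApplicationUser is the app's own IdentityUser-derived class; it is expected
// to expose the Country and Birthdate properties used below.
public class ApplicationUserClaimsTransformation : IClaimsTransformation
{
    private readonly UserManager<ApplicationUser> _userManager;

    public ApplicationUserClaimsTransformation(UserManager<ApplicationUser> userManager)
    {
        _userManager = userManager;
    }

    // The claims transformer is invoked each time HttpContext.AuthenticateAsync()
    // is called, so it can run more than once for the same principal. The
    // HasClaim checks keep it from adding duplicate claims.
    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var identity = principal.Identities.FirstOrDefault(c => c.IsAuthenticated);
        if (identity == null) return principal;

        var user = await _userManager.GetUserAsync(principal);
        if (user == null) return principal;

        // new Claim(...) throws on a null value, so skip an unset Country.
        if (user.Country != null && !principal.HasClaim(c => c.Type == ClaimTypes.Country))
        {
            identity.AddClaim(new Claim(ClaimTypes.Country, user.Country));
        }

        if (!principal.HasClaim(c => c.Type == ClaimTypes.DateOfBirth))
        {
            identity.AddClaim(new Claim(ClaimTypes.DateOfBirth, user.Birthdate.ToString()));
        }

        // identity belongs to principal, so return the original principal and
        // keep any other identities it carries.
        return principal;
    }
}
```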

You also need this in the Startup.ConfigureServices method:

```csharp
services.AddScoped<IClaimsTransformation, ApplicationUserClaimsTransformation>();
```

reasonet commented 4 years ago

The following link explains how to add claims. I think it should be added to this page: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-3.1

The relevant code (for me) at the link is:

```csharp
await HttpContext.SignInAsync(
    CookieAuthenticationDefaults.AuthenticationScheme,
    new ClaimsPrincipal(claimsIdentity),
    authProperties);
```

If you added that text to this page, you would answer this question.
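
Added example, not part of the thread or of the ASP.NET Core docs: building by hand the kind of principal that the `SignInAsync` call above takes, with role claims, and showing that `IsInRole` only matches claims whose type equals the identity's `RoleClaimType`. The user name, the role names and the short `role` claim type are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

public static class RoleClaimsExample
{
    // Builds the principal a login action would hand to HttpContext.SignInAsync.
    // No Entity Framework or UserManager is involved.
    public static ClaimsPrincipal BuildPrincipal(string userName, IEnumerable<string> roles)
    {
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, userName) };
        foreach (var role in roles)
        {
            claims.Add(new Claim(ClaimTypes.Role, role));
        }

        // A non-empty authentication type is what makes IsAuthenticated true.
        // "Cookies" is the value of CookieAuthenticationDefaults.AuthenticationScheme.
        var identity = new ClaimsIdentity(claims, "Cookies", ClaimTypes.Name, ClaimTypes.Role);
        return new ClaimsPrincipal(identity);
    }

    // Same role value, but carried in a claim of type roleClaimType (for example
    // the short "role" name). roleTypeOnIdentity is what IsInRole will look for.
    public static bool IsInRoleWith(string roleClaimType, string roleTypeOnIdentity, string role)
    {
        var identity = new ClaimsIdentity(
            new[] { new Claim(roleClaimType, role) }, "Bearer", ClaimTypes.Name, roleTypeOnIdentity);
        return new ClaimsPrincipal(identity).IsInRole(role);
    }

    public static void Main()
    {
        var user = BuildPrincipal("alice", new[] { "Admin", "Auditor" }); // constructed sample
        Console.WriteLine($"authenticated: {user.Identity.IsAuthenticated}");
        Console.WriteLine($"IsInRole(Admin): {user.IsInRole("Admin")}");
        // Role values are compared case-sensitively.
        Console.WriteLine($"IsInRole(admin): {user.IsInRole("admin")}");

        // Claim type and RoleClaimType disagree: the role is present but not seen.
        Console.WriteLine($"role vs ClaimTypes.Role: {IsInRoleWith("role", ClaimTypes.Role, "Admin")}");
        // Claim type and RoleClaimType agree: the same claim now satisfies IsInRole.
        Console.WriteLine($"role vs role: {IsInRoleWith("role", "role", "Admin")}");
    }
}
```

In a controller or page handler, the principal returned by `BuildPrincipal` is what gets passed as the second argument of `HttpContext.SignInAsync`.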