[Breaking change]: Access claims will be removed from `ClaimsIdentity` in V15

[kjac]

Description

The following claims will be removed from ClaimsIdentity in V15:

• http://umbraco.org/2015/02/identity/claims/backoffice/startcontentnode
• http://umbraco.org/2015/02/identity/claims/backoffice/startmedianode
• http://umbraco.org/2015/02/identity/claims/backoffice/allowedapp

These claims correspond to these (now obsolete) security constants:

• Umbraco.Cms.Core.Constants.Security.StartContentNodeIdClaimType
• Umbraco.Cms.Core.Constants.Security.StartMediaNodeIdClaimType
• Umbraco.Cms.Core.Constants.Security.AllowedApplicationsClaimType

Version

Umbraco 15

Previous behavior

The mentioned claims would be readily available for interpretation on ClaimsIdentity.

New behavior

The mentioned claims are no longer available on ClaimsIdentity.

Type of breaking change

• [X] Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load/execute or different run-time behavior.
• [ ] Source incompatible: Source code may encounter a breaking change in behavior when targeting the new runtime/component/SDK, such as compile errors or different run-time behavior.

Reason for change

First and foremost, this change allows for smoother access changes for users of the Management API. At this time we're forced to revoke tokens when access changes, which is not an ideal behaviour for currently logged-in users.

Secondly, this change paves the way for facilitating external authorization for specific operations that are currently tied to the ClaimsIdentity claims.

Recommended action

To access the allowed sections of a user, go directly to IUser:

private readonly IUserService _userService;

private async Task<IEnumerable<string>?> GetAllowedSections(Guid userKey)
{
  IUser? user = await _userService.GetAsync(userKey);
  return user?.AllowedSections;
}

To access the calculated user start nodes, use the UserExtensions:

private readonly IEntityService _entityService;
private readonly AppCaches _appCaches;

private IEnumerable<int>? UserContentStartNodeIds(IUser user)
  => user.CalculateContentStartNodeIds(_entityService, _appCaches);

private IEnumerable<int>? UserMediaStartNodeIds(IUser user)
  => user.CalculateContentStartNodeIds(_entityService, _appCaches);

Affected APIs

• Umbraco.Extensions.ClaimsIdentityExtensions.GetStartContentNodes(this ClaimsIdentity identity)
• Umbraco.Extensions.ClaimsIdentityExtensions.GetStartMediaNodes(this ClaimsIdentity identity)
• Umbraco.Extensions.ClaimsIdentityExtensions.GetAllowedApplications(this ClaimsIdentity identity)