I am trying to learn the new Web API 2.1 authentication pieces.

I have got the bearer token wired up and working with my Web API. My next thing I would like to do is be able to store some additional information within the token (if possible) so when the client sends back the token I can retrieve the details without the need of them sending multiple values.

Can the token be extended to contain custom data?

Sorry if the question is a little vague, but I have had a big hunt around and can't seem to find any further information.

Thank you

Diver Dan

1 Answer

Since the token is signed with a "secret" key, only the issuer can add data to it.

You can add something to the claim set after receiving the token in your Web API; this is called claims transformation.

I have a sample of it here: https://github.com/thinktecture/Thinktecture.IdentityModel/tree/master/samples/OWIN/AuthenticationTansformation

In essence you are writing some code that inspects the incoming token and adds application-specific claims to the resulting principal.

    using System.Collections.Generic;
    using System.Security.Claims;
    using System.Threading.Tasks;
    using Owin; // IAppBuilder; UseClaimsTransformation is an extension method from the Thinktecture.IdentityModel.Owin package

    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Bearer token middleware is registered before this point, so the
            // 'incoming' principal below is the one built from the validated token.

            // Transform claims to application identity
            app.UseClaimsTransformation(TransformClaims);
        }

        private Task<ClaimsPrincipal> TransformClaims(ClaimsPrincipal incoming)
        {
            if (!incoming.Identity.IsAuthenticated)
            {
                // Anonymous request: nothing to transform
                return Task.FromResult<ClaimsPrincipal>(incoming);
            }

            // Parse incoming claims - create new principal with app claims
            var claims = new List<Claim>
            {
                new Claim(ClaimTypes.Role, "foo"),
                new Claim(ClaimTypes.Role, "bar")
            };

            // Carry over the subject identifier from the token, if present
            var nameId = incoming.FindFirst(ClaimTypes.NameIdentifier);
            if (nameId != null)
            {
                claims.Add(nameId);
            }

            // Carry over the certificate thumbprint from the token, if present
            var thumbprint = incoming.FindFirst(ClaimTypes.Thumbprint);
            if (thumbprint != null)
            {
                claims.Add(thumbprint);
            }

            // Authentication type "Application" marks the new identity as authenticated
            var id = new ClaimsIdentity("Application");
            id.AddClaims(claims);

            return Task.FromResult<ClaimsPrincipal>(new ClaimsPrincipal(id));
        }
    }
Fred
leastprivilege
  • Thank you for your explanation. I have taken your example and added it to my project, however it doesn't know about app.UseClaimsTransformation(TransformClaims); UseClaimsTransformation - what namespace is this in? – Diver Dan Feb 10 '14 at 18:31
  • Sorry, I didn't have the Thinktecture packages referenced. – Diver Dan Feb 10 '14 at 18:45
  • Ahh, sorry, one last question. Instead of having static data that is inserted for every claim, is it possible to add custom claim values for each request? I have an application that contains businesses and I would like to store the person's businessId as a claim. – Diver Dan Feb 10 '14 at 19:04
  • Yes, absolutely - the idea is that you analyze the incoming identity and create a new identity that contains the app/business specific claims. – leastprivilege Feb 10 '14 at 20:40
  • I know this is almost a year old, but I have to do something similar - however not at app startup. When a user logs in, they are taken to a page to select a "tenant" in a dropdown. I want that tenant ID to be saved in the bearer token as a claim... but at this point the token has been created. Is this possible? – Thiago Silva Jan 06 '15 at 21:18
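The data-driven variant asked about in the comments (a per-user businessId rather than static roles), as an added example that is not code from the original answer or from the Thinktecture sample. It uses the same `UseClaimsTransformation` extension as the answer above; `IBusinessLookup`, `InMemoryBusinessLookup`, the sample user ids and the claim type `urn:example:businessid` are hypothetical names chosen for this example. The point it demonstrates is that the added claim is derived from server-side state keyed on the signed subject claim, never from a value the client sends alongside the token.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Owin; // IAppBuilder; UseClaimsTransformation comes from the Thinktecture.IdentityModel.Owin package

// Hypothetical repository interface (not part of any library).
public interface IBusinessLookup
{
    // Returns the business id for a user, or null if the user has none.
    Task<string> FindBusinessIdAsync(string userId);
}

// In-memory stand-in for a database; the user/business pairs are constructed sample data.
public sealed class InMemoryBusinessLookup : IBusinessLookup
{
    private static readonly Dictionary<string, string> Map =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            { "user-1", "biz-42" },
            { "user-2", "biz-7" }
        };

    public Task<string> FindBusinessIdAsync(string userId)
    {
        string businessId;
        Map.TryGetValue(userId, out businessId);
        return Task.FromResult(businessId);
    }
}

public class Startup
{
    // Hypothetical application-specific claim type.
    public const string BusinessIdClaimType = "urn:example:businessid";

    public void Configuration(IAppBuilder app)
    {
        // Bearer token middleware is registered before this point, so 'incoming'
        // is the principal produced from the validated token.
        var lookup = new InMemoryBusinessLookup();
        app.UseClaimsTransformation(incoming => TransformClaimsAsync(incoming, lookup));
    }

    public static async Task<ClaimsPrincipal> TransformClaimsAsync(
        ClaimsPrincipal incoming, IBusinessLookup lookup)
    {
        if (incoming == null || incoming.Identity == null || !incoming.Identity.IsAuthenticated)
        {
            // Anonymous request: hand it back untouched.
            return incoming;
        }

        // The subject claim was signed by the token issuer, so it is the trusted key
        // for the lookup. Values in the request body or query string are client-controlled
        // and must not be used here.
        var nameId = incoming.FindFirst(ClaimTypes.NameIdentifier);
        if (nameId == null)
        {
            // No subject to map: add nothing, so downstream authorization that
            // requires the business claim will deny the request.
            return incoming;
        }

        // Start from the claims the issuer put in the token.
        var claims = new List<Claim>(incoming.Claims);

        // Make the server-side lookup authoritative: discard any business-id claim
        // that happened to arrive in the token itself.
        claims.RemoveAll(c => c.Type == BusinessIdClaimType);

        var businessId = await lookup.FindBusinessIdAsync(nameId.Value).ConfigureAwait(false);
        if (businessId != null)
        {
            claims.Add(new Claim(BusinessIdClaimType, businessId, ClaimValueTypes.String, "Application"));
        }

        // Authentication type "Application" marks the new identity as authenticated.
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Application"));
    }
}
```

Because the transformation runs on every request, the lookup should be cheap or cached; and because the client can only influence the result through the signed subject claim, changing which business a request is attributed to requires changing the server-side mapping, not the token.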