
I am trying to assign roles as claims for Windows Authentication in an ASP.NET Core Web API project. Below is my transform, which adds a role claim to the current identity.

using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

public class ClaimsTransformer : IClaimsTransformer
{
    public Task<ClaimsPrincipal> TransformAsync(ClaimsTransformationContext context)
    {
        // Add a new role claim to the identity that Windows Authentication produced
        var ci = (ClaimsIdentity) context.Principal.Identity;
        var c = new Claim(ClaimTypes.Role, "admin");
        ci.AddClaim(c);

        return Task.FromResult(context.Principal);
    }
}

And this middleware is added to Startup.Configure:

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    loggerFactory.AddConsole(LogLevel.Debug);
    loggerFactory.AddDebug();

    // Run the transformer on every authenticated principal before MVC authorizes
    app.UseClaimsTransformation(o => new ClaimsTransformer().TransformAsync(o));

    app.UseStaticFiles();

    app.UseMvc();
}

However, the admin role is not authorized in this method (403 Forbidden).

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Route("api/[controller]")]
public class ValuesController : Controller
{
    // GET api/values/5
    [HttpGet("{id}")]
    [Authorize(Roles = "admin")]
    public string Get(int id)
    {
        return "value";
    }
}

It works properly if a bare [Authorize] is used. Is anything missing?

adem caglin
beewest

  • Take a look at http://stackoverflow.com/a/39032988/5426333 – adem caglin Aug 28 '16 at 15:52
  • When adding a new claim to the ClaimsIdentity, if you want it to work with IPrincipal.IsInRole (and AuthorizeAttribute(Roles=)), then you need to add it with a claim type of ClaimTypes.GroupSid rather than ClaimTypes.Role. Strange but true. – Rob Sep 25 '16 at 10:51
  • And I think if you try to add it as a `ClaimTypes.GroupSid` as "admin" you get a `System.ComponentModel.Win32Exception: The trust relationship between the primary domain and the trusted domain failed` – jmzagorski Nov 07 '16 at 13:44
  • Rob, your comment saved my day! I already implemented it as you said, but your comment is confirmation of what I have suspected. Thanks – Kenan Begić Apr 27 '23 at 14:11

1 Answer


Unfortunately, the User.IsInRole method doesn't work with ClaimsTransformer (if you add a role with ClaimsTransformer, IsInRole will be false), so you can't use [Authorize(Roles = "")] with ClaimsTransformer. In this case you can use Claims Based Authorization to handle authorization.

So add below code to ConfigureServices and use Authorize attribute:

using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public void ConfigureServices(IServiceCollection services)
{
    // Add framework services.
    services.AddAuthorization(options =>
    {
        // Policy is satisfied by the presence of the Role claim itself,
        // so it does not depend on User.IsInRole
        options.AddPolicy("admin", policy => policy.RequireClaim(ClaimTypes.Role, "admin"));
    });
    //...
}


[Route("api/[controller]")]
public class ValuesController : Controller
{
    // GET api/values/5
    [HttpGet("{id}")]
    [Authorize(Policy = "admin")]
    public string Get(int id)
    {
        return "value";
    }
}
adem caglin
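A stand-alone C# console program, added here as an example and not code from the question or the answer, that shows the mechanism behind the answer. ClaimsPrincipal.IsInRole consults each identity's RoleClaimType; a WindowsIdentity is constructed with RoleClaimType = ClaimTypes.GroupSid, so a ClaimTypes.Role claim added by the transformer is invisible to IsInRole (and therefore to [Authorize(Roles = "admin")]) but is still found by HasClaim, which is what policy.RequireClaim(ClaimTypes.Role, "admin") checks. The "windowsLike" principal is a constructed stand-in built with that same RoleClaimType; it reproduces the claim-type mismatch but not the name-to-SID translation the real WindowsPrincipal.IsInRole performs, and the group SID in it is constructed sample data. ToPlainPrincipal is an alternative of this example's own, not something the answer proposes: it assumes the application never needs the WindowsIdentity itself after authentication.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

// Added example, not code from the question or the answer.
// Plain .NET console program; no ASP.NET Core packages required.
public static class RoleClaimDemo
{
    // Same thing the question's ClaimsTransformer does: add a Role claim
    // to whatever identity the principal already carries.
    public static void AddAdminRoleClaim(ClaimsPrincipal principal)
    {
        var ci = (ClaimsIdentity)principal.Identity;
        ci.AddClaim(new Claim(ClaimTypes.Role, "admin"));
    }

    // What [Authorize(Roles = "admin")] boils down to.
    public static bool RoleAttributeCheck(ClaimsPrincipal p) => p.IsInRole("admin");

    // What policy.RequireClaim(ClaimTypes.Role, "admin") boils down to.
    public static bool PolicyCheck(ClaimsPrincipal p) => p.HasClaim(ClaimTypes.Role, "admin");

    // Alternative to the policy workaround (an assumption of this example,
    // not something the answer proposes): have the transformer return a new
    // principal built on a plain ClaimsIdentity whose RoleClaimType is
    // ClaimTypes.Role. The original claims are copied, but WindowsIdentity
    // specific behaviour (SID translation, impersonation) is lost, so only
    // do this when the app never needs the WindowsIdentity itself.
    public static ClaimsPrincipal ToPlainPrincipal(ClaimsPrincipal original)
    {
        var source = (ClaimsIdentity)original.Identity;
        var plain = new ClaimsIdentity(source.Claims, source.AuthenticationType,
                                       source.NameClaimType, ClaimTypes.Role);
        return new ClaimsPrincipal(plain);
    }

    public static void Main()
    {
        // Case 1: ordinary ClaimsIdentity; RoleClaimType defaults to ClaimTypes.Role,
        // so IsInRole sees the claim the transformer added.
        var plain = new ClaimsPrincipal(new ClaimsIdentity("Constructed"));
        AddAdminRoleClaim(plain);
        Report("ClaimsIdentity (role type = Role)", plain);

        // Case 2: identity whose RoleClaimType is ClaimTypes.GroupSid, which is how
        // WindowsIdentity is constructed. Constructed stand-in: it reproduces the
        // role-claim-type mismatch but not WindowsPrincipal's SID translation.
        var windowsLike = new ClaimsPrincipal(new ClaimsIdentity(
            "Constructed", ClaimsIdentity.DefaultNameClaimType, ClaimTypes.GroupSid));
        // Constructed sample group SID (BUILTIN\Users), as a WindowsIdentity would carry
        windowsLike.Identities.First().AddClaim(new Claim(ClaimTypes.GroupSid, "S-1-5-32-545"));
        AddAdminRoleClaim(windowsLike);
        Report("ClaimsIdentity (role type = GroupSid)", windowsLike);

        // Case 3: the same principal after the transformer swaps in a plain identity.
        Report("after ToPlainPrincipal", ToPlainPrincipal(windowsLike));
    }

    static void Report(string label, ClaimsPrincipal p) =>
        Console.WriteLine($"{label}: IsInRole(\"admin\")={RoleAttributeCheck(p)}, " +
                          $"HasClaim(Role, \"admin\")={PolicyCheck(p)}");
}
```

Run it with `dotnet run` in a console project. The second case is the one the question hits: IsInRole is false while HasClaim is true, which is exactly why [Authorize(Roles = "admin")] returns 403 and [Authorize(Policy = "admin")] passes. Whichever route you take, keep the transformer's role decision server-side and derived from something the caller cannot influence (the authenticated Windows identity or its groups), never from request data, since the policy trusts the claim's mere presence.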