How to get Role Claims?

Question

I've created a user and attached to him a role that has a number of claims. The problem is I don't see a direct way to access retrieve them using Entity Framework Core and Identity integration. Here's what I'd like to do ideally:

return _context.Users
  .Include(u => u.Roles)
  .ThenInclude(r => r.Role)
  .ThenInclude(r => r.Claims)

But there's not Role property, just RoleId. So I can not Include role claims. Of course I get make a separate query to get claims or even use RoleManager:

var user = _context.Users.Single(x => x.Id == ...);
var role = _roleManager.Roles.Single(x => x.Id ==  user.Roles.ElementAt(0).RoleId);
var claims = _roleManager.GetClaimsAsync(role).Result;

but it looks inefficient and even ugly. There should be a way to make a single query.

My last hope was Controller.User property (ClaimsIdentity). I hoped it somehow smartly aggregates claims from all the roles. But seems like it doesn't...

Answer 1

You can use SQL-like query expressions and get all claims from all roles of a user like this:

var claims = from ur in _context.UserRoles
             where ur.UserId == "user_id"
             join r in _context.Roles on ur.RoleId equals r.Id
             join rc in _context.RoleClaims on r.Id equals rc.RoleId
             select rc;

Answer 2

You can add navigation properties.

 public class Role : IdentityRole
 {
    public virtual ICollection<RoleClaim> RoleClaims { get; set; }       
 }

  public class RoleClaim : IdentityRoleClaim<string>
  {
     public virtual Role Role { get; set; }
  }

Then you have to configure your identity db context:

 public class MyIdentityDbContext : IdentityDbContext<User, Role, string, IdentityUserClaim<string>, IdentityUserRole<string>, IdentityUserLogin<string>, RoleClaim, IdentityUserToken<string>>

Usage:

await _context.Roles.Include(r => r.RoleClaims).ToListAsync();

At the end it generates the following query:

SELECT `r`.`Id`, `r`.`ConcurrencyStamp`, `r`.`Name`, `r`.`NormalizedName`, `r0`.`Id`, `r0`.`ClaimType`, `r0`.`ClaimValue`, `r0`.`RoleId`
  FROM `roles` AS `r`
  LEFT JOIN `role_claims` AS `r0` ON `r`.`Id` = `r0`.`RoleId`
  ORDER BY `r`.`Id`, `r0`.`Id`

Source: Identity model customization in ASP.NET Core

Answer 3

1. Make sure you are adding the roles and claims correctly. Below is an example of how I create a user and add claims and roles.

   private async Task<IdentityResult> CreateNewUser(ApplicationUser user, string password = null){
   
       //_roleManger is of type RoleManager<IdentityRole>
       // _userManger is of type UserManager<ApplicationUser>
       //and both are injected in to the controller. 
   
       if (!await _roleManger.RoleExistsAsync("SomeRole")){
           await _roleManger.CreateAsync(new IdentityRole("SomeRole"));
       }
   
       var result = password != null ? await _userManager.CreateAsync(user, password) : await _userManager.CreateAsync(user);
   
       if(result.Succeeded) {
   
           await _userManager.AddToRoleAsync(user, "SomeRole");
           await _userManager.AddClaimAsync(user, new Claim(ClaimTypes.Name, user.Email));
   
       }
   
       return result;
   }
   

2. Then you can use the _userManager to get the claims. This is how I get the current user using _userManager. Then you can just call something like this:

   var claims = await _userManager.GetClaimsAsync(user);