11

I am migrating applications away from the ASP.Net MVC 5 framework to the new .Net Core 2.1.

I used Windows Authentication with a Custom RoleProvider in the MVC 5 Projects as shown in the link below.

ASP.NET MVC How to create a custom role provider

How do I accomplish the same in Core 2.1 as it does not seem to contain RoleProvider capability?

Every example I come across uses Individual Accounts with IdentityUser and IdentityRole.

My custom tables for User and Roles :

public class User
{
    public User() { UserRoles = new HashSet<UserRole>(); }

    [Key]
    public string Id { get; set; }

    [StringLength(50)]
    [Required]
    public string Logon { get; set; } //The users Active Directory Username

    public bool Active { get; set; }

    public ICollection<UserRole> UserRoles { get; set; }

}


public class Role
{
    public Role() { UserRoles = new HashSet<UserRole>(); }

    [Key]
    public string Id { get; set; }

    public string Name { get; set; }

    public ICollection<UserRole> UserRoles { get; set; }
}

Edit:

I've added a CustomClaimsPrincipal which goes like: 

public class CustomClaimsPrincipal : ClaimsPrincipal
{
    private readonly ApplicationDbContext _context;

    public CustomClaimsPrincipal(ApplicationDbContext context)
    {
        _context = context;
    }

    public override bool IsInRole(string role)
    {
        var currentUser = ClaimsPrincipal.Current.Identity.Name;

        IdentityUser user = _context.Users.FirstOrDefault(u => u.UserName.Equals(currentUser, StringComparison.CurrentCultureIgnoreCase));
            //(ApplicationUser)_context.Users.FirstOrDefault(u => u.UserName.Equals(currentUser, StringComparison.CurrentCultureIgnoreCase));

        var roles = from ur in _context.UserRoles.Where(p => p.UserId == user.Id)
                    from r in _context.Roles
                    where ur.RoleId == r.Id
                    select r.Name;
        if (user != null)
            return roles.Any(r => r.Equals(role, StringComparison.CurrentCultureIgnoreCase));
        else
            return false;
    }
}

and added to Startup.cs

services.AddIdentity<ApplicationUser, IdentityRole>().AddEntityFrameworkStores<ApplicationDbContext>();

services.AddScoped<ClaimsPrincipal, CustomClaimsPrincipal>();

But it still seems to be taking the original ClaimsPrincipal IsInRole function instead of the override which I believe is why I'm getting the error message "The trust relationship between the primary domain and the trusted domain failed."

spottedmahn
  • 14,823
  • 13
  • 108
  • 178
user2806570
  • 821
  • 2
  • 12
  • 25
  • The duplicate you mention is for Individual Accounts which uses IdentityUser which is not used in Windows Authentication – user2806570 Aug 16 '18 at 10:25

2 Answers2

8

I had the same problem - the solutions given in the post weren't helpful but the comments pointed me in the right direction. You need to add claims to your ClaimsPrincipal.

Step 1: Create a ClaimsTransformer - Replace "Admin" and add a separate claim for each role you fetch from your database

using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

public class ClaimsTransformer : IClaimsTransformation
{ 
    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var ci = (ClaimsIdentity) principal.Identity;
        var c = new Claim(ci.RoleClaimType, "Admin");
        ci.AddClaim(c);
        return Task.FromResult(principal);
    }
}

Step 2: Add your ClaimsTransformer to the ConfigureServices method of Startup.cs

services.AddAuthentication(Microsoft.AspNetCore.Server.IISIntegration.IISDefaults.AuthenticationScheme);
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
services.AddSpaStaticFiles(configuration =>
{
    configuration.RootPath = "ClientApp/dist";
});

services.AddSingleton<IClaimsTransformation, ClaimsTransformer>();

Step 3: You can now add Role based Authorization attributes within your Controllers

[Authorize(Roles = "Admin")]
[HttpGet("[action]/{id}")]        
public User GetUser([FromRoute] int id)
{
    UserLogic ul = new UserLogic();
    return ul.GetUser(id);
}
Aceofspades25
  • 363
  • 4
  • 9
4

Managing custom permissions in net core is usually done via claims. You can do this via aspnet identity( How to add claims in ASP.NET Identity) or you can write your own middleware.

Once you have claims, you need to create Policies. This is done via the Startup.cs class in the ConfigureServices method.

services.AddAuthorization(options =>
        {
            options.AddPolicy("HR", policy => policy.RequireClaim("HRTeam"));
            options.AddPolicy("Helpdesk", policy => policy.RequireClaim("HelpdeskTeam"));
        });

And then decorate your controllers/actions with the Authorize attribure

[Authorize(Policy="Helpdesk")]
public class HelpDeskController : Controller
Will
  • 1,080
  • 12
  • 13
ste-fu
  • 6,879
  • 3
  • 27
  • 46
  • I've added claims but its still not working as expected. Can you please see above for the edit? – user2806570 Aug 16 '18 at 18:44
  • I don't think you need to override the ClaimsPrincipal, you need to add Claims to it when you authenticate – ste-fu Aug 17 '18 at 09:08
  • Claims and Roles with and without Policies are all valid schemes for managing Authorization. – Will Aug 30 '18 at 17:35
  • @ste-fu could you expand on this? I'm having the same problem and I'm not sure what you mean by "Adding claims when you authenticate"? Currently I enable Windows Authentication using this line: services.AddAuthentication(Microsoft.AspNetCore.Server.IISIntegration.IISDefaults.AuthenticationScheme); – Aceofspades25 Nov 29 '18 at 21:22
  • can we add multiple policy like this [Authorize(Policy="Helpdesk,Supervisor")] ? – Willy May 03 '21 at 12:01
  • Lots of good info here about multiple policies https://stackoverflow.com/questions/35609632/asp-net-5-authorize-against-two-or-more-policies-or-combined-policy – ste-fu May 03 '21 at 16:34