
Add Claims to a user during login while using Identity #46558

@akhanalcs

Description


Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

I am honestly shocked that I have searched everywhere and tried everything but am still not able to accomplish this basic behavior.
Am I missing something or is Identity missing a basic behavior?

Let me explain it:

My application is a Blazor Server project where I have added Identity following the steps mentioned here.

Now this is what I want to achieve:

  1. User enters their credentials.
  2. If the username is valid (in our Active Directory), I retrieve a field known as EmployeeId from the Active Directory.
  3. Authenticate the user using SignInManager.PasswordSignInAsync.
  4. Add EmployeeId that I retrieved in Step 2 as a claim to the ClaimsPrincipal. (So that I can use EmployeeId from Razor Components like this).

My OnPostAsync method in Login.cshtml.cs looks like this:

using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Logging;

public class LoginModel : PageModel
{
	private readonly SignInManager<MMTUser> _signInManager;
	private readonly ILogger<LoginModel> _logger;

	public LoginModel(SignInManager<MMTUser> signInManager, ILogger<LoginModel> logger)
	{
		_signInManager = signInManager;
		_logger = logger;
	}

	// Other Properties (including the bound Input model), methods etc. here.

	public async Task<IActionResult> OnPostAsync(string returnUrl = null)
	{
		returnUrl ??= Url.Content("~/");

		if (ModelState.IsValid)
		{
			// Step 1: Check if this user exists in our AD
			// If YES: Grab the Employee Id and go to next step
			// If NO: Terminate the process
			var adLookupResult = ADHelper.ADLookup(Input.Username);
			if (adLookupResult == null || string.IsNullOrEmpty(adLookupResult.EmployeeId))
			{
				ModelState.AddModelError(string.Empty, "Invalid login attempt.");
				return Page();
			}

			// Step 2: SignIn the user (this issues the authentication cookie)
			var result = await _signInManager.PasswordSignInAsync(Input.Username, Input.Password, isPersistent: Input.RememberMe, lockoutOnFailure: false);

			// Step 3: How do I add adLookupResult.EmployeeId to the ClaimsPrincipal?

			if (result.Succeeded)
			{
				_logger.LogInformation("User logged in.");
				return LocalRedirect(returnUrl);
			}
			else
			{
				ModelState.AddModelError(string.Empty, "Invalid login attempt.");
				return Page();
			}
		}

		// If we got this far, something failed, redisplay form
		return Page();
	}
}

I tried to use ClaimsTransformer as documented here but since I cannot pass my adLookupResult.EmployeeId to TransformAsync method, I can't really use that approach.

I tried adding it using:
HttpContext.User.AddIdentity(new ClaimsIdentity(new List<Claim> { new Claim("NewClaim", "EmployeeIdFromStep2") }));
right after successful sign in, but that doesn't work.

Describe the solution you'd like

Either provide a way to pass claims value to the public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal) method or provide a method to add claims during Login while using Identity.

Additional context

Full source code:
https://github.com/affableashish/blazor-server-auth/tree/feature/AddClaimsDuringLogin

Added Claims during Login (in Login.cshtml.cs file) and accessed those claims from Razor Component.

Unfortunately, it didn't work. I only get null as the claim value. 😔

Stackoverflow question:
https://stackoverflow.com/q/75377386/8644294
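One way to get EmployeeId into the ClaimsPrincipal at sign-in time, as an added example that is not the issue author's code: verify the password with SignInManager.CheckPasswordSignInAsync (which does not issue the cookie) and then call SignInManager.SignInWithClaimsAsync with the extra claim. MMTUser, ADHelper.ADLookup and the Input model are assumed to be the ones from the issue; the claim type name "EmployeeId" is a constructed choice.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Logging;
public class LoginModel : PageModel
{
    private readonly SignInManager<MMTUser> _signInManager;
    private readonly UserManager<MMTUser> _userManager;
    private readonly ILogger<LoginModel> _logger;

    public LoginModel(SignInManager<MMTUser> signInManager, UserManager<MMTUser> userManager, ILogger<LoginModel> logger)
    {
        _signInManager = signInManager;
        _userManager = userManager;
        _logger = logger;
    }

    // Input (the bound form model with Username, Password, RememberMe) and other members as in the issue's LoginModel.

    public async Task<IActionResult> OnPostAsync(string returnUrl = null)
    {
        returnUrl ??= Url.Content("~/");
        if (!ModelState.IsValid) return Page();

        // Step 1: server-side AD lookup (ADHelper is the issue's own helper; its signature is assumed).
        var adLookupResult = ADHelper.ADLookup(Input.Username);
        if (adLookupResult == null || string.IsNullOrEmpty(adLookupResult.EmployeeId))
        {
            ModelState.AddModelError(string.Empty, "Invalid login attempt.");
            return Page();
        }

        // Step 2: verify the password without issuing the cookie yet, so the claim set is still ours to choose.
        var user = await _userManager.FindByNameAsync(Input.Username);
        if (user == null ||
            !(await _signInManager.CheckPasswordSignInAsync(user, Input.Password, lockoutOnFailure: false)).Succeeded)
        {
            ModelState.AddModelError(string.Empty, "Invalid login attempt.");
            return Page();
        }

        // Step 3: issue the cookie with EmployeeId baked into the ClaimsPrincipal.
        var extraClaims = new[] { new Claim("EmployeeId", adLookupResult.EmployeeId) };
        await _signInManager.SignInWithClaimsAsync(user, Input.RememberMe, extraClaims);
        _logger.LogInformation("User logged in.");
        return LocalRedirect(returnUrl);
    }
}
```

Claims added this way live only in the authentication cookie: they are set once at sign-in from a server-side lookup, and the SecurityStampValidator rebuilds the principal through the UserClaimsPrincipalFactory on its periodic refresh, which drops them. For a claim that must survive refreshes, persist it with UserManager.AddClaimAsync or emit it from a custom UserClaimsPrincipalFactory instead.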

Labels: area-identity (Includes: Identity and providers)