Session Management

Mendenzon Tatis Rosario 20

I am currently in the middle of setting up my user session management using ASP.NetCore Web API. I am able to register users and log in successfully. After checking my Dev Tools on Chrome I can see that a JWT token is created and added to the cookie with the proper parameters. However, I'm not understanding where my disconnect is happening because the cookie is not authenticating the user to remain in the session. As soon as I move to another page of my app my getCurrent triggers but does not return the user that just logged in and the claims return null with no identity available. Screenshot 2024-04-03 at 2.50.49 PM

Screenshot 2024-04-03 at 2.51.16 PM

Screenshot 2024-04-03 at 2.51.48 PM

Screenshot 2024-04-03 at 2.53.21 PM

Screenshot 2024-04-03 at 2.53.43 PM Screenshot 2024-04-03 at 2.55.02 PM

Ping Ni-MSFT 2,250 Reputation points Microsoft Vendor

2024-04-04T01:56:27.3533333+00:00

Hi @Mendenzon Tatis Rosario, Pls share the code instead of the screenshot which could be better to resolve your issue.

Mendenzon Tatis Rosario 20

@Ping Ni-MSFT Here is the core for the token formatting and the web auth

public class TokenSecureDataFormat : ISecureDataFormat<AuthenticationTicket> {     private string _secret = "";
    private int _expirationDays;
    private JsonWebTokenConfig _tokenConfig;

    private static readonly string[] _specialTypes = new[]
    {
        ClaimTypes.Role,
        ClaimTypes.Email,
        ClaimTypes.NameIdentifier, 
"http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider"
    };
      
public TokenSecureDataFormat(JsonWebTokenConfig tokenConfig)
    {
        _secret = tokenConfig.Secret;
        _tokenConfig = tokenConfig;
        _expirationDays = tokenConfig.ExpirationDays;
    }

    public string Protect(AuthenticationTicket ticket)
    {
        var tokenHandler = new JwtSecurityTokenHandler();
        var key = Encoding.ASCII.GetBytes(_secret);
        var tokenDescriptor = new SecurityTokenDescriptor
        {
            Audience = _tokenConfig.Audience,

            Expires = DateTime.UtcNow.AddDays(_expirationDays),
            SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
        };

        tokenDescriptor.Issuer = _tokenConfig.Issuer;
        tokenDescriptor.Subject = new ClaimsIdentity(ticket.Principal.Claims);

        var token = tokenHandler.CreateToken(tokenDescriptor);
        return tokenHandler.WriteToken(token);
    }

    public string Protect(AuthenticationTicket ticket, string purpose)
    {
        return Protect(ticket);
    }

    public AuthenticationTicket Unprotect(string protectedText)
    {
        JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();

        TokenValidationParameters tokenParam = new TokenValidationParameters();

        tokenParam.ValidIssuer = _tokenConfig.Issuer;
        tokenParam.ValidAudience = _tokenConfig.Audience;
        tokenParam.ClockSkew = TimeSpan.FromMinutes(0);
        tokenParam.IssuerSigningKey = GetSymmetricSecurityKey(_secret);

        SecurityToken token = null;
        AuthenticationTicket authTicket = null;
        JwtSecurityToken unvalidatedToken = null;

        try
        {
            unvalidatedToken = tokenHandler.ReadJwtToken(protectedText);
            ClaimsPrincipal claimP = tokenHandler.ValidateToken(protectedText, tokenParam, out token);

            authTicket = new AuthenticationTicket(claimP, AuthenticationDefaults.AuthenticationScheme);
        }
        catch (Exception ex)
        {
            //Replace with proper logging later

            Console.WriteLine(ex.ToString());

            throw;
        }

        return authTicket;
    }

    public AuthenticationTicket Unprotect(string protectedText, string purpose)
    {
        return Unprotect(protectedText);
    }

    private SigningCredentials GetSigningCredentials(string tokenSecret)
    {
        SymmetricSecurityKey symmetricKey = GetSymmetricSecurityKey(tokenSecret);
        var signingCredentials = new SigningCredentials(symmetricKey, SecurityAlgorithms.HmacSha256);

        return signingCredentials;
    }

    private SymmetricSecurityKey GetSymmetricSecurityKey(string jwtSecret)
    {
        return new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtSecret));
    }
}

public class WebAuthenticationService : IAuthenticationService<int>
{
    private static string _title;
    private IHttpContextAccessor _contextAccessor;

    static WebAuthenticationService()
    {
        _title = GetApplicationName();
    }

    public WebAuthenticationService(IHttpContextAccessor httpContext)
    {
        this._contextAccessor = httpContext;
    }

    public async Task LogInAsync(IUserAuthData user, params Claim[] extraClaims)
    {
        ClaimsIdentity identity = new ClaimsIdentity(
            CookieAuthenticationDefaults.AuthenticationScheme,
            ClaimsIdentity.DefaultNameClaimType,
            ClaimsIdentity.DefaultRoleClaimType);

        identity.AddClaim(new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider",
            _title,
            ClaimValueTypes.String));

        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id.ToString(), ClaimValueTypes.String));

        identity.AddClaim(new Claim(ClaimsIdentity.DefaultNameClaimType, user.Name, ClaimValueTypes.String));

        if (user.Roles != null && user.Roles.Any())
        {
            foreach (string singleRole in user.Roles)
            {
                identity.AddClaim(new Claim(ClaimsIdentity.DefaultRoleClaimType, singleRole, ClaimValueTypes.String));
            }
        }

        identity.AddTenantId(user.TenantId);

        identity.AddClaims(extraClaims);

        AuthenticationProperties props = new AuthenticationProperties
        {
            IsPersistent = true,
            IssuedUtc = DateTime.UtcNow,
            ExpiresUtc = DateTime.UtcNow.AddDays(60),
            AllowRefresh = true,
        };

        ClaimsPrincipal principal = new ClaimsPrincipal(identity);

        await _contextAccessor.HttpContext
            .SignInAsync(AuthenticationDefaults.AuthenticationScheme, principal, props);
    }

    public async Task LogOutAsync()
    {
        await _contextAccessor.HttpContext.SignOutAsync(AuthenticationDefaults.AuthenticationScheme);
    }

    public bool IsLoggedIn()
    {
        return _contextAccessor.HttpContext.User.Identity.IsAuthenticated;
    }

    ///<summary>
    ///Only use this method if the user is logged in
    /// </summary>
    /// <returns></returns>

    public int GetCurrentUserId()
    {
        return GetId(_contextAccessor.HttpContext.User.Identity).Value;
    }

    public IUserAuthData GetCurrentUser()
    {
        BaseUser baseUser = null;

        if (IsLoggedIn())
        {
            ClaimsIdentity claimsIdentity = _contextAccessor.HttpContext.User.Identity as ClaimsIdentity;

            if (claimsIdentity != null)
            {
                baseUser = ExtractUser(claimsIdentity);
            }
        }

        return baseUser;
    }

    private static BaseUser ExtractUser(ClaimsIdentity claimsIdentity)
    {
        BaseUser baseUser = new BaseUser();
        List<string> roles = null;

        foreach (var claim in claimsIdentity.Claims)
        {
            switch (claim.Type)
            {
                case ClaimTypes.NameIdentifier:
                    int id = 0;
                    if (Int32.TryParse(claim.Value, out id))
                    {
                        baseUser.Id = id;
                    }
                    break;

                case ClaimTypes.Name:
                    baseUser.Name = claim.Value;
                    break;

                case ClaimTypes.Role:
                    if (roles == null)
                    {
                        roles = new List<string>();
                    }

                    roles.Add(claim.Value);
                    break;

                default:
                    if (claimsIdentity.IsTenantIdClaim(claim.Type))
                    {
                        baseUser.TenantId = claim.Value;
                    }
                    break;
            }
        }

        baseUser.Roles = roles;

        return baseUser;
    }

    private static int? GetId(IIdentity identity)
    {
        if (identity == null) { throw new ArgumentNullException("identity"); }
        if (!identity.IsAuthenticated) { throw new InvalidOperationException("The current IIdentity is not Authenticated"); }
        ClaimsIdentity claimsIdentity = identity as ClaimsIdentity;

        int idParsed = 0;

        if (claimsIdentity != null)
        {
            Claim claim = claimsIdentity.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier);

            if (claim != null && Int32.TryParse(claim.Value, out idParsed))
            {
                return idParsed;
            }
        }

        return null;
    }

    private static string GetApplicationName()
    {
        var entryAssembly = Assembly.GetExecutingAssembly();

        var titleAttribute = entryAssembly.GetCustomAttributes(typeof(AssemblyTitleAttribute), false).FirstOrDefault() as AssemblyTitleAttribute;

        return titleAttribute == null ? entryAssembly.GetName().Name : titleAttribute.Title;
    }
}

Ping Ni-MSFT 2,250 Reputation points Microsoft Vendor

2024-04-05T08:53:06.6433333+00:00

Hi @Mendenzon Tatis Rosario, How do you trigger the WebAuthenticationService?

As soon as I move to another page of my app my getCurrent triggers but does not return the user that just logged in and the claims return null with no identity available.

Can you point out what is the getCurrent method here? Also it is better for you to share your Program.cs.

1 answer

Bruce (SqlWork.com) 56,531 Reputation points

2024-04-05T17:38:18.22+00:00

it looks like your signing in with a jwt token. these are not written to a cookie, but should be sent as a bearer token on each request. browsers only support bearer tokens via javascript requests that pass the token.

note: the identity cookie value is encrypted, and can not be decoded in the browser tools. also identity does not use session
Please sign in to rate this answer.

0 comments No comments
Sign in to comment