All geek questions in one place

Idenity Server 4 Making Additional Claims in IAuthorizeInteractionResponseGenerator

I am trying to port the code from IdentityServer3 that PreAuthenticate used to provide a temporary impersonation of the user to the client application for our administrators.

After the thread in here , I override ProcessInteractionAsync in a custom IAuthorizeInteractionResponseGenerator. This works fine, and everything works for me, BUT, I cannot add unnecessary requirements for sending back to the client application so that it knows that this is an impersonated id_token. When replacing the object with ValidatedAuthorizeRequest in my redefinition, I add an additional requirement that indicates the user who started the impersonation, but this requirement is not met through the id_token or access token. Here is my redefinition:

public override async Task<InteractionResponse> ProcessInteractionAsync(ValidatedAuthorizeRequest request, ConsentResponse consent = null)
{
    string impersonatedUserName = request.GetPrefixedAcrValue("Impersonate:");
    if (!string.IsNullOrWhiteSpace(impersonatedUserName))
    {
        if (request.Client.AllowedScopes.Contains(Constants.ClaimTypes.Impersonation))
        {
            var currentUser;
            var impersonatedUser;

            //Omited code to verify eligibility to impersonate user

            if (impersonatedUser != null)
            {
                IEnumerable<string> requestedClaimTypes = request.Client.AllowedScopes;

                IdentityServerUser idSrvUser = new IdentityServerUser(impersonatedUser.Id.ToString())
                {
                    AuthenticationTime = Clock.UtcNow.UtcDateTime,
                    DisplayName = impersonatedUser.UserName,
                    IdentityProvider = !string.IsNullOrEmpty(impersonatedUser.PasswordHash) ? IdentityServerConstants.LocalIdentityProvider : "external"
                };

                ProfileDataRequestContext context = new ProfileDataRequestContext(
                    idSrvUser.CreatePrincipal(),
                    request.Client,
                    nameof(AuthorizeInteractionResponseGenerator),
                    requestedClaimTypes);

                await Profile.GetProfileDataAsync(context);

                //Need this claim to flow through to client
                context.IssuedClaims.Add(new Claim(Constants.ClaimTypes.Impersonation, currentUser.UserName));

                foreach (Claim claim in context.IssuedClaims)
                {
                    idSrvUser.AdditionalClaims.Add(claim);
                }

                ClaimsPrincipal newSubject = idSrvUser.CreatePrincipal();

                request.Subject = newSubject;

                Logger.LogInformation("Impersonation set, returning response");

                return new InteractionResponse();
            }
            else
            {
                Logger.LogWarning("Invalid attempt to impersonate user");
                return new InteractionResponse { Error = "Invalid attempt to impersonate user" };
            }
        }
        else
        {
            Logger.LogWarning("Client does not support impersonation!");
            return new InteractionResponse { Error = "Client does not support impersonation" };
        }
    }

    return await base.ProcessInteractionAsync(request, consent);
}

, , . , - , , ? , ?

+4
1

, -, Identity Server 3, . Identity Server , cookie. AuthorizationCodeReceived cookie .

, Identity, , , , , cookie, . - , , ,

0

Source: https://habr.com/ru/post/1688320/

More articles:


All Articles