user7730840

Store Claims into COOKIE in ASP.NET CORE 2.1

I need to authenticate a user from an Identity Provider using OpenID Connect; after successful authentication I need to store the user's claims in cookies.

But I can't find an Append method on Request.Cookies that takes three arguments; I can only pass a KeyValuePair as a single argument.

Here is my code

public IActionResult Login(string provider, string returnUrl = null)
{
    // Challenge(...) only builds a ChallengeResult; it has no effect unless
    // the result is returned from the action.
    Challenge(new AuthenticationProperties { RedirectUri = returnUrl ?? "/" }, provider);

    // This does not compile: Request.Cookies is the read-only IRequestCookieCollection.
    // The three-argument Append(key, value, CookieOptions) lives on Response.Cookies.
    Request.Cookies.Append("key", "value", new CookieOptions());

    return View();
}

I also need to confirm where I should write the code for cookie storage so that the claims aren't stored again once the user is authenticated successfully.

Here is my code for Authentication

services.AddAuthentication(options =>
{
    // The cookie handler authenticates, signs in and challenges by default;
    // the OpenID Connect handler is only invoked when challenged by name.
    options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddOpenIdConnect(options =>
{
    options.Authority = "https://accounts.google.com";
    options.ClientId = _clientID;
    options.ResponseType = "code id_token";
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.Scope.Add("email");
    // Store the tokens returned by the provider inside the authentication ticket.
    options.SaveTokens = true;
    options.ClientSecret = _clientSecret;
    //options.GetClaimsFromUserInfoEndpoint = true;
    options.CallbackPath = "/home/index";
    //options.SignedOutRedirectUri = redirectUrl;

    options.Events = new OpenIdConnectEvents()
    {
        // handle the logout redirection (redirectUrl is defined elsewhere in the project)
        OnRedirectToIdentityProviderForSignOut = context =>
        {
            context.Response.Redirect(redirectUrl);
            context.HandleResponse();

            return Task.CompletedTask;
        }
    };
})
.AddCookie(options =>
{
    options.LoginPath = "/auth/signin";
});

Thanks in advance.

Upvotes: 0

Views: 2377

Answers (1)

Anders Abel

Reputation: 69250

Don't store the claims in a cookie yourself, because the end user can modify the cookie. What if I modify the cookie and add a claim Role = Administrator (or whatever concept you have in your application to represent access rights)?

Use the provided cookie handler to store the claims after Authentication. That is how the model is meant to be used. The cookie handler will encrypt and sign the contents to protect it from tampering.

Update after Edit

With your code, you are already storing the result of the authentication in a cookie, thanks to DefaultSignInScheme.

You should have the resulting claims available in the User supplied in subsequent requests.

Upvotes: 2
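The flow the answer describes, written out as an added example for ASP.NET Core 2.1 (this is not code from the question or the answer): the OpenID Connect handler validates the id_token, the cookie handler writes the resulting principal into a Data Protection-encrypted and signed ticket, and later requests read the claims from User. It also answers the "where do I add my own claims once" part of the question: do it in OnTicketReceived, which runs exactly once per sign-in, before the cookie is issued. The controller name, the "/account/login" path, the "<client-id>" and "<client-secret>" placeholders and the "urn:example:tenant" claim type are assumptions for illustration; unlike the question's setup, it makes OpenID Connect the default challenge scheme so [Authorize] redirects straight to the provider.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            // Authenticate and sign in with the cookie handler; challenge with OIDC.
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie(options =>
        {
            options.LoginPath = "/account/login"; // assumed path
            // The ticket itself is encrypted and signed by Data Protection, so a user
            // cannot add a Role claim. These flags stop the browser from sending the
            // cookie over plain HTTP, exposing it to script, or attaching it to
            // cross-site POSTs.
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Lax;
        })
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://accounts.google.com";
            options.ClientId = "<client-id>";         // assumed placeholder
            options.ClientSecret = "<client-secret>"; // assumed placeholder
            options.ResponseType = "code id_token";
            options.Scope.Add("email");               // "openid" and "profile" are defaults
            options.SaveTokens = true;                // tokens go into the same protected ticket
            options.Events = new OpenIdConnectEvents
            {
                // Runs once, after the id_token has been validated and before the
                // cookie handler signs the principal in. Application claims added
                // here are written into the protected ticket; nothing needs to be
                // stored again from a controller.
                OnTicketReceived = context =>
                {
                    var identity = (ClaimsIdentity)context.Principal.Identity;
                    identity.AddClaim(new Claim("urn:example:tenant", "acme")); // assumed claim
                    return Task.CompletedTask;
                }
            };
        });

        services.AddMvc();
    }
}

public class AccountController : Controller
{
    // The ChallengeResult must be returned; calling Challenge() and discarding
    // the result does nothing.
    [HttpGet]
    public IActionResult Login(string returnUrl = null)
    {
        var props = new AuthenticationProperties { RedirectUri = returnUrl ?? "/" };
        return Challenge(props, OpenIdConnectDefaults.AuthenticationScheme);
    }

    // On every later request the cookie middleware decrypts and validates the
    // ticket and populates User, so the claims are read, never re-stored.
    [Authorize]
    public async Task<IActionResult> Profile()
    {
        var email = User.FindFirst(ClaimTypes.Email)?.Value;
        var tenant = User.FindFirst("urn:example:tenant")?.Value;
        // Available because SaveTokens = true; the token sits inside the ticket,
        // not in a separate unprotected cookie.
        var idToken = await HttpContext.GetTokenAsync("id_token");
        return Content($"email={email} tenant={tenant} id_token_present={idToken != null}");
    }

    public async Task<IActionResult> Logout()
    {
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        return Redirect("/");
    }
}
```

If you need claims the provider does not issue (roles looked up in your own database, for example), OnTicketReceived is the place to add them: the cookie handler signs and encrypts whatever principal it receives, so those claims get the same tamper protection as the ones from the id_token.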
