Jenan

Reputation: 3320

Is it possible to expose the Security Stamp from ASP.NET Core Identity as a claim for OIDC

I am using IdentityServer4 with ASP.NET Core Identity and I'd like to check in my MVC client (which is connected to IdentityServer4) whether the user's SecurityStamp has changed.

My idea is to expose the SecurityStamp as a claim in the id_token and check it in my MVC client in some event of the Cookie middleware.

If the user's security stamp has changed then it will be necessary to log in again.

I want to create this round trip especially because I'd like to check if the user's roles have changed.

1) Is it a good choice to expose the SecurityStamp as a claim?

2) Is there a way to check whether the user's security stamp is still valid in OIDC? Or is it necessary to build my own endpoint for this, like my own API?

Upvotes: 2

Views: 801

Answers (1)

mackie

Reputation: 5264

We've done this and it works well. I return it as the st claim in the tokens and also via the user info endpoint so it's easy for clients to check if it's changed.

We then made it a requirement that (internal) clients periodically check via the userinfo endpoint that st hasn't changed. We also have a custom impersonation implementation and clients check for impersonation grant revocation the same way.

So in short - yes it's a good idea (IMO) and no you don't need to build an API - just expose it via the userinfo endpoint.

Upvotes: 2
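One way to emit the stamp as the st claim on the IdentityServer4 side, so it appears in the id_token and at the userinfo endpoint as the answer describes. This is an added example, not the poster's code; the resource name security_stamp, the IdentityUser type and the class names are assumptions.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Identity;

// Identity resource that carries the stamp. Clients request the "security_stamp"
// scope (assumed name) to receive the "st" claim in the id_token and from userinfo.
public static class StampResources
{
    public static IdentityResource SecurityStamp => new IdentityResource(
        name: "security_stamp",
        displayName: "Security stamp",
        userClaims: new[] { "st" });
}

// Profile service (register with services.AddProfileService<StampProfileService>()).
// It reads the current SecurityStamp from ASP.NET Core Identity on every token and
// userinfo request, so a client polling userinfo always sees the latest value.
public class StampProfileService : IProfileService
{
    private readonly UserManager<IdentityUser> _userManager;

    public StampProfileService(UserManager<IdentityUser> userManager)
    {
        _userManager = userManager;
    }

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var user = await _userManager.FindByIdAsync(context.Subject.GetSubjectId());
        if (user == null) return;

        // Only emit the claim when the client's requested scopes actually ask for it.
        if (context.RequestedClaimTypes.Contains("st"))
        {
            var stamp = await _userManager.GetSecurityStampAsync(user);
            context.IssuedClaims.Add(new Claim("st", stamp));
        }
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        // A deleted or locked-out user is inactive; stamp rotation itself is detected
        // by the client comparing the "st" value from userinfo with the one it cached.
        var user = await _userManager.FindByIdAsync(context.Subject.GetSubjectId());
        context.IsActive = user != null && !await _userManager.IsLockedOutAsync(user);
    }
}
```

On the client, the cookie middleware's OnValidatePrincipal event can call userinfo with the stored access token and reject the principal when the returned st differs from the cached claim, which forces the re-login the question asks for.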
