Quick Tip - Linking User Identity to OAuth Tokens in WebAPI

Published Feb 2, 2015 (10 years ago)
The last modifications of this post were around 10 years ago, some information may be outdated!

In my Zurb For Applications .Net Scaffolding, I set up a base .Net WebAPI project that uses OAuth tokens for a better form of authentication in a single page application model. Since the token can carry any details about the user that you want to encode, here's a quick trick to expose the User.Identity.Name property and the User.IsInRole method, which improves the authentication and authorization capabilities within your app.

The trick comes in the GrantResourceOwnerCredentials method, which verifies the credentials and returns the OAuth context for the user logging in. Typically you see a new ClaimsIdentity created like this:

// Inside GrantResourceOwnerCredentials. "sub" and "role" are stored as claims, but nothing
// tells the identity to use them, so Identity.Name is null and IsInRole("user") is false.
var identity = new ClaimsIdentity(context.Options.AuthenticationType);
identity.AddClaim(new Claim("sub", context.UserName));
identity.AddClaim(new Claim("role", "user"));

The ClaimsIdentity constructor has several signatures available, and one of them lets you define which claim types are used for the Identity.Name and role properties of the object. What we can do is update the constructor call to look something like this:

// "id" is the claim type backing Identity.Name; "role" is the claim type backing IsInRole.
// userId is the user's unique Id, looked up when the credentials were verified above.
var identity = new ClaimsIdentity(context.Options.AuthenticationType, "id", "role");
identity.AddClaim(new Claim("sub", context.UserName));
identity.AddClaim(new Claim("username", context.UserName));
identity.AddClaim(new Claim("id", userId));
identity.AddClaim(new Claim("role", "user"));

From here you can see that I've identified the "id" claim and the "role" claim to be used. Now, after the user is logged in and you are processing a request in a WebAPI controller, you can simply use:

var userId = User.Identity.Name; // inside an ApiController action

…and the Id of the authenticated user is available to you. This allows you to run user-targeted requests without having to pass their unique Id in plain text, since it is encoded (and properly decoded) within the authentication token we are already using. In addition, executing:

var isUser = User.IsInRole("user");

…will return true since we’ve properly mapped the user role. Hope this helps!
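Here is the technique above carried through end to end, as an added example that is not code from the original post or from the scaffolding project: an OAuthAuthorizationServerProvider whose GrantResourceOwnerCredentials maps "id" and "role" into the identity, and a controller that relies on User.Identity.Name and User.IsInRole. The in-memory user store, the ApiAuthProvider and ProfileController names, and the injected password-verification delegate are assumptions for illustration; the provider is registered from Startup via OAuthAuthorizationServerOptions.Provider.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin.Security.OAuth;

public class ApiAuthProvider : OAuthAuthorizationServerProvider
{
    public class UserRecord { public string Id; public string PasswordHash; public string Role; }
    // Constructed in-memory store for this example; a real app looks the user up in its database.
    private static readonly Dictionary<string, UserRecord> Users = new Dictionary<string, UserRecord>
    {
        { "alice", new UserRecord { Id = "1001", PasswordHash = "<stored-hash>", Role = "user" } }
    };
    // Hypothetical password check supplied by the app from Startup (e.g. a salted-hash comparison).
    private readonly Func<string, string, bool> _verifyPassword;
    public ApiAuthProvider(Func<string, string, bool> verifyPassword) { _verifyPassword = verifyPassword; }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        UserRecord user;
        if (!Users.TryGetValue(context.UserName, out user) || !_verifyPassword(context.Password, user.PasswordHash))
        {
            // One generic message, so the response does not reveal which half of the credentials was wrong.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult(0);
        }
        // nameType "id" becomes User.Identity.Name and roleType "role" feeds User.IsInRole;
        // every claim value comes from the server-side record, never from the request body.
        var identity = new ClaimsIdentity(context.Options.AuthenticationType, "id", "role");
        identity.AddClaim(new Claim("sub", context.UserName));
        identity.AddClaim(new Claim("username", context.UserName));
        identity.AddClaim(new Claim("id", user.Id));
        identity.AddClaim(new Claim("role", user.Role));
        context.Validated(identity);
        return Task.FromResult(0);
    }
}

[Authorize]
public class ProfileController : ApiController
{
    // GET api/profile: the record is chosen by the id inside the token, so a caller cannot
    // supply another user's id in the URL or body and read that user's data.
    public IHttpActionResult Get()
    {
        if (!User.IsInRole("user"))                 // resolved from the "role" claim
            return StatusCode(HttpStatusCode.Forbidden);
        var userId = User.Identity.Name;            // resolved from the "id" claim
        return Ok(new { id = userId });             // replace with your own lookup keyed by userId
    }
}
```

Because AuthorizeAttribute in Web API calls IsInRole on the principal, the explicit role check in Get() is equivalent to decorating the action with [Authorize(Roles = "user")].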