Beware in ASP.NET Core 2.0: Claims transformation might run multiple times

August 30, 2017

In ASP.NET Core, you can add a claims transformation service to your application, as such:

public void ConfigureServices(IServiceCollection services)
{
   services.AddMvc();
   services.AddAuthentication(options =>
   {
      options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
   }).AddCookie();

   // Registered once, but invoked every time the principal is authenticated
   services.AddTransient<IClaimsTransformation, ClaimsTransformer>();
}

And then your ClaimsTransformer might look like this:

class ClaimsTransformer : IClaimsTransformation
{
   public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
   {
      // Mutates the incoming principal's identity in place (see the caveat below)
      ((ClaimsIdentity)principal.Identity).AddClaim(new Claim("now", DateTime.Now.ToString()));
      return Task.FromResult(principal);
   }
}

And that might be fine. But beware that the transformer might be invoked multiple times per request. If an app has this code (quite possibly in different locations in the app):

await HttpContext.AuthenticateAsync();
await HttpContext.AuthenticateAsync();

Then each time AuthenticateAsync is called, the claims transformer is invoked, so with the implementation above we’d be adding the “now” claim to the same identity multiple times.

Moral of the story: claims transformation should be more defensive and/or return a new principal rather than mutating the one it was handed, as such:

class ClaimsTransformer : IClaimsTransformation
{
   public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
   {
      var id = (ClaimsIdentity)principal.Identity;

      // Copy the incoming identity instead of mutating it
      var ci = new ClaimsIdentity(id.Claims, id.AuthenticationType, id.NameClaimType, id.RoleClaimType);
      ci.AddClaim(new Claim("now", DateTime.Now.ToString()));

      // Return a fresh principal; the one passed in is left untouched
      var cp = new ClaimsPrincipal(ci);

      return Task.FromResult(cp);
   }
}
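As an added example (not the post's own code), here is a version that combines both defences: it checks for the marker claim before doing any work and never mutates the incoming principal, with a small console harness standing in for the repeated AuthenticateAsync calls. It assumes a project that references Microsoft.AspNetCore.Authentication.Abstractions; the DefensiveClaimsTransformer, Program and NowClaims names are mine, and only the claim type "now" comes from the post.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

// Added example: a claims transformation that is safe to run more than once per request.
class DefensiveClaimsTransformer : IClaimsTransformation
{
    const string MarkerClaimType = "now";

    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Idempotency: an earlier AuthenticateAsync() in this request may already have run us.
        if (principal.HasClaim(c => c.Type == MarkerClaimType))
            return Task.FromResult(principal);

        // Anonymous or non-claims identity: nothing to enrich, and no cast to blow up on.
        if (!(principal.Identity is ClaimsIdentity id))
            return Task.FromResult(principal);

        // Copy instead of mutating: as the post shows, repeated AuthenticateAsync() calls
        // can hand the same principal instance back to the transformer.
        var ci = new ClaimsIdentity(id.Claims, id.AuthenticationType, id.NameClaimType, id.RoleClaimType);
        ci.AddClaim(new Claim(MarkerClaimType, DateTime.UtcNow.ToString("o")));
        return Task.FromResult(new ClaimsPrincipal(ci));
    }
}

static class Program
{
    static int NowClaims(ClaimsPrincipal p) => p.Claims.Count(c => c.Type == "now");

    static async Task Main()
    {
        // Constructed sample principal, standing in for the one the cookie handler produces.
        var original = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, "alice") }, "Cookies"));
        IClaimsTransformation transformer = new DefensiveClaimsTransformer();

        // Two AuthenticateAsync() calls in one request: same input principal both times.
        var first = await transformer.TransformAsync(original);
        var again = await transformer.TransformAsync(original);
        // And a transformer re-run over an already transformed principal.
        var chained = await transformer.TransformAsync(first);

        Console.WriteLine($"original={NowClaims(original)} first={NowClaims(first)} again={NowClaims(again)} chained={NowClaims(chained)}");
    }
}
```

The original principal should report no "now" claim after both runs, and each transformed principal exactly one.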

HTH

Demos — DevTeach Montreal, July 2017

July 7, 2017

The demos and slides for my sessions from DevTeach are here: https://1drv.ms/f/s!AjXKCyy1XZYBjyO7i8tyom6PhJM_ and the home page for IdentityServer is http://identityserver.io/.

Thanks for coming!

VS Live Redmond, August 2017

July 6, 2017

I’ll be doing a 1-day version of our Modern Security for ASP.NET Core workshop at VS Live in Redmond on August 14th, 2017. If you’re interested, you can get $500 off the conference 5-day price by using the code “RDSPK01” at registration.

I’m also doing two sessions: One on User Authentication for ASP.NET Core web applications, and another on Securing APIs in ASP.NET Core.

Hope to see you there!

Rhode Island OWASP, Tuesday June 20th, 2017

June 19, 2017

I’ll be speaking at my local OWASP chapter in Rhode Island tomorrow (Tuesday June 20th, 2017). The topic will be on (of course) modern security architecture with OpenID Connect.

Hope to see you there!

DevTeach, Montreal 2017

May 23, 2017

I’ll be speaking at DevTeach in Montreal this July, 2017. I am doing a one-day version of our security workshop, and two sessions (one on IdentityServer and another on securing SPA/JavaScript applications and APIs).

Hope to see you there!

DevSum Stockholm and NDC Oslo, 2017

April 27, 2017

I’ll be speaking at DevSum in Stockholm, Sweden in early June. I’ll be doing a one-day version of our modern ASP.NET Core security course, and a session on securing JavaScript/SPA and API applications.

The week after, I’ll be speaking at NDC in Oslo, Norway. Dominick and I will be doing a two-day version of our modern ASP.NET Core security course, and a session on authorization patterns for .NET applications.

Hope to see you there!

Demos — Boston Code Camp, March 2017

March 25, 2017

The demos and slides for my “Securing ASP.NET Core Web Applications and APIs using IdentityServer” session are here: https://1drv.ms/f/s!AjXKCyy1XZYBjnNA6hk-4Spii0jE.

Thanks for coming!