Identity Claims Provider Mapping in ASP.NET

Time:10-18

I have an MVC app with an OData API (both .NET Framework), and they support multiple Authentication/Identity providers. The issue is that the claim types are inconsistent in certain scenarios -- e.g., sub vs uid for the user id. Is there a recommended approach in .NET Framework to provide claim type mapping capabilities?

I'm thinking of creating an ActionFilter and passing in an ILookup or something during startup which I'm confident will work, but I'm just wondering if there's a better way to handle it.

Thanks

CodePudding user response:

Found my solution.

I'm using custom ClaimsAuthenticationManager (System.Security.Claims) implementations in order to remap claim types and add custom claims when needed:

using System.Security.Claims;

// ClaimsAuthenticationManager subclass. The Add*/Remap* helpers are the
// poster's own methods and are not shown on the page.
public class CustomClaimsManager : ClaimsAuthenticationManager
{
    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        // Anonymous requests pass through untouched.
        if (incomingPrincipal.Identity.IsAuthenticated)
        {
            ClaimsIdentity identity = (ClaimsIdentity)incomingPrincipal.Identity;

            AddUserIdClaim(identity);      // e.g. sub / uid -> one user-id claim type
            AddUserNameClaim(identity);
            AddUserEmailClaim(identity);
            RemapGroups(identity);         // remap provider group claims
        }

        return incomingPrincipal;
    }
}

And it's used in Global.asax.cs:

using System.Security.Claims;
using System.Threading;
using System.Web;

    protected void Application_PostAuthenticateRequest()
    {
        // Runs after the authentication module has set the principal for this request.
        ClaimsPrincipal currentPrincipal = ClaimsPrincipal.Current;
        CustomClaimsManager customClaimsTransformer = new CustomClaimsManager();
        ClaimsPrincipal transformedClaimsPrincipal = customClaimsTransformer.Authenticate(string.Empty, currentPrincipal);
        // Set both so Thread.CurrentPrincipal and HttpContext.Current.User agree.
        Thread.CurrentPrincipal = transformedClaimsPrincipal;
        HttpContext.Current.User = transformedClaimsPrincipal;
    }
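An added example, not the poster's code, showing one way to fill in the Add*/Remap* helpers of a ClaimsAuthenticationManager with a per-issuer mapping table. It adds two checks a practitioner would want when several identity providers feed the same app: the mapping is chosen by the issuer recorded on the claims (set by the token handler, not by the client) and fails closed on an unknown or mixed issuer, and the canonical user id is prefixed with the issuer so that the same raw id value from two providers can never collide. The issuer URIs, provider claim-type names and the group-to-role table are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example, not the poster's code. Issuer URIs, provider claim-type names
// and the group-to-role table below are illustrative assumptions.
public sealed class ProviderClaimMap
{
    public string UserIdType { get; }
    public string UserNameType { get; }
    public string EmailType { get; }
    public string GroupType { get; }
    public IReadOnlyDictionary<string, string> GroupToRole { get; }

    public ProviderClaimMap(string userIdType, string userNameType, string emailType,
                            string groupType, IReadOnlyDictionary<string, string> groupToRole)
    {
        UserIdType = userIdType;
        UserNameType = userNameType;
        EmailType = emailType;
        GroupType = groupType;
        GroupToRole = groupToRole;
    }
}

public sealed class IssuerAwareClaimsManager : ClaimsAuthenticationManager
{
    // One mapping per trusted issuer. Issuers not listed here are rejected.
    private static readonly Dictionary<string, ProviderClaimMap> Providers =
        new Dictionary<string, ProviderClaimMap>(StringComparer.Ordinal)
        {
            ["https://idp-a.example"] = new ProviderClaimMap(
                "sub", "preferred_username", "email", "groups",
                new Dictionary<string, string> { ["app-admins"] = "Admin", ["app-users"] = "User" }),
            ["https://idp-b.example"] = new ProviderClaimMap(
                "uid", "name", "mail", "memberOf",
                new Dictionary<string, string> { ["CN=AppAdmins,OU=Groups,DC=corp,DC=example"] = "Admin" }),
        };

    // Claim types the application relies on. Provider-supplied claims of these
    // types are dropped so that only this mapping can produce them.
    private static readonly HashSet<string> CanonicalTypes = new HashSet<string>(StringComparer.Ordinal)
    {
        ClaimTypes.NameIdentifier, ClaimTypes.Name, ClaimTypes.Email, ClaimTypes.Role,
    };

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        ClaimsIdentity identity = incomingPrincipal?.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return incomingPrincipal;   // anonymous request: nothing to map

        // Claim.Issuer is filled in by the token handler from the validated token,
        // so it is the key for choosing a mapping. Mixed or unknown issuers fail closed.
        List<string> issuers = identity.Claims.Select(c => c.Issuer).Distinct(StringComparer.Ordinal).ToList();
        ProviderClaimMap map;
        if (issuers.Count != 1 || !Providers.TryGetValue(issuers[0], out map))
            return Anonymous();
        string issuer = issuers[0];

        string userId = identity.FindFirst(map.UserIdType)?.Value;
        if (string.IsNullOrEmpty(userId))
            return Anonymous();         // a token without a subject identifies nobody

        var claims = new List<Claim>
        {
            // Prefix with the issuer so "123" from IdP A never collides with "123" from IdP B.
            Local(ClaimTypes.NameIdentifier, issuer + "|" + userId),
        };
        string userName = identity.FindFirst(map.UserNameType)?.Value;
        if (!string.IsNullOrEmpty(userName)) claims.Add(Local(ClaimTypes.Name, userName));
        string email = identity.FindFirst(map.EmailType)?.Value;
        if (!string.IsNullOrEmpty(email)) claims.Add(Local(ClaimTypes.Email, email));

        // Application roles come only from the per-issuer table, never straight from the token.
        foreach (Claim group in identity.FindAll(map.GroupType))
        {
            string role;
            if (map.GroupToRole.TryGetValue(group.Value, out role)
                && !claims.Any(c => c.Type == ClaimTypes.Role && c.Value == role))
                claims.Add(Local(ClaimTypes.Role, role));
        }

        // Keep the raw provider claims for diagnostics, minus any that would shadow the canonical ones.
        claims.AddRange(identity.Claims.Where(c => !CanonicalTypes.Contains(c.Type)));

        // A fresh identity with explicit name/role claim types, so Identity.Name and IsInRole work.
        return new ClaimsPrincipal(new ClaimsIdentity(claims, identity.AuthenticationType, ClaimTypes.Name, ClaimTypes.Role));
    }

    private static Claim Local(string type, string value) =>
        new Claim(type, value, ClaimValueTypes.String, ClaimsIdentity.DefaultIssuer);

    private static ClaimsPrincipal Anonymous() => new ClaimsPrincipal(new ClaimsIdentity());
}
```

Wiring is the same as the Application_PostAuthenticateRequest hook above, with this class in place of CustomClaimsManager. Two differences from the posted approach are deliberate: the manager returns a new principal rather than mutating the incoming identity, and an identity whose claims carry an issuer outside the table comes back as an unauthenticated principal, which the hook then assigns to HttpContext.Current.User. If something earlier in your pipeline already appends locally issued claims (issuer "LOCAL AUTHORITY") before this runs, key the lookup on the issuer of the subject claim instead of requiring a single issuer across all claims.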