Open Source Web Application Framework for ASP.NET Core

Dynamic Claims

What is Dynamic Claims and Why do we need it

ASP.NET Core uses claims-based authentication and stores the claims in the cookie or token. These claims are static: they do not change until the user logs in again. If the user's username or role changes, we still get the old claims.

The Dynamic Claims feature is used to dynamically generate claims for the user in each request. You can always get the latest user claims.

How to use it

This feature is disabled by default. You can enable it with the following code:

public override void ConfigureServices(ServiceConfigurationContext context)
{
    context.Services.Configure<AbpClaimsPrincipalFactoryOptions>(options =>
    {
        options.IsDynamicClaimsEnabled = true;
    });
}

If you are using the tiered solution, you need to set the RemoteRefreshUrl to the Auth Server URL in the UI project.

public override void ConfigureServices(ServiceConfigurationContext context)
{
    var configuration = context.Services.GetConfiguration();

    context.Services.Configure<AbpClaimsPrincipalFactoryOptions>(options =>
    {
        options.IsDynamicClaimsEnabled = true;
        // Prefix the default refresh path with the Auth Server's base URL.
        options.RemoteRefreshUrl = configuration["AuthServerUrl"] + options.RemoteRefreshUrl;
    });
}

Then add the DynamicClaims middleware.

public override void OnApplicationInitialization(ApplicationInitializationContext context)
{
    var app = context.GetApplicationBuilder();

    // Add this line before UseAuthorization.
    app.UseDynamicClaims();
    app.UseAuthorization();
    //...
}

How it works

The DynamicClaims middleware uses IAbpClaimsPrincipalFactory to dynamically generate claims for the current user (HttpContext.User) in each request.

There are two implementations of IAbpDynamicClaimsPrincipalContributor for different scenarios.

IdentityDynamicClaimsPrincipalContributor

This implementation is used for the Monolithic solution. It gets the dynamic claims from the IUserClaimsPrincipalFactory and adds/replaces the current user's claims. It uses a cache to improve performance. The cache is invalidated when the user entity changes.

RemoteDynamicClaimsPrincipalContributor

This implementation is used for the Tiered solution. It will get the dynamic claims from the cache of the Auth Server. It will call the RemoteRefreshUrl of the Auth Server to refresh the cache when the cache is invalid.

IAbpDynamicClaimsPrincipalContributor

If you want to add your own dynamic claims contributor, you can create a class that implements the IAbpDynamicClaimsPrincipalContributor interface. The framework will call the ContributeAsync method when it gets the dynamic claims.

It is better to use a cache to improve performance.
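
A custom contributor along these lines, as an added example that is not taken from the ABP source. `IDepartmentLookup`, the `department` claim type and the one-minute TTL are hypothetical; it assumes `IMemoryCache` is registered and that ABP picks up the class through `ITransientDependency`.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.DependencyInjection;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Security.Claims;

// Hypothetical application service: returns the user's current department, or null.
public interface IDepartmentLookup
{
    Task<string?> FindDepartmentAsync(string userId);
}

public class DepartmentDynamicClaimsContributor
    : IAbpDynamicClaimsPrincipalContributor, ITransientDependency
{
    private const string ClaimType = "department"; // constructed claim type
    private static readonly TimeSpan CacheTtl = TimeSpan.FromMinutes(1); // assumed TTL

    public async Task ContributeAsync(AbpClaimsPrincipalContributorContext context)
    {
        var identity = context.ClaimsPrincipal.Identities.FirstOrDefault();
        var userId = identity?.FindFirst(AbpClaimTypes.UserId)?.Value;
        if (identity == null || userId == null)
        {
            return; // anonymous request: nothing to refresh
        }
        var cache = context.ServiceProvider.GetRequiredService<IMemoryCache>();
        var lookup = context.ServiceProvider.GetRequiredService<IDepartmentLookup>();

        // The TTL bounds how long a changed or revoked value can still be served.
        var current = await cache.GetOrCreateAsync($"dept-claim:{userId}", entry =>
        {
            entry.AbsoluteExpirationRelativeToNow = CacheTtl;
            return lookup.FindDepartmentAsync(userId);
        });

        // Drop whatever the cookie or token carried, then add only the current value.
        foreach (var stale in identity.FindAll(ClaimType).ToList())
        {
            identity.RemoveClaim(stale);
        }
        if (current != null)
        {
            identity.AddClaim(new Claim(ClaimType, current));
        }
    }
}
```

Removing the old claim before adding the fresh one means a value revoked on the server disappears from the principal even though it is still present in the cookie or token.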

AbpClaimsPrincipalFactoryOptions

  • IsDynamicClaimsEnabled: Enable or disable the dynamic claims feature.
  • RemoteRefreshUrl: The url of the Auth Server to refresh the cache. It will be used by the RemoteDynamicClaimsPrincipalContributor. The default value is /api/account/dynamic-claims/refresh.
  • DynamicClaims: A list of dynamic claim types. The DynamicClaims contributor will only handle the claim types in this list.
  • ClaimsMap: A dictionary to map the claim types. This is used when the claim types are different between the Auth Server and the client. It is already set up for common claim types by default.

See Also