Adding additional claims to Identity (#17394)

damienbod · scottaddie · web-flow · commit a70c1ff3870c · 2020-03-31T16:45:39.000-05:00
* Adding additional claims to Identity

* improve text

* Adding review fixes

* minor edits

* fix build warning

* fix invalid dev lang

* fix another invalid dev lang

Co-authored-by: Scott Addie &lt;10702007+scottaddie@users.noreply.github.com&gt;
diff --git a/aspnetcore/security/authentication/add-user-data.md b/aspnetcore/security/authentication/add-user-data.md
@@ -3,7 +3,7 @@ title: Add, download, and delete user data to Identity in an ASP.NET Core projec
 author: rick-anderson
 description: Learn how to add custom user data to Identity in an ASP.NET Core project. Delete data per GDPR.
 ms.author: riande
-ms.date: 01/28/2020
+ms.date: 03/26/2020
 ms.custom: "mvc, seodec18"
 uid: security/authentication/add-user-data
 ---
@@ -164,7 +164,7 @@ Update the *Areas/Identity/Pages/Account/Manage/Index.cshtml* with the following
 
 Update the *Areas/Identity/Pages/Account/Manage/Index.cshtml* with the following highlighted markup:
 
-[!code-chtml[](add-user-data/samples/2.x/SampleApp/Areas/Identity/Pages/Account/Manage/Index.cshtml?highlight=35-42)]
+[!code-cshtml[](add-user-data/samples/2.x/SampleApp/Areas/Identity/Pages/Account/Manage/Index.cshtml?highlight=35-42)]
 
 ::: moniker-end
 
@@ -188,7 +188,7 @@ Update the *Areas/Identity/Pages/Account/Register.cshtml* with the following hig
 
 Update the *Areas/Identity/Pages/Account/Register.cshtml* with the following highlighted markup:
 
-[!code-chtml[](add-user-data/samples/2.x/SampleApp/Areas/Identity/Pages/Account/Register.cshtml?highlight=16-25)]
+[!code-cshtml[](add-user-data/samples/2.x/SampleApp/Areas/Identity/Pages/Account/Register.cshtml?highlight=16-25)]
 
 ::: moniker-end
 
@@ -222,3 +222,77 @@ Test the app:
 * Register a new user.
 * View the custom user data on the `/Identity/Account/Manage` page.
 * Download and view the users personal data from the `/Identity/Account/Manage/PersonalData` page.
+
+## Add claims to Identity using IUserClaimsPrincipalFactory<ApplicationUser>
+
+Additional claims can be added to ASP.NET Core Identity by using the `IUserClaimsPrincipalFactory<T>` interface. This class can be added to the app in the `Startup.ConfigureServices` method. Add the custom implementation of the class as follows:
+
+```csharp
+public void ConfigureServices(IServiceCollection services)
+{
+	services.AddIdentity<ApplicationUser, IdentityRole>()
+		.AddEntityFrameworkStores<ApplicationDbContext>()
+		.AddDefaultTokenProviders();
+
+	services.AddScoped<IUserClaimsPrincipalFactory<ApplicationUser>, 
+		AdditionalUserClaimsPrincipalFactory>();
+```
+
+The demo code uses the `ApplicationUser` class. This class adds an `IsAdmin` property which is used to add the additional claim.
+
+```csharp
+public class ApplicationUser : IdentityUser
+{
+	public bool IsAdmin { get; set; }
+}
+```
+
+The `AdditionalUserClaimsPrincipalFactory` implements the `UserClaimsPrincipalFactory` interface. A new role claim is added to the `ClaimsPrincipal`.
+
+```csharp
+public class AdditionalUserClaimsPrincipalFactory 
+		: UserClaimsPrincipalFactory<ApplicationUser, IdentityRole>
+{
+	public AdditionalUserClaimsPrincipalFactory( 
+		UserManager<ApplicationUser> userManager,
+		RoleManager<IdentityRole> roleManager, 
+		IOptions<IdentityOptions> optionsAccessor) 
+		: base(userManager, roleManager, optionsAccessor)
+	{}
+
+	public async override Task<ClaimsPrincipal> CreateAsync(ApplicationUser user)
+	{
+		var principal = await base.CreateAsync(user);
+		var identity = (ClaimsIdentity)principal.Identity;
+
+		var claims = new List<Claim>();
+		if (user.IsAdmin)
+		{
+			claims.Add(new Claim(JwtClaimTypes.Role, "admin"));
+		}
+		else
+		{
+			claims.Add(new Claim(JwtClaimTypes.Role, "user"));
+		}
+
+		identity.AddClaims(claims);
+		return principal;
+	}
+}
+```
+
+The additional claim can then be used in the app. In a Razor Page, the `IAuthorizationService` instance can be used to access the claim value.
+
+```cshtml
+@using Microsoft.AspNetCore.Authorization
+@inject IAuthorizationService AuthorizationService
+
+@if ((await AuthorizationService.AuthorizeAsync(User, "IsAdmin")).Succeeded)
+{
+	<ul class="mr-auto navbar-nav">
+		<li class="nav-item">
+			<a class="nav-link" asp-controller="Admin" asp-action="Index">ADMIN</a>
+		</li>
+	</ul>
+}
+```
