
Blazor Server and the use of IClaimsTransformation


Net Core and I've been experimenting with creating a small Blazor Server app, with a view to moving some of our larger in-house applications (currently in .Net WebForms) to it. We use a mix of windows authentication (users can only access application if they are on our domain) and roles that come from a UserRoles table in the db.

I've managed to create a Blazor server app that uses windows authentication and makes use of an IClaimsTransformation class to fetch the roles for the user from the db and add them as claims. All seems to be working well and I can use the roles in authorizing content.

My understanding of how this works is that each time the app needs to apply an Authorization rule it would end up making a call via the IClaimsTransformation, which in turn would call my method that queries the db for the user roles.

However, when debugging my app I've noticed that the method within my IClaimsTransformation class is called several times on starting up the app (making a call to the db each time) but then is never called again. When I go to sections of the app that have authorization rules they are enforced, so I presume the roles are being cached by default? (I haven't set up any caching)

This means that if a user's roles are changed whilst they are using the app, the claims held in the app are not updated. Only way to force the new roles to take effect is to close and reopen app, which causes the method in the IClaimsTransformation class to be called several times and the new roles fetched.

Really I'm just curious as to whether this behaviour I am seeing is what is expected for my scenario or if I've missed something in my configuration of this.

My IClaimsTransformation class:

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;

public class ClaimsTransformer : IClaimsTransformation
{
    private readonly UserProfileService _userProfileService;

    public ClaimsTransformer(UserProfileService userProfileService)
    {
        _userProfileService = userProfileService;
    }

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // User is not authenticated (or has no identity), so just return right away
        if (principal.Identity?.IsAuthenticated is not true)
        {
            return principal;
        }

        ClaimsIdentity claimsIdentity = new ClaimsIdentity();

        // Calls the method in UserProfileService that returns the list of roles for the given username
        List<Role> roleList = (await _userProfileService.GetRolesForUserNameAsync(principal.Identity.Name)).ToList();

        foreach (Role r in roleList)
        {
            // TransformAsync can run more than once for the same principal, so
            // match on role claim type and value to avoid adding duplicates
            if (!principal.HasClaim(claimsIdentity.RoleClaimType, r.RoleName))
            {
                claimsIdentity.AddClaim(new Claim(claimsIdentity.RoleClaimType, r.RoleName));
            }
        }

        principal.AddIdentity(claimsIdentity);
        return principal;
    }
}
```

Relevant parts of Program.cs:

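```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Negotiate;

builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
    .AddNegotiate();

builder.Services.AddAuthorization(options =>
{
    // By default, all incoming requests will be authorized according to the default policy.
    options.FallbackPolicy = options.DefaultPolicy;
});

// Runs after Negotiate authentication to add the db roles as claims
builder.Services.AddTransient<IClaimsTransformation, ClaimsTransformer>();
```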

Authorize views used in pages:

```razor
<AuthorizeView Roles="Admin">
    <Authorized>
        <p>You are an Admin</p>
    </Authorized>
    <NotAuthorized>
        <p>You are not an Admin</p>
    </NotAuthorized>
</AuthorizeView>
```
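
Added example, not part of the original post: Blazor Server keeps the `ClaimsPrincipal` it received when the circuit was created, so one way to bound how long revoked roles stay usable is a `RevalidatingServerAuthenticationStateProvider` that periodically compares the circuit's role claims with the database. It assumes the post's `UserProfileService.GetRolesForUserNameAsync` returns an enumerable of `Role` with a `RoleName` string and is registered in DI; the class name and the one-minute interval are constructed for illustration.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.AspNetCore.Components.Server;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Added example (not from the post). Register after AddServerSideBlazor():
//   builder.Services.AddScoped<AuthenticationStateProvider, RoleRevalidatingProvider>();
public class RoleRevalidatingProvider : RevalidatingServerAuthenticationStateProvider
{
    private readonly IServiceScopeFactory _scopeFactory;

    public RoleRevalidatingProvider(ILoggerFactory loggerFactory, IServiceScopeFactory scopeFactory)
        : base(loggerFactory)
    {
        _scopeFactory = scopeFactory;
    }

    // Constructed value: the longest a revoked role can remain usable in an open circuit
    protected override TimeSpan RevalidationInterval => TimeSpan.FromMinutes(1);

    protected override async Task<bool> ValidateAuthenticationStateAsync(
        AuthenticationState authenticationState, CancellationToken cancellationToken)
    {
        ClaimsPrincipal user = authenticationState.User;
        string? userName = user.Identity?.Name;
        if (user.Identity?.IsAuthenticated is not true || userName is null)
        {
            return false;
        }

        // Fresh DI scope so the lookup does not reuse services held by the circuit
        await using AsyncServiceScope scope = _scopeFactory.CreateAsyncScope();
        var profiles = scope.ServiceProvider.GetRequiredService<UserProfileService>();

        // Roles as they are in the db right now
        HashSet<string> current = (await profiles.GetRolesForUserNameAsync(userName))
            .Select(r => r.RoleName).ToHashSet();

        // Roles the claims transformer added when the circuit started
        HashSet<string> cached = user.FindAll(ClaimTypes.Role)
            .Select(c => c.Value).ToHashSet();

        // Any difference (role added or removed) invalidates the cached state
        return cached.SetEquals(current);
    }
}
```

When the method returns `false`, the base class replaces the circuit's authentication state with an anonymous user, so role-protected content stops rendering until the page is reloaded and the claims transformation runs again.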
