
I have managed to change my .NET Core 6 Razor Pages app to login using Azure Active Directory by following this https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-sign-user-sign-in?tabs=aspnetcore

The trouble is that I need to add some custom claims to the login, the details of which are in the database (SQL Server), and I do not know how to go about that other than to store the claims in memory.

Previously, I used the following code in my login page.

// Usings needed at the top of the PageModel file.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;

// Cookie-only login handler used before the move to Azure AD. Made async so that
// SignInAsync is awaited instead of being inspected through Task.IsCompletedSuccessfully,
// which was never a reliable signal that the cookie had been issued.
public async Task<IActionResult> OnPostLoginAsync(string returnUrl = null)
{
    returnUrl = returnUrl ?? Url.Content("~/");

    if (ModelState.IsValid)
    {
        if (_userRepository.GetUserValid(Input.Username, Input.Password))
        {
            // The per-user claims come from the database and are serialized into the auth cookie.
            var claimsIdentity = new ClaimsIdentity(
                _loginClaimRepository.ClaimList(Input.Username),
                CookieAuthenticationDefaults.AuthenticationScheme);

            await HttpContext.SignInAsync(
                CookieAuthenticationDefaults.AuthenticationScheme,
                new ClaimsPrincipal(claimsIdentity),
                new AuthenticationProperties
                {
                    IsPersistent = true,
                    ExpiresUtc = new DateTimeOffset(DateTime.UtcNow.AddHours(8)),
                    AllowRefresh = true
                });

            // LocalRedirect rejects absolute URLs, so returnUrl cannot be abused for an open redirect.
            return LocalRedirect(returnUrl);
        }

        // Same generic message for unknown user and wrong password: no account enumeration.
        ModelState.AddModelError(string.Empty, "Invalid login attempt.");
    }

    return Page();
}

I wonder if there is a standard way to intercept the login process and add some custom claims?

Bhavani
  • Could you please let us know why/where you want to add the custom claims, and how you prepare to use them? Can I understand it as: after sign-in you can get the username, then you want to query the database, get some related information and store it somewhere? – Tiny Wang Jan 10 '23 at 02:45
  • If you just want to add claims for id token, you may take a look at [this case](https://learn.microsoft.com/en-us/answers/questions/417758/azure-ad-add-custom-claim-to-access-token.html). – Tiny Wang Jan 10 '23 at 09:20
  • Previously, I was adding the custom claims at login so they were stored in the cookie. The claims stored things like the user's LoginID, AccessLevel, DeletePermission etc. These permissions are all stored in the database, with a screen which can modify them. Some of these could manually be added in Azure, but others like LoginID and AccessLevel could ideally be read from the database. I wondered if upon logging in I could add some claims in addition to the ones in Azure. – Ed Sansbury Jan 10 '23 at 12:20
  • This looks a bit like what I was trying to do https://stackoverflow.com/questions/74233407/maui-aad-authentication-claimsprincipal-with-isauthenticated-always-false but I am using Razor Pages. Thanks for your interest. I will take a look at the link you sent. – Ed Sansbury Jan 10 '23 at 12:21
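The standard interception point in ASP.NET Core for what the question asks is the OpenID Connect `OnTokenValidated` event: it runs after the Azure AD ID token has been validated and before the cookie handler writes the sign-in cookie, so any claims appended to the identity there are persisted in the cookie exactly as the old cookie-only login did. The following is an added example, not code from the question, the answer or the linked Microsoft tutorial. `AddMicrosoftIdentityWebApp`, `AddMicrosoftIdentityUI` and `GetObjectId` come from the Microsoft.Identity.Web package the tutorial uses; `IAppClaimsRepository`, `SqlAppClaimsRepository`, the connection string name `Default`, the table `dbo.UserPermissions` and the `app:` claim type names are assumptions made for illustration.

```csharp
// Program.cs for a .NET 6 Razor Pages app signed in through Azure AD (Microsoft.Identity.Web).
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Data.SqlClient;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical repository that reads per-user permissions from SQL Server.
builder.Services.AddScoped<IAppClaimsRepository, SqlAppClaimsRepository>();

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

// Configure the OIDC handler after Microsoft.Identity.Web has set it up, and chain its own
// OnTokenValidated handler so the library's bookkeeping still runs before ours.
builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    var existingHandler = options.Events.OnTokenValidated;
    options.Events.OnTokenValidated = async context =>
    {
        await existingHandler(context);

        // Key the lookup on the tenant object id (oid), which is immutable, never on a
        // display name or e-mail that the user or an admin can change later.
        var objectId = context.Principal?.GetObjectId();
        if (string.IsNullOrEmpty(objectId) || context.Principal?.Identity is not ClaimsIdentity identity)
        {
            context.Fail("ID token carries no object identifier.");
            return;
        }

        var repo = context.HttpContext.RequestServices.GetRequiredService<IAppClaimsRepository>();
        foreach (var claim in await repo.GetClaimsAsync(objectId))
        {
            identity.AddClaim(claim);
        }
        // Everything added to `identity` here is serialized into the auth cookie that the
        // cookie handler issues right after this event, so later requests do not hit the DB.
    };
});

builder.Services.AddRazorPages().AddMicrosoftIdentityUI();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();
app.Run();

public interface IAppClaimsRepository
{
    Task<IReadOnlyList<Claim>> GetClaimsAsync(string objectId);
}

// Assumed table: dbo.UserPermissions(AadObjectId nvarchar, LoginID nvarchar, AccessLevel int, DeletePermission bit).
public sealed class SqlAppClaimsRepository : IAppClaimsRepository
{
    private readonly string _connectionString;

    public SqlAppClaimsRepository(IConfiguration config)
        => _connectionString = config.GetConnectionString("Default")
            ?? throw new InvalidOperationException("Connection string 'Default' is not configured.");

    public async Task<IReadOnlyList<Claim>> GetClaimsAsync(string objectId)
    {
        var claims = new List<Claim>();
        await using var conn = new SqlConnection(_connectionString);
        await conn.OpenAsync();

        // Parameterized even though the oid came from a validated token: never concatenate it.
        await using var cmd = new SqlCommand(
            "SELECT LoginID, AccessLevel, DeletePermission FROM dbo.UserPermissions WHERE AadObjectId = @oid",
            conn);
        cmd.Parameters.AddWithValue("@oid", objectId);

        await using var reader = await cmd.ExecuteReaderAsync();
        if (await reader.ReadAsync())
        {
            claims.Add(new Claim("app:login_id", reader.GetString(0)));
            claims.Add(new Claim("app:access_level", reader.GetInt32(1).ToString()));
            claims.Add(new Claim("app:delete_permission", reader.GetBoolean(2) ? "true" : "false"));
        }
        // No row: the user is known to Azure AD but not provisioned in the app; they sign in
        // with no app: claims and authorization checks on those claims fail closed.
        return claims;
    }
}
```

Because the claims are baked into the cookie at sign-in, an admin change on the permissions screen is not seen until the cookie expires or the user signs in again. If permissions must take effect promptly, either keep the cookie lifetime short or re-check the database in `CookieAuthenticationEvents.OnValidatePrincipal` and call `RejectPrincipal()` when the stored values no longer match.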

1 Answer


I registered an app in Azure Active Directory by clicking New registration, added the name and clicked Register. (Screenshots omitted.)

After the app registration I went to Manifest and updated the app roles, adding them in JSON format:

"appRoles": [
  {
    "allowedMemberTypes": [ "Application" ],
    "description": "Consumer apps have access to delete consumer data.",
    "displayName": "webapp Delete role",
    "id": "5e491592-0270-40cb-b70d-2f67b3ce0910",
    "isEnabled": true,
    "value": "webapp.delete"
  },
  {
    "allowedMemberTypes": [ "Application" ],
    "description": "Consumer apps have access to update consumer data.",
    "displayName": "webapp Update role",
    "id": "d7395cab-0ae9-41c1-a5cd-e945afca8465",
    "isEnabled": true,
    "value": "webapp.update"
  },
  {
    "allowedMemberTypes": [ "Application" ],
    "description": "Consumer apps have access to write consumer data.",
    "displayName": "webapp Writer role",
    "id": "37605316-22ca-4587-8a98-56e31ba1a2b0",
    "isEnabled": true,
    "value": "webapp.write"
  },
  {
    "allowedMemberTypes": [ "Application" ],
    "description": "Consumer apps have access to read consumer data.",
    "displayName": "webapp Reader role",
    "id": "12eb6844-6ff4-4731-a349-d5f803cfd6c5",
    "isEnabled": true,
    "value": "webapp.read"
  }
],

Saved the manifest update by clicking the Save button, then set the Application ID URI. This value will be used as the scope parameter when requesting an OAuth token for the client app. (Screenshots omitted.)

In this way we can add custom claims to the app registered in Azure Active Directory.

Bhavani
  • Sorry I have taken a while to read this. Would I be right in saying that this method would involve adding all of the claims via the Azure interface? I have lots of claims for each user in my database and ideally wanted to add them during the login process as I was doing previously. This looks like what I am trying to do https://stackoverflow.com/questions/74233407/maui-aad-authentication-claimsprincipal-with-isauthenticated-always-false i.e. programmatically add some claims. I wonder how to add the claims via code and ideally make them persist in a cookie, or in cache at worst. Thank you. – Ed Sansbury Jan 13 '23 at 16:14
  • The above put me on the right track, and the following video explained the rest. https://www.youtube.com/watch?v=LRoc-na27l0 – Ed Sansbury Jun 27 '23 at 13:25
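Once app roles defined in the manifest are assigned and reach the token, Azure AD delivers them in the `roles` claim of the ID token, and the web app authorizes on them without any database lookup. The following is an added example of the consuming side, not code from the answer: the policy names `CanDelete` and `CanRead`, the `DeleteConsumerModel` page and `IConsumerRepository` are assumptions for illustration; `AddMicrosoftIdentityWebApp` and `AddMicrosoftIdentityUI` are from Microsoft.Identity.Web. One caveat on the manifest shown above: `allowedMemberTypes` of `Application` makes a role assignable only to service principals (client-credential callers); for a role to appear in a signed-in user's ID token, the entry also needs `"User"` in `allowedMemberTypes`, and the user or group has to be assigned to the role under the app's Enterprise applications entry.

```csharp
// Program.cs for a .NET 6 Razor Pages app, plus one PageModel guarded by an Azure AD app role.
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    // Azure AD puts the assigned app roles in the "roles" claim. Pointing RoleClaimType at it
    // makes User.IsInRole and RequireRole read that claim instead of the default ClaimTypes.Role URI.
    options.TokenValidationParameters.RoleClaimType = "roles";
});

builder.Services.AddAuthorization(options =>
{
    // Policies are named after the manifest "value" strings so each role string lives in one place.
    options.AddPolicy("CanDelete", policy => policy.RequireRole("webapp.delete"));
    options.AddPolicy("CanRead", policy =>
        policy.RequireRole("webapp.read", "webapp.write", "webapp.update", "webapp.delete"));

    // Fail closed: every page requires an authenticated user unless marked [AllowAnonymous].
    options.FallbackPolicy = options.DefaultPolicy;
});

builder.Services.AddRazorPages().AddMicrosoftIdentityUI();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();
app.Run();

// Pages/Consumers/Delete.cshtml.cs: only principals holding webapp.delete reach OnPostAsync.
// The attribute is the enforcement point; hiding the Delete button in the view is not.
[Authorize(Policy = "CanDelete")]
public class DeleteConsumerModel : PageModel
{
    private readonly IConsumerRepository _consumers; // hypothetical data access

    public DeleteConsumerModel(IConsumerRepository consumers) => _consumers = consumers;

    public async Task<IActionResult> OnPostAsync(int id)
    {
        await _consumers.DeleteAsync(id);
        return RedirectToPage("/Consumers/Index");
    }
}

public interface IConsumerRepository
{
    Task DeleteAsync(int id);
}
```

`User.IsInRole("webapp.delete")` can be used inside a handler for finer-grained branches, but a page-level `[Authorize(Policy = ...)]` keeps the decision out of the handler body and is what a reviewer will look for.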