Johan B - 6 days ago
ASP.NET (C#) Question

IdentityServer3 change subjectid/username during partial login

We're implementing our own SSO provider using IdentityServer3. We're almost done except that we have the requirement where when the user logs in for the first time they will have to change their username, password and supply other information. The problem lies with the change of the username: it needs to also change the subject id so when the partial login finishes the client also receives the new username, not the old one.

So what we need is a way, in the partial login, to change the sub claim. Searching the internet for this problem didn't give me any useful results. I've tried to change the claim but I'm unable to make it persist beyond the post request. I've done the following:

var ctx = Request.GetOwinContext();
var authentication = await ctx.Authentication.AuthenticateAsync(Constants.PartialSignInAuthenticationType);

// Look the "sub" claim up on the same identity it is removed from
authentication.Identity.RemoveClaim(authentication.Identity.FindFirst("sub"));
authentication.Identity.AddClaim(new Claim("sub", model.NewUsername));


This, unfortunately, doesn't work because the claims I here have are just copies. What is the correct way to change the subject?

Answer

I've just discovered, while looking in the IdentityServer3.Core.Extensions.OwinEnvironmentExtensions class (the same extensions class that hosts the GetIdentityServerPartialLoginAsync() method), that there is a method named UpdatePartialLoginClaimsAsync(). This method accepts an enumerable of claims, so I gave it my new sub claim, but this caused some unknown error (I'm not sure why); when I gave it all the previous claims with the sub claim replaced, everything worked as I wanted it to.

var partialLogin = await OwinContext.Environment.GetIdentityServerPartialLoginAsync();
// Replace the "sub" claim on the partial-login identity itself, then persist the full claim set
partialLogin.RemoveClaim(partialLogin.FindFirst("sub"));
partialLogin.AddClaim(new Claim("sub", model.NewUsername));
await OwinContext.Environment.UpdatePartialLoginClaimsAsync(partialLogin.Claims);

The code above proved to be my solution.
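As an added example (not code from the question, the answer, or IdentityServer3 itself), here is a complete MVC controller action that carries the answer's approach through a first-login step: it refuses requests that do not arrive with a partial login, validates the new username against a user store before touching any claims, rebuilds the full claim set with the sub claim replaced (since the answer reports that passing only the new claim fails), persists it with UpdatePartialLoginClaimsAsync, and then redirects to the partial-login resume URL so IdentityServer issues the final sign-in with the new subject. IUserStore, TryRenameAsync and ChangeUsernameModel are hypothetical; Request.GetOwinContext() is assumed to come from Microsoft.Owin.Host.SystemWeb, and GetPartialLoginResumeUrlAsync and Constants.ClaimTypes.Subject are assumed to be the IdentityServer3 members of those names.

```csharp
// Added example: completing a "first login" step by replacing the sub claim on the
// partial login. Not the question's, the answer's, or IdentityServer3's own code.
// Assumptions: IUserStore / TryRenameAsync (hypothetical user store), ChangeUsernameModel
// (hypothetical view model), Request.GetOwinContext() from Microsoft.Owin.Host.SystemWeb,
// and the IdentityServer3 OWIN extension methods named below.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using IdentityServer3.Core;
using IdentityServer3.Core.Extensions;

public class ChangeUsernameModel
{
    public string NewUsername { get; set; }
}

// Hypothetical user store: renames the account and enforces uniqueness/format server-side.
public interface IUserStore
{
    Task<bool> TryRenameAsync(string currentSubject, string newUsername);
}

public class FirstLoginController : Controller
{
    private readonly IUserStore _users;

    public FirstLoginController(IUserStore users) { _users = users; }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> ChangeUsername(ChangeUsernameModel model)
    {
        var env = Request.GetOwinContext().Environment;

        // The partial login is carried in a cookie set by IdentityServer. If it is missing,
        // the user did not get here through a login, so there is nothing to update.
        var partialLogin = await env.GetIdentityServerPartialLoginAsync();
        if (partialLogin == null)
            return new HttpUnauthorizedResult();

        var oldSub = partialLogin.FindFirst(Constants.ClaimTypes.Subject);
        if (oldSub == null)
            return new HttpUnauthorizedResult();

        // Validate before touching claims: the new name is checked by the store, not trusted
        // from the form, so the subject cannot be pointed at another user's account.
        if (!ModelState.IsValid || !await _users.TryRenameAsync(oldSub.Value, model.NewUsername))
        {
            ModelState.AddModelError("NewUsername", "That username cannot be used.");
            return View(model);
        }

        // Rebuild the complete claim set: every existing claim except the old sub, plus the
        // new sub. The whole set is persisted, not just the changed claim.
        var claims = partialLogin.Claims
            .Where(c => c.Type != Constants.ClaimTypes.Subject)
            .Concat(new[] { new Claim(Constants.ClaimTypes.Subject, model.NewUsername) })
            .ToList();

        await env.UpdatePartialLoginClaimsAsync(claims);

        // Hand control back to IdentityServer so the final sign-in carries the new subject.
        var resumeUrl = await env.GetPartialLoginResumeUrlAsync();
        return Redirect(resumeUrl);
    }
}
```

The rename is committed to the user store before the claims are rewritten, so a failed rename leaves the partial login untouched and the user is shown the form again rather than being signed in under a subject that no account owns.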
