Dynamic Claims
When a client authenticates and obtains an access token or an authentication cookie, the claims in that token or cookie are not changed unless it re-authenticates. For most of the claims, that may not be a problem since claims are not frequently changing values. However, some claims may be changed and these changes should be reflected to the current session immediately. For example, we can revoke a role from a user and that should be immediately effective, otherwise user will continue to use that role's permissions until re-login to the application.
ABP's dynamic claims feature is used to automatically and dynamically override the configured claim values in the client's authentication token/cookie by the latest values of these claims.
How to Use
This feature is disabled by default. You should enable it for your application and use the Dynamic Claims middleware.
Beginning from the v8.0, all the startup templates are pre-configured and the dynamic claims feature is enabled by default. So, if you have created a solution with v8.0 and above, you don't need to make any configuration. Follow the instructions only if you've upgraded from a version lower than 8.0.
Enabling the Dynamic Claims
You can enable it by the following code:
public override void ConfigureServices(ServiceConfigurationContext context)
{
context.Services.Configure<AbpClaimsPrincipalFactoryOptions>(options =>
{
options.IsDynamicClaimsEnabled = true;
});
}
This is typically done on the authentication server. In a monolith application, you will typically have a single application, so you can configure it. If you are using the tiered solution structure (where the UI part is hosted in a separate application) you will need to also set the RemoteRefreshUrl
to the Authentication Server's URL in the UI application. Example:
public override void ConfigureServices(ServiceConfigurationContext context)
{
context.Services.Configure<AbpClaimsPrincipalFactoryOptions>(options =>
{
options.IsDynamicClaimsEnabled = true;
options.RemoteRefreshUrl = configuration["AuthServerUrl"] + options.RemoteRefreshUrl;
});
}
The
RemoteRefreshUrl
is already configured inside methodsAddAbpOpenIdConnect
andAddAbpJwtBearer
.
The Dynamic Claims Middleware
Add the DynamicClaims
middleware to all the applications that performs authentication (including the authentication server):
public override void OnApplicationInitialization(
ApplicationInitializationContext context)
{
//...
app.UseDynamicClaims(); // Add this line before UseAuthorization.
app.UseAuthorization();
//...
}
How It Works
The DynamicClaims
middleware will use IAbpClaimsPrincipalFactory
to dynamically generate claims for the current user(HttpContext.User
) in each request.
There are three pre-built implementations of IAbpDynamicClaimsPrincipalContributor
for different scenarios:
IdentityDynamicClaimsPrincipalContributor
: Provided by the Identity module and generates and overrides the actual dynamic claims, and writes to the distributed cache. Typically works in the authentication server in a distributed system.RemoteDynamicClaimsPrincipalContributor
: For distributed scenarios, this implementation works in the UI application. It tries to get dynamic claim values in the distributed cache. If not found in the distributed cache, it makes an HTTP call to the authentication server and requests filling it by the authentication server.AbpClaimsPrincipalFactoryOptions.RemoteRefreshUrl
should be properly configure to make it running.WebRemoteDynamicClaimsPrincipalContributor
: Similar to theRemoteDynamicClaimsPrincipalContributor
but works in the microservice applications.
IAbpDynamicClaimsPrincipalContributor
If you want to add your own dynamic claims contributor, you can create a class that implement the IAbpDynamicClaimsPrincipalContributor
interface (and register it to the dependency injection system. ABP will call the ContributeAsync
method to get the claims. It better to use a kind of cache to improve the performance since that is a frequently executed method (in every HTTP request).
AbpClaimsPrincipalFactoryOptions
AbpClaimsPrincipalFactoryOptions
is the main options class to configure the behavior of the dynamic claims system. It has the following properties:
IsDynamicClaimsEnabled
: Enable or disable the dynamic claims feature.RemoteRefreshUrl
: Theurl
of the Auth Server to refresh the cache. It will be used by theRemoteDynamicClaimsPrincipalContributor
. The default value is/api/account/dynamic-claims/refresh
and you should provide the full URL in the authentication server, likehttp://my-account-server/api/account/dynamic-claims/refresh
.DynamicClaims
: A list of dynamic claim types. Only the claims in that list will be overridden by the dynamic claims system.ClaimsMap
: A dictionary to map the claim types. This is used when the claim types are different between the Auth Server and the client. Already set up for common claim types by default.
WebRemoteDynamicClaimsPrincipalContributorOptions
WebRemoteDynamicClaimsPrincipalContributorOptions
is the options class to configure the behavior of the WebRemoteDynamicClaimsPrincipalContributor
. It has the following properties:
IsEnabled
: Enable or disable theWebRemoteDynamicClaimsPrincipalContributor
.false
by default.AuthenticationScheme
: The authentication scheme to authenticate the HTTP call to the authentication server.