ASP.NET Web API2 Framework 4.5.2 access app_metadata

adamaero · December 2, 2017, 7:42am

I can’t figure out how to access app_metadata property in my controller (ASP.NET WebAPI 2) .
I added CMP_KEY in app_metadata for all users…

Here is what I’ve tried so far:
//get userID from access_token(WORKS !):
var claimsIdentity = User.Identity as ClaimsIdentity;
string userID = claimsIdentity.Claims.FirstOrDefault(c => c.Type == System.IdentityModel.Claims.ClaimTypes.NameIdentifier).Value;
//get CMP_KEY from Auth0 app_metadata (NOT WORKING - ALWAYS Null)
string lc_cmp_key = claimsIdentity.Claims.FirstOrDefault(c => c.Type == “https://my_domain.com/CMP_KEY”)?.Value;
string lc_cmp_key2 = claimsIdentity.Claims.FirstOrDefault(c => c.Type == “CMP_KEY”)?.Value;
string lc_cmp_key3 = ClaimsPrincipal.Current.FindFirst(“CMP_KEY”)?.Value;

Any help appreciated !

jmangelo · December 4, 2017, 8:01pm

Have in mind that you should add the custom claims you want to be available in the access token through rules; it is not enough to add a property to the app_metadata. From the provided information it is not clear if you really setup the rule or not.

I tried with my local environment which is running ASP .NET Web API 2 in OWIN and it worked as expected.

In particular, if I added the following rule to the list of rules to be executed:

function (user, context, callback) {
  context.accessToken"https://example.com/CMP_KEY"] = "CMP01";
  
  callback(null, user, context);
}

Proceeded to perform an end-user login that requested an access token for my API (used a resource owner password credentials grant for simplicity) I obtained an access token with this payload:

{
  "https://example.com/CMP_KEY": "CMP01",
  "iss": "https://[your_domain].auth0.com/",
  "sub": "auth0|5a2532444778270fa",
  "aud": "https://dotnetowinapi.example.com",
  "iat": 1512387660,
  "exp": 1512474060,
  "azp": "kPtiQTNwnhwqEwYFQ2NFtfUiIG",
  "scope": "read:values create:values",
  "gty": "password"
}

Finally, after configuring the API to process the access token issued by my Auth0 service and adding the authorize attribute to my controller I was able to access my custom claim using:

string key = ClaimsPrincipal.Current.Claims.FirstOrDefault(c => c.Type == "https://example.com/CMP_KEY")?.Value;