How to access userId inside claims in WCF Service

Hello All,

I have a WCF based service. I want to access roles inside the WCF Service. So we will be using the User Management API to get roles. But to hit the endpoint to get roles, I need to have access to the user id of the logged on user. I want to modify claims so that when I access the claims on the WCF side, I should be able to access that. I can use an http header but would like to know if there is a way. I have tried an action but I cannot access userId in the method. Any input would be helpful.

Hey there @SiddarthaPal welcome to the community!

Does your WCF service have access to the user’s ID and/or access token? The userId is just the sub claim of either token.

I have passed the access token from the WCF Client through an http header. On the WCF client side, I have access to the email at the moment. So I have used the API to get the user ID from the user management api and am passing it through the header. This is my plan B which I have implemented (Plan A would be better). So using the user ID, on the WCF service side I will be able to access roles and permissions.

Thanks for confirming - You should be able to get permissions as a claim in the access token directly and therefore avoid the need to make any extra API call.

It’s worth noting that it is common practice to infer roles from permissions - That is, once you have permissions in a user’s access tokens it shouldn’t be necessary to also get the roles.

You can also add roles directly to the user’s access token or ID token as a custom claim by way of an Action:

exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://my-app.example.com';

  if (event.authorization) {
    api.accessToken.setCustomClaim(namespace, event.authorization.roles);
    api.idToken.setCustomClaim(namespace, event.authorization.roles);
  }
};

Please note the WCF client is not configured on the oAuth0 Portal.
Inside the WCF service we are not able to access roles in claims.
var claimsPrincipal = tokenHandler.ValidateToken(token, validationParameters, out validatedToken);
var claims = claimsPrincipal.Claims;
In the variable claims, we are not able to access the roles.
This is one action we have:-
exports.onExecutePostLogin = async (event, api) => {
  const roleClaim = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role';
  const emailClaim = 'http://mca.ca/2023/identity/claims/email';

  if (event.authorization) {
    api.idToken.setCustomClaim(roleClaim, event.authorization.roles);
    api.idToken.setCustomClaim(emailClaim, event.user.email);
    api.accessToken.setCustomClaim(roleClaim, event.authorization.roles);
  }
};

The following action is machine-to-machine:
exports.onExecuteCredentialsExchange = async (event, api) => {
  api.accessToken.setCustomClaim('ipAddress', event.request.ip);
  api.accessToken.setCustomClaim('clientName', event.client.name);
  // accessible in claims on the back end
  console.log('ipAddress', event.request.ip);
  // coming in logs
  console.log('MD::-->', event.client.metadata.REQUIRE_MFA);

  console.log('mfa::-->', event.client.metadata.mfa);
};

We don't have access to roles here.

Let me share the requirement:-
We have Roles on the Portal and Roles have associated Permissions. And roles are attached to users. Once we hit the WCF endpoint, we want to have authorization working on the WCF side based on the configuration I shared at the start. What we are planning is that we will access roles and permissions, we will have a mapping in an XML file on the WCF side, and we will decide if access should be there or not. E.g. I have an Admin Role and with that I have a permission called "read". GetToken is a method on the WCF side. So on the WCF side we will build our logic: if a user is in the role of Admin and has the permission called "read", allow the GetToken method to process the request, else throw the exception "Not Authorized". Let me know your opinion on this.
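As an added example (not code from this thread or from Auth0), here is the role-plus-permission gate described in the post above, evaluated in JavaScript over the claims of an access token that has already been validated (the WCF side does that with ValidateToken before reading .Claims). The POLICY object stands in for the XML mapping, the role claim URI is the one used in the Action above, `permissions` is the claim Auth0 RBAC adds to access tokens, and all sample claim sets are constructed.

```javascript
// Claim URI used for roles in the Action posted in this thread.
const ROLE_CLAIM = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role';

// Stand-in for the XML mapping on the WCF side: method -> required role and permission.
// Values are constructed for the example.
const POLICY = {
  GetToken: { role: 'Admin', permission: 'read' },
};

// A JWT claim may be absent, a single string, or an array; normalise to an array.
function asList(value) {
  if (value === undefined || value === null) return [];
  return Array.isArray(value) ? value : [value];
}

// Decide whether the caller may invoke `method`. Fails closed on anything unexpected.
// `claims` is the decoded payload of an access token whose signature, issuer,
// audience and expiry were already checked by the token handler.
function authorize(claims, method) {
  const rule = POLICY[method];
  if (!rule) return { allowed: false, reason: `no policy for ${method}` };

  const roles = asList(claims[ROLE_CLAIM]);
  const perms = asList(claims.permissions);

  // A client-credentials (machine-to-machine) token carries no user, so the
  // post-login Action never ran and there are no roles: deny rather than guess.
  if (roles.length === 0) return { allowed: false, reason: 'token carries no roles' };
  if (!roles.includes(rule.role)) return { allowed: false, reason: `missing role ${rule.role}` };
  if (!perms.includes(rule.permission)) {
    return { allowed: false, reason: `missing permission ${rule.permission}` };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample claim sets shaped like Auth0 access-token payloads.
const adminClaims = { sub: 'auth0|user-placeholder', [ROLE_CLAIM]: ['Admin'], permissions: ['read'] };
const readerClaims = { sub: 'auth0|user2-placeholder', [ROLE_CLAIM]: 'Reader', permissions: ['read'] };
const m2mClaims = { sub: 'client-id-placeholder@clients', ipAddress: '203.0.113.7', clientName: 'wcf-client' };

for (const c of [adminClaims, readerClaims, m2mClaims]) {
  console.log(c.sub, authorize(c, 'GetToken'));
}
```

Only the admin claim set passes; the machine-to-machine token is refused because it has no role claim at all, which is the situation the credentials-exchange Action above runs into.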

Any response on this?