How to define authorization policy? - asp.net-core-webapi

I get some idea about the policy based authorization in .NET 6.0 based on Microsoft article.
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-6.0
The article mentioned about to hard code the policy in the authorization attribute. I have REST API' and I want to assign permissions to them in some configuration for example in file and how can I can define the policy in the configuration what ingredients it should include so that I can load the policy from the file and then apply on startup to the authorization attribute. How to apply it to authorization attribute I see the following link Bind AuthorizationPolicy to Controller/Action without using AuthorizeAttribute
I am here only interested how I can define the polices in the configuration file(appsettings.json) what template or fields it should have. I know It will move it to database later but I need it for the proof of concepts. I am not sure do we really need to define the policy or we can define the permissions per API and then create policy automatically based on the API permission? Any help in this context will be appreciated.
Regards,
IK

I tried as below :
var policylist = new List<AuthOption>();
Configuration.GetSection("PolicyList").Bind(policylist);
services.AddAuthorization(options => {
policylist.ForEach(x =>
{
options.AddPolicy(x.PolicyName, policy =>
{
x.Requirement.ForEach(y =>
{
Type type = Type.GetType(System.Reflection.MethodBase.GetCurrentMethod().DeclaringType.Namespace+"."+y.RequirementName);
if (y.Inputs!=null)
{
var requirement = (IAuthorizationRequirement)Activator.CreateInstance(type,y.Inputs);
policy.AddRequirements(requirement);
}
else
{
var requirement = (IAuthorizationRequirement)Activator.CreateInstance(type);
policy.AddRequirements(requirement);
}
});
});
});
});
added some class:
public class AuthOption
{
public AuthOption()
{
Requirement = new List<Requirement>();
}
public string PolicyName { get; set; }
public List<Requirement> Requirement { get; set; }
}
public class Requirement
{
public string RequirementName { get; set; }
public string Inputs { get; set; }
}
public class MinimumAgeRequirement : IAuthorizationRequirement
{
public MinimumAgeRequirement(string minimumAge) =>
MinimumAge = minimumAge;
public string MinimumAge { get; }
}
public class AnotherRequirement : IAuthorizationRequirement
{
}
in appsettings.json:
"PolicyList": [
{
"PolicyName": "policy1",
"Requirement": [
{
"RequirementName": "MinimumAgeRequirement",
"Inputs": "21"
},
{
"RequirementName": "AnotherRequirement"
}
]
},
{
"PolicyName": "policy2",
"Requirement": [
{
"RequirementName": "AnotherRequirement"
}
]
}
]
Result:

Related

How to get API response key values in PascalCase as same as the object variable name in .net core 3.1 only for one controller or one function?

This is my Object Class
public class MyObject
{
Public string Var1 { get; set; }
Public string Var2 { get; set; }
}
This is a get function of my controller class
[HttpGet]
public IActionResult GetObjList()
{
return Ok(new GenericModel<List<MyObject>>
{
Data = myobjectList
});
}
The GenericModel contains
public class GenericModel<T>
{
public T Data { get; set; }
public string[] Errors { get; set; }
}
My expected result look like this
{
"Data": [
{
"Var1": "val1",
"Var2": "val2"
}
]
}
But I'm getting this,
{
"data": [
{
"var1": "val1",
"var2": "val2"
}
]
}
I just want to get the output key values as same as the object variables, (in PascalCase)
I tried the solutions to add "AddJsonOptions" into the Startup.cs but they did not work. And I want the response as Pascal case, only for this controller requests, not in all requests including other controllers. (Sounds odd, but I want to try it) Are there any solutions? Is is impossible?
There may be another solution but I suggest building ContentResult yourself with JsonSerializer:
[HttpGet]
public IActionResult GetObjList()
{
return this.Content(JsonSerializer.Serialize(yourResult, yourJsonOption), "application/json");
}
For Pascal Case serialization use this code in Startup.cs:
services.AddControllers().AddJsonOptions(options =>
{
options.JsonSerializerOptions.PropertyNamingPolicy= null;
);

Mix option pattern with connection strings

I would like to create a settings class for Event Hubs as follows:
public class EventHubsOptions
{
public string Name { get; set; }
public string ConsumerGroup { get; set; }
public string ConnectionString { get; set; }
}
Which I would then configure with the following:
services.Configure< EventHubsOptions >( Configuration.GetSection( "EventHubs" ) );
But that means I need to write my appsettings file as follows:
"EventHubs": {
"Name": "EventHubName",
"ConsumerGroup": "consumergroup",
"ConnectionString": "xxx"
}
Is there a way that would allow me to put the connection string within the ConnectionsStrings section of the appsettings? Something like this:
{
"EventHubs": {
"Name": "EventHubName",
"ConsumerGroup": "consumergroup"
},
"ConnectionStrings": {
"DefaultConnection": "xxx",
"EventHubsConnection" : "xxx",
"StorageConnection": "xxx"
}
}
How would I configure the EventHubsOptions class during startup?
You can try this way -
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddRazorPages();
services.Configure<EventHubsOptions>(Configuration.GetSection("EventHubs"));
// These are run after all Configure<TOptions>
services.PostConfigure<EventHubsOptions>(o =>
{
o.ConnectionString = Configuration.GetConnectionString("EventHubsConnection");
});
}
The PostConfigure can be used to override the configuration. More about it is available here.
Basically, we are overriding ConnectionString value after all configuring of TOptions is finished.

ASP.NET Core - Dynamic Policy Based Authorization

I'm developing a application that's relatively large. I want to implement permission level authorization in my application. I've developed this code which works for one permission but doesn't work for multiple permission.
Here is sample code:
Below enum indicates features that my application will provide:
public enum CppFeature
{
NotDefined = 0,
DistributorManagement = 1,
ChannelPartnerManagement = 2,
}
Below code indicates what permissions are supported in my application:
public enum CppPermission
{
NotDefined = 0,
View = 1,
Invite = 2,
Deactivate = 3,
List = 4,
Edit = 5,
Create = 6,
Approve = 7,
}
Finally a mapping is created in database which says which permissions are applicable in which feature...
|------------------------|------------------|
| Feature | Permission |
|------------------------|------------------|
| DistributorManagement | View |
|------------------------|------------------|
| DistributorManagement | Invite |
|------------------------|------------------|
|ChannelPartnerManagement| Create |
|------------------------|------------------|
A user then gets the ability to create a dynamic role and select permission from the mapping.
Later in my code, I've configured custom policies as below:
public class CppFeaturePermissionCheck
{
public CppFeature Feature { get; set; }
public List<CppPermission> Permission { get; set; }
}
public class CustomPolicyProvider : IAuthorizationPolicyProvider
{
public CustomPolicyProvider (IOptions<AuthorizationOptions> options)
{
DefaultPolicyProvider = new DefaultAuthorizationPolicyProvider(options);
}
public DefaultAuthorizationPolicyProvider DefaultPolicyProvider { get; }
public Task<AuthorizationPolicy> GetPolicyAsync(string policyName)
{
if (!string.IsNullOrEmpty(policyName))
{
var policy = new AuthorizationPolicyBuilder();
policy.AddRequirements(new CppAuthorizeRequirement(JsonConvert.DeserializeObject<List<CppFeaturePermissionCheck>>(policyName)));
return Task.FromResult(policy.Build());
}
return DefaultPolicyProvider.GetPolicyAsync(policyName);
}
public Task<AuthorizationPolicy> GetDefaultPolicyAsync()
{
return DefaultPolicyProvider.GetDefaultPolicyAsync();
}
}
public class CppAuthorizeRequirement : IAuthorizationRequirement
{
public CppAuthorizeRequirement(List<CppFeaturePermissionCheck> userPermission)
{
UserPermissions = userPermission;
}
public List<CppFeaturePermissionCheck> UserPermissions { get; set; }
}
public class CppAuthorizeAttribute : AuthorizeAttribute
{
public CppAuthorizeAttribute(CppFeature feature, CppPermission permission)
: this(new List<CppFeaturePermissionCheck>()
{
new CppFeaturePermissionCheck()
{
Feature = feature,
Permission = new List<CppPermission>()
{
permission,
},
},
})
{
}
// This ctor doesn't work since attributes can only have primitive types as parameter.
public CppAuthorizeAttribute(List<CppFeaturePermissionCheck> featurePermissions)
{
Policy = JsonConvert.SerializeObject(featurePermissions, Formatting.None);
}
}
[CppAuthorize(CppFeature.ChannelPartnerManagement, CppPermission.View)]
[HttpPost("channelpartnerlist")]
public async Task<IActionResult> PartnerList([FromBody]ChannelPartnerListRequestModel_V1 model)
{
try
{
//some work.
}
catch (CPPException ioe)
{
}
}
The problem is:
1. The attribute doesn't support parameter type of Array, List or Dictionary which would allow me to specify multiple permissions
Is there a better way by which I can specify whether a specific action is supported for specific permission in specific feature?

ASP.NET Core policy base Authorize with RequireUser with string array

I am creating policy base authorization and would like to allow multiple users in one policy to access webpage.
I created policy like shown below in start up file. Question, How can I use multiple usernames in one policy? I looked at the method for.RequireUserName, it is only accepting string username.
Policy name AdminServiceAccount is mostly I am interested in to add multiple users. If I use param .RequireUserName("DOMAIN\\USER1,DOMAIN\\USER2") will it work? I don't think so, but wanted to check if there is an alternative way.
services.AddAuthorization(
option =>
{
option.AddPolicy("Admin", policy => policy.RequireRole("Domain\\GroupName"));
option.AddPolicy("SuperAdminUser", policy => policy.RequireUserName("DOMAIN\\SuperAdminUser"));
option.AddPolicy("AdminServiceAccount", policy => policy.RequireUserName("DOMAIN\\USER1"));
}
);
UPDATE 1:
UPDATE 2:
So in my Controller, I added [Authorize(Policy = "UserNamesPolicy")] as show below:
[Authorize(Policy = "UserNamesPolicy")]
public class ServersController : Controller
{
private readonly ServerMatrixDbContext _context;
public ServersController(ServerMatrixDbContext context)
{
_context = context;
}
// GET: Servers
public async Task<IActionResult> Index()
{
// Some code here
return View();
}
}
Here is my startup file:
services.AddAuthorization(
option =>
{
option.AddPolicy("UserNamesPolicy",
policy => policy.Requirements.Add(new UserNamesRequirement("DOMAIN\\USER1", "DOMAIN\\USER2"))
);
}
);
services.AddSingleton<IAuthorizationHandler, UserNamesRequirement();
For .AddSingleTon in startup file I get below error:
Here is the handler class:
public class UserNamesHandler : AuthorizationHandler<UserNamesRequirement>
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, UserNamesRequirement requirement)
{
var userName = context.User.FindFirst(ClaimTypes.NameIdentifier).Value;
if (requirement.Users.ToList().Contains(userName))
context.Succeed(requirement);
return Task.FromResult(0);
}
}
Here is is the UserNamesRequirement class:
public class UserNamesRequirement : IAuthorizationRequirement
{
public UserNamesRequirement(params string[] UserNames)
{
Users = UserNames;
}
public string[] Users { get; set; }
}
UPDATE 3: SOLVED!!!!
Here are few changes that were added from update 2:
In UserNameshandler class changed var userName to get values from context.User.Identity.Name;
public class UserNamesHandler : AuthorizationHandler<UserNamesRequirement>
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, UserNamesRequirement requirement)
{
// var userName = context.User.FindFirst(ClaimTypes.NameIdentifier).Value;
var userName = context.User.Identity.Name;
if (requirement.Users.ToList().Contains(userName))
context.Succeed(requirement);
return Task.FromResult(0);
}
}
In StartUp class fixed from services.AddSingleton<IAuthorizationHandler, UserNamesRequirement>(); to services.AddSingleton<IAuthorizationHandler,UserNamesHandler>();
Thanks to Gevory. :)
public class UserNamesHandler : AuthorizationHandler<UserNamesRequirement>
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, UserNamesRequirement requirement)
{
var userName = context.User.Identity.Name;
if(requirement.UserNames.ToList().Contains(userName))
context.Succeed(requirement);
return Task.CompletedTask; // if it does not compile use Task.FromResult(0);
}
}
public class UserNamesRequirement : IAuthorizationRequirement
{
public UserNamesRequirement(params string[] userNames)
{
UserNames = userNames;
}
public string[] UserNames { get; set; }
}
in startup.cs add the following
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthorization(options =>
{
options.AddPolicy("UserNamesPolicy",
policy => policy.Requirements.Add(new UserNamesRequirement("ggg","dsds")));
});
services.AddSingleton<IAuthorizationHandler, UserNamesHandler>()
}
Just for anyone coming to this who wants a different approach, I battled with trying to get the UserNamesHandler to register properly, to no avail. So I solved this in a different way:
static readonly string[] myUserList = { "user1", "user2", "user3" };
options.AddPolicy( "MyNameListPolicy",
policy => policy.RequireAssertion(
context => myUserList.Contains( context.User.Identity.Name ) ) );
This worked fine for me.

EntityType 'IdentityUserLogin' has no key defined. Define the key for this EntityType

I am working with Entity Framework Code First and MVC 5. When I created my application with Individual User Accounts Authentication I was given an Account controller and along with it all the required classes and code that is needed to get the Indiv User Accounts authentication to work.
Among the code already in place was this:
public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
public ApplicationDbContext() : base("DXContext", throwIfV1Schema: false)
{
}
public static ApplicationDbContext Create()
{
return new ApplicationDbContext();
}
}
But then I went ahead and created my own context using code first, so I now have the following too:
public class DXContext : DbContext
{
public DXContext() : base("DXContext")
{
}
public DbSet<ApplicationUser> Users { get; set; }
public DbSet<IdentityRole> Roles { get; set; }
public DbSet<Artist> Artists { get; set; }
public DbSet<Paintings> Paintings { get; set; }
}
Finally I have the following seed method to add some data for me to work with whilst developing:
protected override void Seed(DXContext context)
{
try
{
if (!context.Roles.Any(r => r.Name == "Admin"))
{
var store = new RoleStore<IdentityRole>(context);
var manager = new RoleManager<IdentityRole>(store);
var role = new IdentityRole { Name = "Admin" };
manager.Create(role);
}
context.SaveChanges();
if (!context.Users.Any(u => u.UserName == "James"))
{
var store = new UserStore<ApplicationUser>(context);
var manager = new UserManager<ApplicationUser>(store);
var user = new ApplicationUser { UserName = "James" };
manager.Create(user, "ChangeAsap1#");
manager.AddToRole(user.Id, "Admin");
}
context.SaveChanges();
string userId = "";
userId = context.Users.FirstOrDefault().Id;
var artists = new List<Artist>
{
new Artist { FName = "Salvador", LName = "Dali", ImgURL = "http://i62.tinypic.com/ss8txxn.jpg", UrlFriendly = "salvador-dali", Verified = true, ApplicationUserId = userId },
};
artists.ForEach(a => context.Artists.Add(a));
context.SaveChanges();
var paintings = new List<Painting>
{
new Painting { Title = "The Persistence of Memory", ImgUrl = "http://i62.tinypic.com/xx8tssn.jpg", ArtistId = 1, Verified = true, ApplicationUserId = userId }
};
paintings.ForEach(p => context.Paintings.Add(p));
context.SaveChanges();
}
catch (DbEntityValidationException ex)
{
foreach (var validationErrors in ex.EntityValidationErrors)
{
foreach (var validationError in validationErrors.ValidationErrors)
{
Trace.TraceInformation("Property: {0} Error: {1}", validationError.PropertyName, validationError.ErrorMessage);
}
}
}
}
My solution builds fine, but when I try and access a controller that requires access to the database I get the following error:
DX.DOMAIN.Context.IdentityUserLogin: : EntityType 'IdentityUserLogin' has no key defined. Define the key for this EntityType.
DX.DOMAIN.Context.IdentityUserRole: : EntityType 'IdentityUserRole' has no key defined. Define the key for this EntityType.
What am I doing wrong? Is it because I have two contexts?
UPDATE
After reading Augusto's reply, I went with Option 3. Here is what my DXContext class looks like now:
public class DXContext : DbContext
{
public DXContext() : base("DXContext")
{
// remove default initializer
Database.SetInitializer<DXContext>(null);
Configuration.LazyLoadingEnabled = false;
Configuration.ProxyCreationEnabled = false;
}
public DbSet<User> Users { get; set; }
public DbSet<Role> Roles { get; set; }
public DbSet<Artist> Artists { get; set; }
public DbSet<Painting> Paintings { get; set; }
public static DXContext Create()
{
return new DXContext();
}
protected override void OnModelCreating(DbModelBuilder modelBuilder)
{
base.OnModelCreating(modelBuilder);
modelBuilder.Entity<User>().ToTable("Users");
modelBuilder.Entity<Role>().ToTable("Roles");
}
public DbQuery<T> Query<T>() where T : class
{
return Set<T>().AsNoTracking();
}
}
I also added a User.cs and a Role.cs class, they look like this:
public class User
{
public int Id { get; set; }
public string FName { get; set; }
public string LName { get; set; }
}
public class Role
{
public int Id { set; get; }
public string Name { set; get; }
}
I wasn't sure if I would need a password property on the user, since the default ApplicationUser has that and a bunch of other fields!
Anyways, the above change builds fine, but again I get this error when the application is ran:
Invalid Column name UserId
UserId is an integer property on my Artist.cs
In my case I had inherited from the IdentityDbContext correctly (with my own custom types and key defined) but had inadvertantly removed the call to the base class's OnModelCreating:
protected override void OnModelCreating(DbModelBuilder modelBuilder)
{
base.OnModelCreating(modelBuilder); // I had removed this
/// Rest of on model creating here.
}
Which then fixed up my missing indexes from the identity classes and I could then generate migrations and enable migrations appropriately.
The problem is that your ApplicationUser inherits from IdentityUser, which is defined like this:
IdentityUser : IdentityUser<string, IdentityUserLogin, IdentityUserRole, IdentityUserClaim>, IUser
....
public virtual ICollection<TRole> Roles { get; private set; }
public virtual ICollection<TClaim> Claims { get; private set; }
public virtual ICollection<TLogin> Logins { get; private set; }
and their primary keys are mapped in the method OnModelCreating of the class IdentityDbContext:
modelBuilder.Entity<TUserRole>()
.HasKey(r => new {r.UserId, r.RoleId})
.ToTable("AspNetUserRoles");
modelBuilder.Entity<TUserLogin>()
.HasKey(l => new {l.LoginProvider, l.ProviderKey, l.UserId})
.ToTable("AspNetUserLogins");
and as your DXContext doesn't derive from it, those keys don't get defined.
If you dig into the sources of Microsoft.AspNet.Identity.EntityFramework, you will understand everything.
I came across this situation some time ago, and I found three possible solutions (maybe there are more):
Use separate DbContexts against two different databases or the same database but different tables.
Merge your DXContext with ApplicationDbContext and use one database.
Use separate DbContexts against the same table and manage their migrations accordingly.
Option 1:
See update the bottom.
Option 2:
You will end up with a DbContext like this one:
public class DXContext : IdentityDbContext<User, Role,
int, UserLogin, UserRole, UserClaim>//: DbContext
{
public DXContext()
: base("name=DXContext")
{
Database.SetInitializer<DXContext>(null);// Remove default initializer
Configuration.ProxyCreationEnabled = false;
Configuration.LazyLoadingEnabled = false;
}
public static DXContext Create()
{
return new DXContext();
}
//Identity and Authorization
public DbSet<UserLogin> UserLogins { get; set; }
public DbSet<UserClaim> UserClaims { get; set; }
public DbSet<UserRole> UserRoles { get; set; }
// ... your custom DbSets
public DbSet<RoleOperation> RoleOperations { get; set; }
protected override void OnModelCreating(DbModelBuilder modelBuilder)
{
base.OnModelCreating(modelBuilder);
modelBuilder.Conventions.Remove<PluralizingTableNameConvention>();
modelBuilder.Conventions.Remove<OneToManyCascadeDeleteConvention>();
// Configure Asp Net Identity Tables
modelBuilder.Entity<User>().ToTable("User");
modelBuilder.Entity<User>().Property(u => u.PasswordHash).HasMaxLength(500);
modelBuilder.Entity<User>().Property(u => u.Stamp).HasMaxLength(500);
modelBuilder.Entity<User>().Property(u => u.PhoneNumber).HasMaxLength(50);
modelBuilder.Entity<Role>().ToTable("Role");
modelBuilder.Entity<UserRole>().ToTable("UserRole");
modelBuilder.Entity<UserLogin>().ToTable("UserLogin");
modelBuilder.Entity<UserClaim>().ToTable("UserClaim");
modelBuilder.Entity<UserClaim>().Property(u => u.ClaimType).HasMaxLength(150);
modelBuilder.Entity<UserClaim>().Property(u => u.ClaimValue).HasMaxLength(500);
}
}
Option 3:
You will have one DbContext equal to the option 2. Let's name it IdentityContext. And you will have another DbContext called DXContext:
public class DXContext : DbContext
{
public DXContext()
: base("name=DXContext") // connection string in the application configuration file.
{
Database.SetInitializer<DXContext>(null); // Remove default initializer
Configuration.LazyLoadingEnabled = false;
Configuration.ProxyCreationEnabled = false;
}
// Domain Model
public DbSet<User> Users { get; set; }
// ... other custom DbSets
public static DXContext Create()
{
return new DXContext();
}
protected override void OnModelCreating(DbModelBuilder modelBuilder)
{
base.OnModelCreating(modelBuilder);
modelBuilder.Conventions.Remove<PluralizingTableNameConvention>();
// IMPORTANT: we are mapping the entity User to the same table as the entity ApplicationUser
modelBuilder.Entity<User>().ToTable("User");
}
public DbQuery<T> Query<T>() where T : class
{
return Set<T>().AsNoTracking();
}
}
where User is:
public class User
{
public int Id { get; set; }
[Required, StringLength(100)]
public string Name { get; set; }
[Required, StringLength(128)]
public string SomeOtherColumn { get; set; }
}
With this solution, I'm mapping the entity User to the same table as the entity ApplicationUser.
Then, using Code First Migrations you'll need to generate the migrations for the IdentityContext and THEN for the DXContext, following this great post from Shailendra Chauhan: Code First Migrations with Multiple Data Contexts
You'll have to modify the migration generated for DXContext. Something like this depending on which properties are shared between ApplicationUser and User:
//CreateTable(
// "dbo.User",
// c => new
// {
// Id = c.Int(nullable: false, identity: true),
// Name = c.String(nullable: false, maxLength: 100),
// SomeOtherColumn = c.String(nullable: false, maxLength: 128),
// })
// .PrimaryKey(t => t.Id);
AddColumn("dbo.User", "SomeOtherColumn", c => c.String(nullable: false, maxLength: 128));
and then running the migrations in order (first the Identity migrations) from the global.asax or any other place of your application using this custom class:
public static class DXDatabaseMigrator
{
public static string ExecuteMigrations()
{
return string.Format("Identity migrations: {0}. DX migrations: {1}.", ExecuteIdentityMigrations(),
ExecuteDXMigrations());
}
private static string ExecuteIdentityMigrations()
{
IdentityMigrationConfiguration configuration = new IdentityMigrationConfiguration();
return RunMigrations(configuration);
}
private static string ExecuteDXMigrations()
{
DXMigrationConfiguration configuration = new DXMigrationConfiguration();
return RunMigrations(configuration);
}
private static string RunMigrations(DbMigrationsConfiguration configuration)
{
List<string> pendingMigrations;
try
{
DbMigrator migrator = new DbMigrator(configuration);
pendingMigrations = migrator.GetPendingMigrations().ToList(); // Just to be able to log which migrations were executed
if (pendingMigrations.Any())
migrator.Update();
}
catch (Exception e)
{
ExceptionManager.LogException(e);
return e.Message;
}
return !pendingMigrations.Any() ? "None" : string.Join(", ", pendingMigrations);
}
}
This way, my n-tier cross-cutting entities don't end up inheriting from AspNetIdentity classes, and therefore I don't have to import this framework in every project where I use them.
Sorry for the extensive post. I hope it could offer some guidance on this. I have already used options 2 and 3 in production environments.
UPDATE: Expand Option 1
For the last two projects I have used the 1st option: having an AspNetUser class that derives from IdentityUser, and a separate custom class called AppUser. In my case, the DbContexts are IdentityContext and DomainContext respectively. And I defined the Id of the AppUser like this:
public class AppUser : TrackableEntity
{
[Key, DatabaseGenerated(DatabaseGeneratedOption.None)]
// This Id is equal to the Id in the AspNetUser table and it's manually set.
public override int Id { get; set; }
(TrackableEntity is the custom abstract base class that I use in the overridden SaveChanges method of my DomainContext context)
I first create the AspNetUser and then the AppUser. The drawback with this approach is that you have ensured that your "CreateUser" functionality is transactional (remember that there will be two DbContexts calling SaveChanges separately). Using TransactionScope didn't work for me for some reason, so I ended up doing something ugly but that works for me:
IdentityResult identityResult = UserManager.Create(aspNetUser, model.Password);
if (!identityResult.Succeeded)
throw new TechnicalException("User creation didn't succeed", new LogObjectException(result));
AppUser appUser;
try
{
appUser = RegisterInAppUserTable(model, aspNetUser);
}
catch (Exception)
{
// Roll back
UserManager.Delete(aspNetUser);
throw;
}
(Please, if somebody comes with a better way of doing this part I appreciate commenting or proposing an edit to this answer)
The benefits are that you don't have to modify the migrations and you can use any crazy inheritance hierarchy over the AppUser without messing with the AspNetUser. And actually, I use Automatic Migrations for my IdentityContext (the context that derives from IdentityDbContext):
public sealed class IdentityMigrationConfiguration : DbMigrationsConfiguration<IdentityContext>
{
public IdentityMigrationConfiguration()
{
AutomaticMigrationsEnabled = true;
AutomaticMigrationDataLossAllowed = false;
}
protected override void Seed(IdentityContext context)
{
}
}
This approach also has the benefit of avoiding to have your n-tier cross-cutting entities inheriting from AspNetIdentity classes.
By Changing The DbContext As Below;
protected override void OnModelCreating(DbModelBuilder modelBuilder)
{
base.OnModelCreating(modelBuilder);
modelBuilder.Conventions.Remove<OneToManyCascadeDeleteConvention>();
modelBuilder.Conventions.Remove<ManyToManyCascadeDeleteConvention>();
}
Just adding in OnModelCreating method call to base.OnModelCreating(modelBuilder); and it becomes fine. I am using EF6.
Special Thanks To #The Senator
For those who use ASP.NET Identity 2.1 and have changed the primary key from the default string to either int or Guid, if you're still getting
EntityType 'xxxxUserLogin' has no key defined. Define the key for this EntityType.
EntityType 'xxxxUserRole' has no key defined. Define the key for this EntityType.
you probably just forgot to specify the new key type on IdentityDbContext:
public class AppIdentityDbContext : IdentityDbContext<
AppUser, AppRole, int, AppUserLogin, AppUserRole, AppUserClaim>
{
public AppIdentityDbContext()
: base("MY_CONNECTION_STRING")
{
}
......
}
If you just have
public class AppIdentityDbContext : IdentityDbContext
{
......
}
or even
public class AppIdentityDbContext : IdentityDbContext<AppUser>
{
......
}
you will get that 'no key defined' error when you are trying to add migrations or update the database.
protected override void OnModelCreating(ModelBuilder modelBuilder)
{
base.OnModelCreating(modelBuilder);
//foreach (var relationship in modelBuilder.Model.GetEntityTypes().SelectMany(e => e.GetForeignKeys()))
// relationship.DeleteBehavior = DeleteBehavior.Restrict;
modelBuilder.Entity<User>().ToTable("Users");
modelBuilder.Entity<IdentityRole<string>>().ToTable("Roles");
modelBuilder.Entity<IdentityUserToken<string>>().ToTable("UserTokens");
modelBuilder.Entity<IdentityUserClaim<string>>().ToTable("UserClaims");
modelBuilder.Entity<IdentityUserLogin<string>>().ToTable("UserLogins");
modelBuilder.Entity<IdentityRoleClaim<string>>().ToTable("RoleClaims");
modelBuilder.Entity<IdentityUserRole<string>>().ToTable("UserRoles");
}
}
My issue was similar - I had a new table i was creating that ahd to tie in to the identity users. After reading the above answers, realized it had to do with IsdentityUser and the inherited properites. I already had Identity set up as its own Context, so to avoid inherently tying the two together, rather than using the related user table as a true EF property, I set up a non-mapped property with the query to get the related entities. (DataManager is set up to retrieve the current context in which OtherEntity exists.)
[Table("UserOtherEntity")]
public partial class UserOtherEntity
{
public Guid UserOtherEntityId { get; set; }
[Required]
[StringLength(128)]
public string UserId { get; set; }
[Required]
public Guid OtherEntityId { get; set; }
public virtual OtherEntity OtherEntity { get; set; }
}
public partial class UserOtherEntity : DataManager
{
public static IEnumerable<OtherEntity> GetOtherEntitiesByUserId(string userId)
{
return Connect2Context.UserOtherEntities.Where(ue => ue.UserId == userId).Select(ue => ue.OtherEntity);
}
}
public partial class ApplicationUser : IdentityUser
{
public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser> manager)
{
// Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType
var userIdentity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);
// Add custom user claims here
return userIdentity;
}
[NotMapped]
public IEnumerable<OtherEntity> OtherEntities
{
get
{
return UserOtherEntities.GetOtherEntitiesByUserId(this.Id);
}
}
}

Resources