User Authorization in ASP.NET Core with Okta

User Authorization in ASP.NET Core with Okta

Learn how to map your Okta Groups to Roles claims and let the regular ASP.NET AuthorizeAttribute handle authorization.

NewIntellectual

Thanks for the article. Note that Microsoft made some changes between .Net Core 1 and 2. Here’s some updated code for .Net Core 2 (note use of references to entries in appsettings.json for OrgUrl and Token):

public class GroupsToRolesTransformer : IClaimsTransformation {
private OktaClient client;

public GroupsToRolesTransformer() {
client = new OktaClient(new OktaClientConfiguration {
OrgUrl = Startup.Configuration[“okta:orgUrl”],
Token = Startup.Configuration[“okta:apiToken”]
});
}

public async Task<claimsprincipal> TransformAsync(ClaimsPrincipal iprincipal) {
var idClaim = iprincipal.FindFirst(x => x.Type == ClaimTypes.NameIdentifier);
if (idClaim != null) {
var user = await client.Users.GetUserAsync(idClaim.Value);
if (user != null) {
var groups = user.Groups.ToEnumerable();
foreach (var group in groups) {
((ClaimsIdentity)iprincipal.Identity).AddClaim(new Claim(ClaimTypes.Role, group.Profile.Name));
}
}
}
return iprincipal;
}
}

==================

Also, remove:

app.UseClaimsTransformation(new ClaimsTransformationOptions{
Transformer = new GroupsToRolesTransformer()
});

and put this in the ConfigureServices method in Startup.cs instead:

services.AddTransient< IClaimsTransformation, GroupsToRolesTransformer >();

==================

NewIntellectual

I posted a complete code update to this example for .Net Core 2, and it’s now gone. Was it deleted?

Nate Barbettini

Hey! I saw your comment initially but now it’s gone. I’m not sure why. Sorry about that

Mind posting as a Github gist instead? Disqus may have barfed at the comment size or something.

Chris Becke

This is complicated. Rather than calling the Okta API you can do this via the JWT. Just add a claim called “roles” to your authorization server and give it a rule to populate it with the group(s) of interest. Add that claim to a new or existing scope and ensure the app asks for that scope when performing its OpenID authorization flow. The Okta Dotnet core library automatically maps the roles from the JWT roles claim to the Controller.User object that represents the current security principal so you can go wild with [Authorize(Roles="")] without writing any custom adapters or transformers, or even worrying about the performance implications of calling the Okta api per call to your own endpoints.

Sadjad Bahmanpour

Is there a such notion as common end point in okta? I need to setup asp.net core auth stack to be used by a multi-tenant application, so we don’t know the organization url at startup time, we know when they login. I’m looking for some like what AAD has https://login.microsoftonli… where I don’t need to provide organization/tenant name and let auth provider to take care of it for me.

Richard Corkery

This helped me a lot. Thanks for the post.

Bhavya Khanna

Need your help in .net code (MVC web application) for implement openidconnect withokta.
I am new in this and unable to know how to start .
I have knowledge about OAuth2.0 and OPenID Connect protocol but code side not understand from how to start.
Please help me.

Rajiv P

Anyone can guide me on how to do it in asp.net webforms application? I was able to complete the login however I don’t know how to add roles to logged in user?

Rajiv P

Hello Chris, can you please tell me how to add roles via the JWT as you suggest above. I have already tried this but doesn’t seems to work
var claims = new List<claim>(userInfoResponse.Claims)
{
new Claim(“id_token”, tokenResponse.IdentityToken),
new Claim(“access_token”, tokenResponse.AccessToken),
new Claim(ClaimTypes.Role, “standard”) // yes hardcoded it but it actually will come from groups.
};

n.AuthenticationTicket.Identity.AddClaims(claims);
My Webconfig in one folder (for roles) has this
<system.web>
<authorization>
<allow roles=“standard,admin”/>
<deny users="*"/>
</authorization>
</system.web>

Things are tougher as this is done in asp.net webforms application. its a 12 yr old application and most support is available for asp.net core Any help is highly appreciated.

Hariharan Nagalingam

Do we have a similar sample in ASPNET CORE 3.0 WebAPI

shravan Kumar

even am looking for Asp.Net Core Web API, please tell me did you find any or did you implement?

I am looking for User Authorization (ASP.NET Identity Role based) in ASP.NET 4.8 framework with Okta. Can anybody suggest the article or steps for that please?