How do I remove an existing claim from a ClaimsPrinciple?

Greg Mason picture Greg Mason · Mar 21, 2014 · Viewed 27.1k times · Source

I am making a developer tool for impersonating Roles for an intranet site to allow developers to quickly act as any Role as needed. Roles defined are Developer, Team Lead, Team Member, Engineering, Marketing, Guest and a tool on the web page makes a call to a Web Api to add or remove the Claim... well I can add but can't seem to find out where the .RemoveClaim(claim) or .TryRemoveClaim(claim) can be accessed to get this working. Do I have to create a custom claims manager to get this functionality or am I missing something?

I have been looking at System.Security.Claims and almost everything else seems to work very straightforward and there is no reference as to needing extensive work to do what I need.

I am using VS 2013/Web Api2 with .NET 4.5.1.

The website side just uses a simple ajax call to PUT and DELETE functionality till I get this to work the way I want. From the Controller, my cs code is as:

    public void Put(int id, [FromBody]string role)
    {
        if (FindClaim(role) != null) return;

        var user = HttpContext.Current.User as ClaimsPrincipal;
        if (user == null) return;

        var claimId = new ClaimsIdentity();
        claimId.AddClaim(new Claim(ClaimTypes.Role, role));
        user.AddIdentity(claimId);
    }

    // DELETE api/devroleadjuster/5
    public void Delete(int id, [FromBody]string role)
    {
        var claim = FindClaim(role);
        if (claim == null) return;

        var user = HttpContext.Current.User as ClaimsPrincipal;
        if (user == null)  return;

        // Why can't I do this????
        user.RemoveClaim(claim);
    }

    private Claim FindClaim(string role)
    {
        try
        {
            var user = HttpContext.Current.User as ClaimsPrincipal;
            var claim = (from c in user.Claims
                         where c.Value == role
                         select c).Single();
            return claim;
        }
        catch (InvalidOperationException)
        {
            return null;
        }
    }

The Put works just fine, the problem is with the Delete portion of my code... I want to use the user.RemoveClaim(claim); code or something like it... I can't see why I can't according to MSDN, and I can't find any example code for removing a claim.

Answer

Badri picture Badri · Mar 22, 2014

You should use identity to add or remove a claim. Try this to add a claim.

var user = User as ClaimsPrincipal;
var identity = user.Identity as ClaimsIdentity;
identity.AddClaim(new Claim(ClaimTypes.Role, "somenewrole"));

To remove a claim,

var user = User as ClaimsPrincipal;
var identity = user.Identity as ClaimsIdentity;
var claim = (from c in user.Claims
                         where c.Value == "somenewrole"
                         select c).Single();
identity.RemoveClaim(claim);

BTW, it is better to use User from your controller instead of HttpContext.Current.User.