Storing a list of string in Claim (System.Security.Claims)

c# asp.net-mvc-5 wif owin claims-based-identity
systempuntoout picture systempuntoout · Jul 20, 2014 · Viewed 12.8k times · Source

I'm developing a web app with Asp.Net 5 MVC, Owin and Oauth2 bearer token as auth type.

I need to store a list of string "CODEFOO,CODBAR,CODEX,.." inside a System.Security.Claims.Claim with a custom claim Type.

When the user requests a token, this list of "user codes" is get from the back-end and set inside the identity using a specific custom claim type.
When the user sends the token back, navigating a specific MVC Action, the application has to check if the list of user codes inside the claim, contains a specific code.

List<string> userCodes = rep.GetUserCodeFromBackEnd();
string userCodesClaimType = "http://foo.it/claim/usercodesclaimtype";

Right now I'm serializing the list of string in JSON.

var claim = new Claim(userCodesCaimType, JsonConvert.SerializeObject(userCodes));

and get it back de-serializing it with something like this:

var userCodesClaim = identity.Claims.FirstOrDefault<Claim>(c=>c.Type == userCodesClaimType) ;
var userCodesClaimValue = JsonConvert.DeserializeObject<List<string>>(userCodesClaim.Value);

Now the question: is there a better way to store a list of values inside a claim?
Claim has a ValueType property which documentation says:

The ValueType property contains a string that identifies the type information of the value. This property can be used to understand the format of the value and to provide information about how to serialize and deserialize the value. If your solution requires complex value types, it is recommended that you use standard XML schema types in the ValueType property to indicate how the Value property is meant to be serialized and deserialized from a string.

Unluckily I have not found any example that documents the use of that property.
Is the Json serialization ok or should I use the ValueType approach?

Answer

Anders Abel picture Anders Abel · Jul 20, 2014

The ValueType is a way for your code to identify how the value is to be interpreted/deserialized, such as containing an XML schema type. If used between code from different sources, it makes sense, but in your own application you can just ignore it as long as you know how to interpret the contents.

But to have multiple values, you won't need to use complex types. A claims identity can have multiple claims with the same ClaimType, so instead of serializing the codes into a JSon string you should just add multiple claims; one for each user code. All having the same claim type. That will make it possible to use the HasClaim method for checking if a specific user code is present.

Related questions

Complex Claim Values in .NET Framework with System.Security.Claims

I'm developing a web app with Asp.Net 5 MVC, Owin and Oauth2 bearer token as auth type. Following this guide that adds a custom complex claim Json serialized to an instance of Microsoft.IdentityModel.Claims.ClaimsIdentity with success, I've tried …

Read More
ASP.NET MVC 5 - Identity. How to get current ApplicationUser

I have an Article entity in my project which has the ApplicationUser property named Author. How can I get the full object of currently logged ApplicationUser? While creating a new article, I have to set the Author property in Article …

Read More
How to get current user, and how to use User class in MVC5?

How can I get the id of the currently logged in user in MVC 5? I tried the StackOverflow suggestions, but they seem to be not for MVC 5. Also, what is the MVC 5 best practice of assigning stuff to the users? (…

Read More