ClaimsPrincipal with custom UserManager doesn't work in razor pages - asp.net-core-5.0

I've an asp.net project that contains controller and razor pages together.
Asp.net Identity creates own area with razor pages as default with scaffolding.
Problem starts after login, in controller, I can use User keyword to see current user's claims like, Id, username, email.. without problem. When I call the User keyword in Identity pages, it comes with 0 claims inside and await userManager.GetUserAsync(User) returns null
I'm using built-in Sign-in Manager.
Am I missing something?
Update:
Profile pages working with ClaimsPrincipal, when I click to Setup Authenticator App link, it is coming with 0 claims as in image below.
It was working before, once I added Authenticator app into my account and removed it then started this problem.

It happens when 2 factor authentication enabled and when you login with 2fa and check remember this browser and remove 2fa from your account.
Clearing 2FA cookies fixes the problem
https://github.com/dotnet/aspnetcore/issues/5817#issuecomment-491818987

Related

How can I update a user's claims after they have logged in using ASP.NET Identity

I am working on a Blazor web application with ASP.NET Identity added to it.
The account register/login functionality has all been added as MVC out of the box.
After the user has logged in, they interact with the Blazor app.
After they have logged in, they can perform an action which adds a Claim to their user. The Claim is added and I can see it in the ASPNetUserClaims table.
The next time the user logs in, the Claim is available in the Blazor code and the server side code.
However, immediately after adding the Claim (before their next login and for the rest of their session) the Claim is not available by default, e.g. using authState.User.Claims in Blazor, or User.Claims in an ApiController.
I believe this is because the claims are written into the user's JWT token when they login, and saved in their browser.
Is there a way to update the JWT token in the user's browser if they make a request that changes their Claims? Ideally using ASP.NET Identity?

OutSystems PWA Azure AD Login

we have an OutSystems Mobile App (PWA)
We would like to add Azure AD SSO
We have tried Idp Mobile, but it is not for PWA
We have tried to embed in an iframe the login to login.microsoftonline.com, but it is not framable (CSP)
So we tried to follow this doc: https://learn.microsoft.com/it-it/graph/auth-v2-user
but again the html returned by the authorize api is not framable :(
is there a solution?
thanks
AAD does not permit framing of pages where credentials are entered as it requires user interaction. When you try Azure Active Directory (AAD) login page inside an iframe, you may go through errors due to defensive measures taken by AAD to prevent malicious attacks.
Some workarounds you may possibly try which may work in few cases.
Make sure reply urls set are same everywhere in app and in portal.
AAD has headers set to prevent their login page from being displayed in a frame.
prompt parameter indicates the type of user interaction that is required.Try setting it to none which means user interaction not required(if it is ok in your case).It is optional parameter added in login url in the iframe (&prompt=none).
Also &domain_hint={userdomain.com} is added at the end or url request where {userdomain.com} is the last part of the user's email address - e.g.user#userdomain.com > OAuth 2.0 authorization code flow | Microsoft Docs
Try to close and test few times to make sure it works and then login with work account in edge or chrome browser.(or from https://portal.office.com)
Reference:
aad-iframe | nafis.dev

How do I redirect a user to the page they initially came from before being prompted to login with Auth0?

I am using the Auth0 plugin on WordPress, and it seems that there is only one field in the settings to set the URL users are redirected to after logging in. However, I want to have them return to the page they were on prior to logging in (i.e., my WordPress site has multiple protected pages from which users are prompted to login with Auth0).
How do I make the redirect URL dynamic, or simply set it to the page they were previously on (the protected page)?
I've tried some redirect plugins but it seems that Auth0 always overrides them.
Any help would be greatly appreciated!
Solution can be found here: https://github.com/kevinvess/wp-force-login/issues/14
I installed the Force Login WordPress plugin (which protects all the pages on the site by default) and I whitelisted the homepage and pages I did not want protected with Auth0. Using the fix provided in the link above, I was able to get the redirect working.

Grails SpringSecurity Rest Basic auth + Login Form

I have the following problem in a Grails app with Spring Security (SSC). My app should provide some browseable pages as well as a Restful API.
While using the App with the Browser the App should display the Login-Form which is used by SSC and the Login/Logout Controller. But I also want to use alternativly a BasiAuthentication with the same URI.
For example: If I do a call to /myApp/testCall, coming from the Browser it should display the Login Form in case of a not already logged in user. If the user is logged in, it should process normally. But if I call /myApp/testCall with a Authorization Header then the App should recognize this and Authenticate the user by Basic Auth.
What I already got so far, whether the Basic Auth or the Login Form standalone, but not with this wanted bahviour. As soon as I activate the basiAuth in my App, it displays all the time the default Login form the Browser (Basic Auth Browser Login) but it should display the LoginForm.
Hope someone can help me solving this problem, I need somehow to put the Filter, which is responsible for displaying the Login Form in front of the Basic Auth Filter, but in the other case if I provide Basic Auth Credentials it should just log me in.
I had a similar question last week, not totally the answer to your question but it might help you get started. Would have added this as a comment but I don't have the rep.

Custom Authorize attribute for Facebook

I'm trying to create a custom Authorize attribute for my MVC 3 application. I know that there is a default FacebookAutorize attribute that checks if the user is logged in. The reason why I want to create a Custom attribute is that the user is able to create an account with Facebook or without (default membership) Facebook.
Now when the user is logged into facebook I want to get the connected membership account and call the FormsAuthentication.SetAuthCookie method to login.
When I run my application in VS2010 (F5) the user is not logged in so you get the login page. When I click the login button and redirect to the homecontroller index action I see in the custom attribute that the FacebookWebContext.Current.IsAuthenticated() methoded is true.
After I close the browser and hit F5 again in VS the website is navigated to the homecontroller index again. In that moment the custom authorize is called again and I see that the FacebookWebContext.Current.IsAuthenticated() returnes false.
Why is it false? I was already authenticated right?
Thanks
download the latest source code and checkout "CS-AspNetMvc3-WithoutJsSdk.sln" sample which demonstrates the use of FormsAuthentication and Facebook OAuth.