In this article, we are going to see different ways to get the currently authenticated user using claims in ASP.NET Core. The code for this article is based on the respective code from the article on Authentication with ASP.NET Core Web API.
Let’s start.
Getting the Current User With Claims in Controllers
Claims-based identity is a way to keep information about a user. A claim is a key-value pair that is assigned to a user by a trusted source. A claim defines what the user is, in contrast to what the user can do. An identity can contain multiple claims; examples are the user’s id, name, and email, to name but a few.
Inside a controller, we can directly access the User property, which is of type ClaimsPrincipal.
Let’s use this object in order to get the claims it contains:
[HttpGet, Authorize]
public IEnumerable<string> Get()
{
Console.WriteLine("User Id: " + User.FindFirstValue(ClaimTypes.NameIdentifier));
Console.WriteLine("Username: " + User.FindFirstValue(ClaimTypes.Name));
Console.WriteLine("Role: " + User.FindFirstValue(ClaimTypes.Role));
Console.WriteLine("First name: " + User.FindFirstValue("firstname"));
Console.WriteLine("Last name: " + User.FindFirstValue("lastname"));
return _service.GetCustomers();
}
Note that we can also get the custom claims that we have defined, i.e. claims that provide the first and last name of the user.
However, there is a catch. Let’s try to get the current user inside the Controller’s constructor:
public class CustomersController : ControllerBase
{
private readonly ICustomerService _service;
public CustomersController(ICustomerService service)
{
_service = service;
Console.WriteLine("User Id: " + User.FindFirstValue(ClaimTypes.NameIdentifier));
Console.WriteLine("Username: " + User.FindFirstValue(ClaimTypes.Name));
}
...
}
As a result, we realize that the User property inside the constructor is null. Fortunately, there is a way to get the User property here, by injecting an object that implements the IHttpContextAccessor interface:
public class CustomersController : ControllerBase
{
private readonly IHttpContextAccessor _httpContextAccessor;
private readonly ICustomerService _service;
public CustomersController(IHttpContextAccessor httpContextAccessor,
ICustomerService service)
{
_httpContextAccessor = httpContextAccessor;
_service = service;
Console.WriteLine("User Id: " +
_httpContextAccessor.HttpContext?.User.FindFirstValue(ClaimTypes.NameIdentifier));
Console.WriteLine("Username: " +
_httpContextAccessor.HttpContext?.User.FindFirstValue(ClaimTypes.Name));
}
...
}
Through the IHttpContextAccessor interface, we can get the HttpContext object and from there we are able to access the User object and its claims.
Finally, let’s instruct the Program class to make IHttpContextAccessor available to our classes:
builder.Services.AddHttpContextAccessor();
Getting the Current User With Claims in Other Classes
Let’s consider the case of the CustomersService class, where we need to get information about the current user. Since we are not inside a controller, we do not have direct access to the User property:
public class CustomerService: ICustomerService
{
private readonly IHttpContextAccessor _httpContextAccessor;
public CustomerService(IHttpContextAccessor httpContextAccessor)
{
_httpContextAccessor = httpContextAccessor;
}
public IEnumerable<string> GetCustomers()
{
Console.WriteLine("User Id: " +
_httpContextAccessor.HttpContext?.User.FindFirstValue(ClaimTypes.NameIdentifier));
Console.WriteLine("Username: " +
_httpContextAccessor.HttpContext?.User.FindFirstValue(ClaimTypes.Name));
return new string[] { "John Doe", "Jane Doe" };
}
}
Luckily, we solve the issue inject by injecting an IHttpContextAccessor object into the service and get the claims of the current user.
Conclusion
In this article, we have seen how we may get the current user, in various parts of our web application (controllers and other classes).
