miltador / aspnetcore.identity.dynamodb Goto Github PK

https://github.com/aspnet/Identity/blob/dev/src/Microsoft.AspNetCore.Identity/RoleManager.cs#L168

we don't allow the normalized role name to change for good reason,
but the role manager depends on this function succeeding.

also if the user has chosen a different ILookupNormalizer than the normal UpperInvariantNormalizer, the default initialisation of NormalizedRoleName in DynamoIdentityRole will not match the expected normalized role name.

Hello,

This is a great project. However, it seems that IdentityOptions have move on and no longer have the Cookies extension.

Any thoughts on how to solve this?

var id = new ClaimsIdentity(Options.Cookies.ApplicationCookieAuthenticationScheme,
                    Options.ClaimsIdentity.UserNameClaimType,
                    Options.ClaimsIdentity.RoleClaimType);

Regards,

Daniel

In the sample project's account manager I'm trying this so I can lookup email instead of name:

var user = await _userManager.FindByEmailAsync(model.Email);
await _signInManager.PasswordSignInAsync(user, ...)

which does a _context.LoadAsync(normalizedEmail)

I can't get that to work with the GSI -- it just returns null. Is it hitting the users table instead of the index?

so I tried changing it to use the Document model Query method:

Table table = Table.LoadTable(_client, Constants.DefaultTableName);
QueryOperationConfig config = new QueryOperationConfig() 
{
    IndexName = "Email.NormalizedValue-DeletedOn-index",
    KeyExpression = new Expression()
    {
        ExpressionStatement = "Email.NormalizedValue = :e",
        ExpressionAttributeValues = new Dictionary<string, DynamoDBEntry> {
            {":e", new Primitive(normalizedEmail)}
        }
    }
};
Search search = table.Query(config);
var results = await search.GetNextSetAsync(cancellationToken);
var userDocument = results.FirstOrDefault();
user = _context.FromDocument<TUser>(userDocument);

That rejects the KeyExpression because it is on a nested attribute of the Email Map attribute.

Any tips?

(testing this with the dynamodb docker container fwiw)

DynamoDB tables for users and roles are created using the names in appsettings.json. However, the dll is using set values (constants) for the table names: [DynamoDBTable("users")], [DynamoDBTable("roles")].

I have tried to update the asp .net core and identity to 3.1.0 and 2.2.0 respectively. But I am getting errors in the startup file.

UserStore, RoleStore, and RoleUserStore initialization can fail if there are more than 100 dynamoDb tables in an AWS account. The ListTablesAsync() method that is ran in the EnsureInitializedAsync() methods returns paged results (100 per page), but this library only takes the first page. Since that method is used to determine if a table already exists, it will sometimes think the table does not exist when it actually does. The table is then attempted to be created but results in an error as it's already there.

This can be fixed by simply running through all the pages of the ListTablesAsync() result before checking to see if the table exists or not.

Are there any plans to update this for Identity 2 ? I cant get it to compile in a .net 2 app using Identity 2. Mostly errors like : The type or namespace name 'Claim' could not be found.

both users and roles have the same pattern for storing claims,
and they both require that the claim types and the claim values are a set of unique items
(dynamodb does not allow inserting duplicates into a string set).

I think this is too restrictive and it denies legitimate uses of claims:
e.g. http://benfoster.io/blog/asp-net-identity-role-claims

https://docs.microsoft.com/en-us/aspnet/core/security/authorization/claims
f.t.a:
"An identity can contain multiple claims with multiple values and can contain multiple claims of the same type."