[Breaking change]: Access claims will be removed from ClaimsIdentity in V15 #18

Open
1 of 2 tasks
kjac opened this issue Jun 25, 2024 · 0 comments

kjac commented Jun 25, 2024

Description

The following claims will be removed from ClaimsIdentity in V15:

  • http://umbraco.org/2015/02/identity/claims/backoffice/startcontentnode
  • http://umbraco.org/2015/02/identity/claims/backoffice/startmedianode
  • http://umbraco.org/2015/02/identity/claims/backoffice/allowedapp

These claims correspond to these (now obsolete) security constants:

  • Umbraco.Cms.Core.Constants.Security.StartContentNodeIdClaimType
  • Umbraco.Cms.Core.Constants.Security.StartMediaNodeIdClaimType
  • Umbraco.Cms.Core.Constants.Security.AllowedApplicationsClaimType

Version

Umbraco 15

Previous behavior

The mentioned claims would be readily available for interpretation on ClaimsIdentity.

New behavior

The mentioned claims are no longer available on ClaimsIdentity.

Type of breaking change

  • Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load/execute or different run-time behavior.
  • Source incompatible: Source code may encounter a breaking change in behavior when targeting the new runtime/component/SDK, such as compile errors or different run-time behavior.

Reason for change

First and foremost, this change allows for smoother access changes for users of the Management API. At this time we're forced to revoke tokens when access changes, which is not an ideal behaviour for currently logged-in users.

Secondly, this change paves the way for facilitating external authorization for specific operations that are currently tied to the ClaimsIdentity claims.

Recommended action

To access the allowed sections of a user, go directly to IUser:

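```csharp
using Umbraco.Cms.Core.Models.Membership;
using Umbraco.Cms.Core.Services;

// Injected via the constructor.
private readonly IUserService _userService;

// Reads the allowed sections from the user record instead of from token claims.
private async Task<IEnumerable<string>?> GetAllowedSections(Guid userKey)
{
  IUser? user = await _userService.GetAsync(userKey);
  return user?.AllowedSections;
}
```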

To access the calculated user start nodes, use the UserExtensions:

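```csharp
using Umbraco.Cms.Core.Cache;
using Umbraco.Cms.Core.Models;
using Umbraco.Cms.Core.Models.Membership;
using Umbraco.Cms.Core.Services;
using Umbraco.Extensions;

// Injected via the constructor.
private readonly IEntityService _entityService;
private readonly AppCaches _appCaches;

private IEnumerable<int>? UserContentStartNodeIds(IUser user)
  => user.CalculateContentStartNodeIds(_entityService, _appCaches);

// Media start nodes come from CalculateMediaStartNodeIds, not the content variant.
private IEnumerable<int>? UserMediaStartNodeIds(IUser user)
  => user.CalculateMediaStartNodeIds(_entityService, _appCaches);
```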

Affected APIs

  • Umbraco.Extensions.ClaimsIdentityExtensions.GetStartContentNodes(this ClaimsIdentity identity)
  • Umbraco.Extensions.ClaimsIdentityExtensions.GetStartMediaNodes(this ClaimsIdentity identity)
  • Umbraco.Extensions.ClaimsIdentityExtensions.GetAllowedApplications(this ClaimsIdentity identity)
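
The following is an added example, not code from the issue or from Umbraco: a sketch of moving an access check off the removed claims and onto the `IUser` record, so that a changed permission applies on the next request and an unknown, unapproved or locked-out user is denied. The class `CurrentUserAccessChecker`, its method names and the simplified path check are assumptions made for illustration; only `IUserService.GetAsync`, `AllowedSections` and `CalculateContentStartNodeIds` come from the recommended action above.

```csharp
using System.Globalization;
using Umbraco.Cms.Core.Cache;
using Umbraco.Cms.Core.Models;
using Umbraco.Cms.Core.Models.Membership;
using Umbraco.Cms.Core.Services;
using Umbraco.Extensions;

// Hypothetical helper (not part of Umbraco): answers access questions from the
// stored user on every call instead of from claims frozen into a token.
public class CurrentUserAccessChecker(IUserService userService, IEntityService entityService, AppCaches appCaches)
{
    // Stands in for identity.GetAllowedApplications().Contains(sectionAlias).
    public async Task<bool> HasSectionAccessAsync(Guid userKey, string sectionAlias)
    {
        IUser? user = await GetActiveUserAsync(userKey);
        return user is not null && user.AllowedSections.Contains(sectionAlias);
    }

    // Stands in for checks built on identity.GetStartContentNodes(). contentPath is
    // the node's comma-separated ancestor path, e.g. "-1,1050,1062" (constructed sample).
    public async Task<bool> HasContentPathAccessAsync(Guid userKey, string contentPath)
    {
        IUser? user = await GetActiveUserAsync(userKey);
        IEnumerable<int>? startNodeIds = user?.CalculateContentStartNodeIds(entityService, appCaches);
        if (startNodeIds is null) return false; // no usable user: deny

        var pathIds = new HashSet<int>();
        foreach (string part in contentPath.Split(',', StringSplitOptions.TrimEntries))
        {
            if (!int.TryParse(part, NumberStyles.Integer, CultureInfo.InvariantCulture, out int id))
            {
                return false; // malformed path: deny rather than guess
            }
            pathIds.Add(id);
        }

        // Allowed when a start node is the node itself or one of its ancestors.
        return startNodeIds.Any(pathIds.Contains);
    }

    // Fail closed: a missing, unapproved or locked-out user gets no access.
    private async Task<IUser?> GetActiveUserAsync(Guid userKey)
    {
        IUser? user = await userService.GetAsync(userKey);
        return user is { IsApproved: true, IsLockedOut: false } ? user : null;
    }
}
```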