Update Claims after Authentication



This is not necessarily and EpiServer issue but am trying to find a solution to this and was thinking if any of us might have ran in this issue.

My site uses multiple authentication schemes (CookieAuthentication for Web and JwtBearerAuthentication for Content Delivery API). For some reason I have to add custom claims after the token validation is complete and couldn't find a way to do it. This is classic MVC site with framework 4.7.2. I saw something like this can be done in asp.net core but if anyone has ran into such scenarios would like to hear any inputs.

Below is the sample code for token validation.

            new JwtBearerAuthenticationOptions
                TokenHandler = new ValidateJwtSecurityTokenHandlerforLogs(_loggingService, _environment),
                AuthenticationMode = AuthenticationMode.Active,
                TokenValidationParameters = new TokenValidationParameters()
                    NameClaimType = JwtClaimTypes.Name, 
                    RoleClaimType = OpenIDConfiguration.Permission, 
                    ValidateAudience = false, 
                    ValidIssuer = authority,
                    IssuerSigningKeyResolver = (token, securityToken, identifier, parameters) =>
                        var discoveryDocument = Task.Run(() => configurationManager.GetConfigurationAsync()).GetAwaiter().GetResult();
                        return discoveryDocument.SigningKeys;
Aug 20, 2020 15:22

Hi Dileep

How do clients obtain that JWT token?

If it's from an OAuth or OpenID provider, then you can try using another middleware. One that provides an event hook where you can add your custom claims.

Aug 20, 2020 18:16


We have our OKTA as our authentication provider. Clients that use our API generate token by calling OKTA (Authority/provider). I receive the token and validate it against the same authority using /.well-known/openid-configuration end point.

However there is a need to create some custom claims after the authentication is complete or upon receiving the token since these custom claims cannot be created at OKTA (for some technical reasons at our end) so the intention is after token is received/validated, I can add new claims and update the identity some how.

Tried browising online but nothing that meets my needs so ended up here even though it is not really an Epi Question.

Aug 20, 2020 19:48

I have done similar integration several times, although with Azure AD instead Okta.

You can try using Microsoft.AspNet.Authentication.OAuthBearer instead of the more basic JWT middleware.

Then you can add a delegate method to its options parameter. It would be the Notifications.SecurityTokenValidated property. This delegate is only called if the token is valid, and so you can add custom claims to the ClaimsIdentity instance.

Aug 21, 2020 7:00

Thanks for the inputs. I will do some research on it. Do you have an example that you can share?

Besides my token is created by an external authorizatin server (OKTA) which is our IdentityServer. Not sure if I still can use OAuthBearer as JWTBearerAuthentication seems to be standard as per OpenIdConnect.

Edited, Aug 24, 2020 2:53

If Okta gives you an OAuth token, then you can use the middleware I described. I have done the same with Azure AD, native apps and WebAPI.

Then you are able to manipulate the claims in the SecurityTokenValidated event (something similar to the sample on this documentation page).

Aug 24, 2020 5:19
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.