From d00fb23e9ab9b3fcede6b65bed495e307c6547a3 Mon Sep 17 00:00:00 2001
From: Shannon
Date: Wed, 9 Sep 2020 18:11:10 +1000
Subject: [PATCH] automatically flow any added claims in OnExternalLogin to the ticket (with notes)
---
 .../BackOfficeClaimsIdentityFactory.cs | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/Umbraco.Web/Security/BackOfficeClaimsIdentityFactory.cs b/src/Umbraco.Web/Security/BackOfficeClaimsIdentityFactory.cs
index fbc24d2cd9..df31621462 100644
--- a/src/Umbraco.Web/Security/BackOfficeClaimsIdentityFactory.cs
+++ b/src/Umbraco.Web/Security/BackOfficeClaimsIdentityFactory.cs
@@ -25,8 +25,24 @@ namespace Umbraco.Web.Security
 ///
 public override async Task CreateAsync(UserManager manager, T user, string authenticationType)
 {
+ // TODO: This does not automatically apply claims from the User to the identity/ticket
+ // So how can we flow Claims from the external identity to this one?
+ // And can we do that without modifying the core? Can we replace the BackOfficeClaimsIdentityFactory easily? I don't actually think so...
+ // we would need to replace the whole user manager to do that... can that be done in v7?
+ // It could certainly be possible to just flow the Claims attached to user T to this identity
+ // Another hack would be to modify the user manager to "SupportsUserClaim" and have an in-memory store of user claims for the user id
+ // which would automatically be added with the base.CreateAsync.
+ // Another way would be to persist the extra claims with the OnExternalLogin call into the extra storage for the user
+ // and then implement SupportsUserClaim to extract the data from that extra storage. Not sure how backwards compat that is.
+
 var baseIdentity = await base.CreateAsync(manager, user, authenticationType);
-
+
+ // now we can flow any custom claims that the actual user has currently assigned which could be done in the OnExternalLogin callback
+ foreach (var claim in user.Claims)
+ {
+ baseIdentity.AddClaim(new Claim(claim.ClaimType, claim.ClaimValue));
+ }
+
 var umbracoIdentity = new UmbracoBackOfficeIdentity(baseIdentity, user.Id, user.UserName,