c# - Why is my ClaimsIdentity IsAuthenticated always false (for web api Authorize filter)?

Question

Welcome To Ask or Share your Answers For Others

c# - Why is my ClaimsIdentity IsAuthenticated always false (for web api Authorize filter)?

posted Oct 17, 2021 in Technique[技术] by 深蓝 (71.8m points)

c# - Why is my ClaimsIdentity IsAuthenticated always false (for web api Authorize filter)?

In a Web API project I am overriding the normal authentication process to check tokens instead. The code looks something like this:

if ( true ) // validate the token or whatever here
{
    var claims = new List<Claim>();
    claims.Add( new Claim( ClaimTypes.Name, "MyUser" ) );
    claims.Add( new Claim( ClaimTypes.NameIdentifier, "MyUserID" ) );
    claims.Add( new Claim( ClaimTypes.Role, "MyRole" ) );

    var claimsIdentity = new ClaimsIdentity( claims );

    var principal = new ClaimsPrincipal( new[] { claimsIdentity } );
    Thread.CurrentPrincipal = principal;
    HttpContext.Current.User = principal;
}

And then later when I apply the [Authorize] attribute to a controller, it fails to authorize.

Debug code confirms the same behavior:

// ALWAYS FALSE!
if ( HttpContext.Current.User.Identity.IsAuthenticated ) {
    // do something
}

Why does it think the user is not authenticated even though I've constructed a valid ClaimsIdentity and assigned it to the thread?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

1 Reply

深蓝 · Answer 1 · 2021-10-17T00:13:31+0000

The problem is because of a breaking change in .Net 4.5. As explained by this article, simply constructing a claims identity no longer makes it IsAuthenticated return true. Instead, you need to pass some string (doesn't matter what) into the constructor.

So this line in the above code:

var claimsIdentity = new ClaimsIdentity( claims );

Becomes this:

// exact string doesn't matter
var claimsIdentity = new ClaimsIdentity( claims, "CustomApiKeyAuth" );

And the problem is solved. Update: see other answer from Leo. The exact AuthenticationType value may or may not be important depending on what else you have in your auth pipeline.

Update 2: as suggested by Robin van der Knaap in the comments, one of the System.Security.Claims.AuthenticationTypes values might be appropriate.

var claimsIdentity = new ClaimsIdentity( claims, AuthenticationTypes.Password );

// and elsewhere in your application...
if (User.Identity.AuthenticationType == AuthenticationTypes.Password) {
    // ...
}

Categories

c# - Why is my ClaimsIdentity IsAuthenticated always false (for web api Authorize filter)?

c# - Why is my ClaimsIdentity IsAuthenticated always false (for web api Authorize filter)?

Please log in or register to add a comment.

Please log in or register to reply this article.

1 Reply

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags