Reputation: 2714
Thread.CurrentPrincipal is authenticated but ClaimsPrincipal.Current is not
I'm using Claims based Authorization in my WebApi project and have a method where I check if the current Identity is authenticated. When I use ClaimsPrincipal.Current the current Identity is not authenticated but when I use Thread.CurrentPrincipal it is.
ClaimsPrincipal.Current.Identity.IsAuthenticated; //False
Thread.CurrentPrincipal.Identity.IsAuthenticated; //True
This seems strange especially since the MSDN says ClaimsPrincipal.Current just returns Thread.CurrentPrincipal:
Remarks
By default, Thread.CurrentPrincipal is returned. You can change this behavior by setting the ClaimsPrincipalSelector property to specify a delegate to be called to determine the current principal.
Can someone please explain me why ClaimsPrincipal is not authenticated, while both, in theory, contain the same Identity?
Upvotes: 7
Views: 15613
Answers (1)
Reputation: 239714
In short, the documentation is incorrect to say that it returns Thread.CurrentPrincipal by default.
What it actually returns is a ClaimsPrincipal wrapping Thread.CurrentPrincipal (if it's not, actually, already a ClaimsPrincipal), using this constructor:
public ClaimsPrincipal(IPrincipal principal)
{
this.m_version = "1.0";
this.m_identities = new List<ClaimsIdentity>();
if (principal == null)
{
throw new ArgumentNullException("principal");
}
ClaimsPrincipal principal2 = principal as ClaimsPrincipal;
if (principal2 == null)
{
this.m_identities.Add(new ClaimsIdentity(principal.Identity));
}
else if (principal2.Identities != null)
{
this.m_identities.AddRange(principal2.Identities);
}
}
This, in turn, as you can hopefully see, is returning a ClaimsIdentity that wraps the principal's identity (again, if it's not, actually, already a ClaimsIdentity).
In constructing the ClaimsIdentity, the only place I can see where it will end up not setting the authentication type (and thus creating an identity that's not authenticated) is here:
if(identity is WindowsIdentity)
{
try
{
this.m_authenticationType = identity.AuthenticationType;
}
catch(UnauthorizedAccessException)
{
this.m_authenticationType = null;
}
}
So, if the identity you access via Thread.CurrentPrincipal.Identity is actually a WindowsIdentity instance, and in the context in which you're running you've got restricted permissions, the constructed ClaimsIdentity instance will have IsAuthenticated as false.
Upvotes: 10
Related Questions
- Why ClaimsPrincipal.Current is returned null even when the user is authenticated?
- ASP.NET Core Identity ClaimsPrincipal appears empty
- ClaimsPrincipal does not work in ASP .Net core MVC web app
- System.Security.Claims.ClaimsPrincipal.Current (and HttpContext.Current.User) has different claims with the exact same request depending on caller
- Why is my ClaimsIdentity IsAuthenticated always false (for web api Authorize filter)?
- Thread.CurrentPrincipal is Reset/ClaimsPrincipal Lost when retrieving from ClaimsPrincipal.Current
- .Net Claims Auth -- Unable to set current principal
- CurrentPrincipal/User is empty in Web API service
- Thread.CurrentPrincipal claims incorrectly to be anynomous
- Thread.CurrentPrincipal cannot be set to Forms Authentication principal