Jeppe Christensen

Reputation: 1890

UniqueClaimTypeIdentifier what exactly is happening?

I'm doing claims-based user role authentication. For this authentication I tested the following:

using System.Security.Claims;

// The second constructor argument (the authentication type) was cut off in the
// original snippet; "ApplicationCookie" is assumed here so the identity is
// treated as authenticated.
var identity = new ClaimsIdentity(new[] {
        new Claim(ClaimTypes.Name, name),
        new Claim(ClaimTypes.Email, email),
        new Claim(ClaimTypes.StreetAddress, Address),
        new Claim(ClaimTypes.Role, "Admin")
    },
    "ApplicationCookie");

My authentication works just fine, but then I realized that I should implement some kind of security in order to avoid that the user can tamper with the set role.

Therefore I stumbled across this, which is supposed to be added to the Global.asax:

AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Email;

I can't seem to understand exactly what the code above does. Am I right if I say that it gives the cookie that the user holds a unique token made from the email, which is then used by the system to validate the legitimacy of the user?

I'm new to this, by the way, so go easy on me :-)

Upvotes: 0

Views: 383

Answers (2)

Neelima Ediga

Reputation: 356

Old post, but it might be helpful for someone.

"UniqueClaimTypeIdentifier" refers to a property within the AntiForgeryToken mechanism that specifies the specific claim type used to uniquely identify a user within a claims-based identity system, essentially defining which claim within a user's identity should be used to verify their authenticity for security purposes like anti-forgery token validation. It is a string value that indicates which claim type should be considered the primary identifier for a user.

You are using Email for this.

Upvotes: 0

Gabriel GM

Reputation: 6649

I'm not quite sure what you mean by your question, but let me try to clear up a few things.

First, let's talk about your AntiForgeryConfig line of code. What it does is configure the AntiForgeryToken to use the Email claim to identify the request (creates a token based on the email). The AntiForgeryToken allows you to trust a request and prevent Cross-Site Request Forgery (CSRF).

It is implemented in 2 parts. First, you need to add the AntiForgeryToken to the form (@Html.AntiForgeryToken()). Second, you need to validate the token in your controllers' actions (ValidateAntiForgeryTokenAttribute).

Here is a link to explain what CSRF is

Here is a link with up-to-date code on how to implement it

As a side note, you said "... to avoid that the user can tamper with the set role". AntiForgeryToken doesn't do anything about tampering with roles. Tampering with roles would be more related to your authentication process.

Upvotes: 0
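The following is an added example, not code from the question or from either answer. It wires up the two halves the answer above describes (the Global.asax setting, @Html.AntiForgeryToken() in the form, [ValidateAntiForgeryToken] on the action) and also shows where the answer's side note about role tampering leads: the role is looked up on the server at sign-in and stored in an authentication cookie that the framework encrypts and signs, so the client never gets to choose it. It assumes ASP.NET MVC 5 with OWIN cookie authentication; the controller, action, view and user-store names (AccountController, ProfileController, Promote, UserStore) are hypothetical.

```csharp
// Added example (not from the question or answers). Assumes ASP.NET MVC 5 + OWIN
// cookie authentication; UserStore, AccountController, ProfileController and
// Promote are hypothetical names chosen for illustration.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        // The anti-forgery token embeds an identifier for the signed-in user, so a
        // token minted for one account fails validation when posted by another.
        // For a ClaimsIdentity the default is to look for NameIdentifier and
        // IdentityProvider claims and to throw InvalidOperationException when they
        // are absent; this line says "use the Email claim instead". Whatever claim
        // you pick must be present, unique and stable for every signed-in user.
        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Email;
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // The identity built at sign-in is serialised into this cookie, which the
        // middleware encrypts and signs (machineKey-based data protection on IIS).
        // A user who edits the cookie to add "Admin" breaks the signature and is
        // treated as anonymous; this, not the anti-forgery token, is what stops
        // role tampering.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login")
        });
    }
}

// Hypothetical in-memory stand-in for a database (constructed sample data).
// Roles live here, never in the request: the client only supplies credentials.
internal class UserRecord { public string Password; public string Role; }
internal static class UserStore
{
    public static readonly Dictionary<string, UserRecord> Users =
        new Dictionary<string, UserRecord>(StringComparer.OrdinalIgnoreCase)
        {
            ["alice@example.com"] = new UserRecord { Password = "s3cret",  Role = "Admin" },
            ["bob@example.com"]   = new UserRecord { Password = "hunter2", Role = "User"  },
        };
}

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]   // the login view also renders @Html.AntiForgeryToken()
    public ActionResult Login(string email, string password)
    {
        UserRecord record;
        if (!UserStore.Users.TryGetValue(email, out record) || record.Password != password)
            return View("Login");   // real code: compare a salted password hash

        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, email),
            new Claim(ClaimTypes.Email, email),        // the claim AntiForgeryConfig uses
            new Claim(ClaimTypes.Role, record.Role),   // looked up server-side, never posted
        }, DefaultAuthenticationTypes.ApplicationCookie);

        HttpContext.GetOwinContext().Authentication.SignIn(identity);
        return RedirectToAction("Index", "Profile");
    }
}

public class ProfileController : Controller
{
    // Form half of the anti-forgery pair, in the Razor view for this action:
    //
    //   @using (Html.BeginForm("Promote", "Profile", FormMethod.Post))
    //   {
    //       @Html.AntiForgeryToken()   // hidden __RequestVerificationToken + cookie
    //       @Html.TextBox("email")
    //       <input type="submit" value="Promote" />
    //   }
    //
    // Validation half: the hidden field and the anti-forgery cookie must match each
    // other and the current user's Email claim, otherwise HttpAntiForgeryException
    // is thrown before this body runs. A page on another origin cannot read the
    // hidden field, which is what defeats CSRF. [Authorize] is the role check; it
    // reads ClaimTypes.Role from the protected cookie, not from anything posted.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [Authorize(Roles = "Admin")]
    public ActionResult Promote(string email)
    {
        UserRecord record;
        if (UserStore.Users.TryGetValue(email, out record))
            record.Role = "Admin";
        return RedirectToAction("Index");
    }
}
```

Note the division of labour: AntiForgeryConfig.UniqueClaimTypeIdentifier only decides which claim gets baked into the anti-forgery token, so that a token issued to alice@example.com is rejected on a request carrying bob@example.com's cookie. Which roles a user has is decided once, at Login, from the server-side store, and is then carried in the signed cookie; changing that design (for example, accepting a role from a form field) is the kind of authentication mistake the answer's side note is warning about.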
