BootstrapContext is null on ClaimsIdentity

Published 2019-04-08 07:51

Question:

I have created a new ASP.NET MVC application with .NET 4.5. I have successfully set up authentication with an STS. The authentication flow is working fine and I am able to get the ClaimsIdentity, containing the desired claims, on Thread.CurrentPrincipal.

Now I need the bootstrap token to secure the calls to my service layer. I have set the saveBootstrapContext to true on the identityConfiguration element.

<system.identityModel>
    <identityConfiguration saveBootstrapContext="true" />
</system.identityModel>

However, the BootstrapContext property on the ClaimsIdentity is always null.

var identity = Thread.CurrentPrincipal.Identity as ClaimsIdentity;
var context = identity.BootstrapContext; // context is always null

Am I missing anything here? This was supposed to be straightforward :(

----------- Resolved ------------

This issue was resolved after I rebooted my system. Note that it did not resolve after an iisreset. Later I changed the configuration to use Microsoft.IdentityModel instead of System.IdentityModel. I was able to repro this behavior. After another reboot, I was able to get the bootstrap token once again. Anyone else experiencing the same behavior?

Answer 1:

Solved it by these:

<system.identityModel>
    <identityConfiguration saveBootstrapContext="true" />
</system.identityModel>

Also need to set TokenValidationParameters.SaveSigninToken, which is distinct from JwtBearerOptions.SaveTokens:

app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions {
        Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
        TokenValidationParameters = new TokenValidationParameters {
            SaveSigninToken = true,
            ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
        }
    }
);


Answer 2:

I ran into this problem when hosting in IIS Express. It turns out that the issue was my browser - I had not closed all of my browser windows or cleared cookies, so the SessionSecurityToken was not being recreated with the new setting, even though the server had been restarted (the existing FedAuth cookie was still being sent from the browser).

Once I forced a re-authentication by closing all browser windows, restarting the browser and performing my request again, the BootstrapContext was present.



Answer 3:

If you're using a message handler to manually validate the token with the JwtSecurityTokenHandler, extracting a claims principal and attaching it to the current thread as described here in Using the JWT handler for Implementing “Poor Man's” Delegation/ActAs: when you validate the token using JwtSecurityTokenHandler.ValidateToken(), one of the settings on TokenValidationParameters is SaveBootstrapContext, and setting that to true does the trick.
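As an added example (not code from the question or any of the answers), here is a helper that reads the bootstrap token the settings above cause to be saved, handles both shapes the property can take, and fails closed when it is absent. It assumes a .NET 4.5 WIF/OWIN application; the names BootstrapTokenReader, GetRawBootstrapToken and RequireBootstrapToken are made up for illustration.

```csharp
using System;
using System.IdentityModel.Tokens;   // BootstrapContext, SecurityToken, SecurityTokenHandler
using System.IO;
using System.Security.Claims;
using System.Threading;
using System.Xml;

public static class BootstrapTokenReader   // hypothetical class name
{
    // Returns the serialized bootstrap token, or null when none was saved. Null means one
    // of the conditions on this page was not met: saveBootstrapContext / SaveSigninToken
    // is off, or the FedAuth session cookie predates the setting change (re-authenticate).
    public static string GetRawBootstrapToken(ClaimsIdentity identity)
    {
        if (identity == null || identity.BootstrapContext == null)
            return null;
        // Newer JWT handlers store the raw compact token as a plain string.
        var raw = identity.BootstrapContext as string;
        if (raw != null)
            return raw;

        // WIF (System.IdentityModel) wraps it in a BootstrapContext instead.
        var ctx = identity.BootstrapContext as BootstrapContext;
        if (ctx == null)
            return null;
        if (!string.IsNullOrEmpty(ctx.Token))
            return ctx.Token;   // string form, e.g. a JWT saved via SaveSigninToken

        // SAML tokens arrive as a SecurityToken; serialize with the handler that created
        // the context so the XML is exactly what the STS issued (signature intact).
        if (ctx.SecurityToken != null && ctx.SecurityTokenHandler != null)
        {
            var sw = new StringWriter();
            using (var xw = XmlWriter.Create(sw, new XmlWriterSettings { OmitXmlDeclaration = true }))
                ctx.SecurityTokenHandler.WriteToken(xw, ctx.SecurityToken);
            return sw.ToString();
        }
        return null;
    }

    // Hypothetical caller: fail closed when the token is missing rather than sending an
    // unauthenticated call; the service layer must still validate the token itself.
    public static string RequireBootstrapToken()
    {
        var token = GetRawBootstrapToken(Thread.CurrentPrincipal.Identity as ClaimsIdentity);
        if (token == null)
            throw new InvalidOperationException("No bootstrap token on the current identity.");
        return token;
    }
}
```

Call RequireBootstrapToken() where the outbound service call is built; a thrown exception there points back to the configuration or stale-cookie causes discussed in the answers.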