.net core 5.0 CurrentPrincipal resets value

140 views Asked by At

I have a .net core 5.0 application that requires extra certificate validation and based on the certificate I get certain roles in db. I store those as Claims in either Thread.CurrentPrincipal or HttpContext.User. But both of those get their default value back when call gets to Controller.

This is the Startup.cs

public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    ....

    // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(
        CertificateAuthenticationDefaults.AuthenticationScheme)
        .AddCertificate(options =>
        {
            options.RevocationMode = X509RevocationMode.NoCheck;
            options.AllowedCertificateTypes = CertificateTypes.All;
            options.Events = new CertificateAuthenticationEvents
            { //container.Resolve<CertificateHandler>();
                OnCertificateValidated = context =>
                {
                    if (!ValidateCertificate(context.ClientCertificate))
                    {
                        CreateErrorResponse(context, StatusCodes.Status403Forbidden, MaloConstants.NoValidClientCertificateReceived);
                        return Task.CompletedTask;
                    }

                    var certRoles = certificateProcessor.GetRoleIDs(context.ClientCertificate)
                    var roleClaims = certRoles.Roles.Distinct().OrderBy(r => r)
                        .Select(s => new Claim(ClaimsHelper.MALoInternalRole, s.ToString(CultureInfo.InvariantCulture), typeof(int).Name)).ToList();
                    var id = new ClaimsIdentity(roleClaims, AuthenticationType.X509.ToString());

                    var principal = new ClaimsPrincipal(new[] { id });

                    Thread.CurrentPrincipal = principal;
                    context.HttpContext.User = principal;
                    context.Success();
                    return Task.CompletedTask;
                }
            };
        });

        services.AddCertificateForwarding(options =>
        {
            options.CertificateHeader = "X-SSL-CERT";
            options.HeaderConverter = (headerValue) =>
            {
                X509Certificate2 clientCertificate = null;

                if (!string.IsNullOrWhiteSpace(headerValue))
                {
                    byte[] bytes = StringToByteArray(headerValue);
                    clientCertificate = new X509Certificate2(bytes);
                }

                return clientCertificate;
            };
        });

        services.AddControllers().AddNewtonsoftJson(o => o.SerializerSettings.ContractResolver = new DefaultContractResolver());
    }
    ....
    private static byte[] StringToByteArray(string hex)
    {
        int NumberChars = hex.Length;
        byte[] bytes = new byte[NumberChars / 2];

        for (int i = 0; i < NumberChars; i += 2)
        {
            bytes[i / 2] = Convert.ToByte(hex.Substring(i, 2), 16);
        }

        return bytes;
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        var logger = new NLogger();
        logger.Info("Application Configure started");
        
        app.UseHttpsRedirection();
        app.UseStaticFiles();

        app.UseRouting();

        app.UseCertificateForwarding();
        app.UseAuthentication();

        app.UseAuthorization();
        app.UseMiddleware<ContentNegociationHandler>();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });

        logger.Info("Application Configure completed");
    }
}

This is Program.cs

public class Program
{
    public static void Main(string[] args)
    {
        CreateHostBuilder(args).Build().Run();
    }

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureLogging((hostingContext, logging) =>
            {
                logging.ClearProviders();
                logging.SetMinimumLevel(LogLevel.Trace);
            })
            .UseNLog()
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.UseStartup<Startup>();
                webBuilder.ConfigureKestrel(options =>
                {
                    options.ConfigureHttpsDefaults(o =>
                        o.ClientCertificateMode =
                            ClientCertificateMode.RequireCertificate);
                });
            });
}

Is there a reason why the claims are not stored? is there a workaround?

Edit: Image of setting the Thread.CurrentPrincipal Before. Image of the value of Thread.CurrentPrincipal in controller After

1

There are 1 answers

0
Calin956 On

Found the answer: You can set the new identity like this:

context.Principal = principal;

And then I can retrieve the new principal in controller by using:

ControllerContext.HttpContext.User;