I have a .net core 5.0 application that requires extra certificate validation and based on the certificate I get certain roles in db. I store those as Claims in either Thread.CurrentPrincipal or HttpContext.User. But both of those get their default value back when call gets to Controller.
This is the Startup.cs
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
....
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(
CertificateAuthenticationDefaults.AuthenticationScheme)
.AddCertificate(options =>
{
options.RevocationMode = X509RevocationMode.NoCheck;
options.AllowedCertificateTypes = CertificateTypes.All;
options.Events = new CertificateAuthenticationEvents
{ //container.Resolve<CertificateHandler>();
OnCertificateValidated = context =>
{
if (!ValidateCertificate(context.ClientCertificate))
{
CreateErrorResponse(context, StatusCodes.Status403Forbidden, MaloConstants.NoValidClientCertificateReceived);
return Task.CompletedTask;
}
var certRoles = certificateProcessor.GetRoleIDs(context.ClientCertificate)
var roleClaims = certRoles.Roles.Distinct().OrderBy(r => r)
.Select(s => new Claim(ClaimsHelper.MALoInternalRole, s.ToString(CultureInfo.InvariantCulture), typeof(int).Name)).ToList();
var id = new ClaimsIdentity(roleClaims, AuthenticationType.X509.ToString());
var principal = new ClaimsPrincipal(new[] { id });
Thread.CurrentPrincipal = principal;
context.HttpContext.User = principal;
context.Success();
return Task.CompletedTask;
}
};
});
services.AddCertificateForwarding(options =>
{
options.CertificateHeader = "X-SSL-CERT";
options.HeaderConverter = (headerValue) =>
{
X509Certificate2 clientCertificate = null;
if (!string.IsNullOrWhiteSpace(headerValue))
{
byte[] bytes = StringToByteArray(headerValue);
clientCertificate = new X509Certificate2(bytes);
}
return clientCertificate;
};
});
services.AddControllers().AddNewtonsoftJson(o => o.SerializerSettings.ContractResolver = new DefaultContractResolver());
}
....
private static byte[] StringToByteArray(string hex)
{
int NumberChars = hex.Length;
byte[] bytes = new byte[NumberChars / 2];
for (int i = 0; i < NumberChars; i += 2)
{
bytes[i / 2] = Convert.ToByte(hex.Substring(i, 2), 16);
}
return bytes;
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
var logger = new NLogger();
logger.Info("Application Configure started");
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseCertificateForwarding();
app.UseAuthentication();
app.UseAuthorization();
app.UseMiddleware<ContentNegociationHandler>();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
logger.Info("Application Configure completed");
}
}
This is Program.cs
public class Program
{
public static void Main(string[] args)
{
CreateHostBuilder(args).Build().Run();
}
public static IHostBuilder CreateHostBuilder(string[] args) =>
Host.CreateDefaultBuilder(args)
.ConfigureLogging((hostingContext, logging) =>
{
logging.ClearProviders();
logging.SetMinimumLevel(LogLevel.Trace);
})
.UseNLog()
.ConfigureWebHostDefaults(webBuilder =>
{
webBuilder.UseStartup<Startup>();
webBuilder.ConfigureKestrel(options =>
{
options.ConfigureHttpsDefaults(o =>
o.ClientCertificateMode =
ClientCertificateMode.RequireCertificate);
});
});
}
Is there a reason why the claims are not stored? is there a workaround?
Edit: Image of setting the Thread.CurrentPrincipal
Before. Image of the value of Thread.CurrentPrincipal
in controller
After
Found the answer: You can set the new identity like this:
And then I can retrieve the new principal in controller by using: