While working with an MVC application, I came across an interesting thing and learned something from it, so I thought I would share it.
Scenario:
Typically, when you implement an MVC web application, you want to implement some security features in it. Using an anti-forgery token is one of the approaches I was trying to implement in one of my MVC web applications.
How does it work?
Internally, in a traditional web application that is not claims-aware, it simply uses User.Identity.Name as the user identity in the anti-forgery token to validate the submitted form.
But when we try the same with a claims-aware application, it throws an error.
Why?
Because now it tries to use the claims of type NameIdentifier and IdentityProvider (by default).
Error:
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' was not present on the provided ClaimsIdentity.
Solution:
Ideally, your claims provider should send you claims of type NameIdentifier as well as IdentityProvider, but in my case I did not have both claims.
So I had to use the following workaround to resolve this issue.
Add the following line in the App_Start method of the application.
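A setting that matches this description, shown as an added example rather than the original post's code. It assumes the method meant is Application_Start in Global.asax.cs and the AntiForgeryConfig class from System.Web.Helpers; DetailsController and its Edit action are hypothetical names.

```csharp
// Global.asax.cs (added example, not the original post's code)
using System.Security.Claims;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        // Existing area, filter and route registration calls stay as they are.

        // Tell the anti-forgery system which claim identifies the user.
        // Without this, a claims-aware application looks for the
        // NameIdentifier and IdentityProvider claims and throws if they are absent.
        // ClaimTypes.Email is the .../identity/claims/emailaddress claim type.
        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Email;
    }
}

// Hypothetical controller showing where the token is issued and checked.
public class DetailsController : Controller
{
    [HttpGet]
    public ActionResult Edit()
    {
        // The view renders @Html.AntiForgeryToken() inside its <form>,
        // which emits the hidden __RequestVerificationToken field.
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken] // rejects posts whose token is missing or was issued to another user
    public ActionResult Edit(FormCollection form)
    {
        // Reached only when the form token and the cookie token validate
        // against the current user's e-mail address claim.
        return RedirectToAction("Edit");
    }
}
```

The claim chosen here has to be issued for every authenticated user and be unique per user, because its value is what ties a token to the user who requested the form.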
As the name suggests, it makes the application aware that the unique claim type to use is EmailAddress and not the default one.
After this change, you can see the __RequestVerificationToken in the page source of the details page.
Conclusion:
This error can be solved by letting the application know which claim type you want to use as the unique identifier. In my case I am using EmailAddress because I had this type of claim available; you can use any other claim type that your STS provides.