Shared Cookie between ASP.NET and ASP.NET Core not reading custom claims

[Schoof-T]

Hi

We have set up cookie sharing between my ASP.NET and ASP.NET Core application. I did this using the guidance found here:

• https://learn.microsoft.com/en-us/aspnet/core/security/cookie-sharing?view=aspnetcore-8.0#share-authentication-cookies-between-aspnet-4x-and-aspnet-core-apps
• Share authentication cookies between ASP.NET 4.x and ASP.NET Core apps dotnet/AspNetCore.Docs#21987
• Cookie compatibility between OWIN and Microsoft.AspNetCore.Authentication #435

This all works great, but we have now noticed that custom claims we are adding in our ASP.NET Core application are not being read/remembered in the ASP.NET application.

We are adding the custom claim in ASP.NET Core as follows:

        .AddOpenIdConnect("oidc", options =>
        {
           ....
            options.Events = new OpenIdConnectEvents
            {
                OnTokenValidated = async (ctx) =>
                {
                    var claims = new List<Claim>();
                    var claim = new Claim("NEWCLAIM", "TEST");
                    claims.Add(claim);

                    var appIdentity = new ClaimsIdentity(claims);
                    ctx.Principal.AddIdentity(appIdentity);

                    return;
                }
            };
        });

And in ASP.NET we are reading the claims as follows:

            var principal = Thread.CurrentPrincipal as ClaimsPrincipal;
            var identity =  principal?.Identity as ClaimsIdentity;
            var claim = identity?.Claims.FirstOrDefault(x => x.Type == "NEWCLAIM");

However, the 'NEWCLAIM' is missing. All the other default claims we get from the identity provider are there.

Any ideas, something we might be missing?

Thanks!

[Tratcher]

You're adding the new claim to a second identity, but you're only searching the first identity for claims later. Try searching ClaimsPrincipal.Claims to see claims from all identities.

[Schoof-T]

You're adding the new claim to a second identity, but you're only searching the first identity for claims later. Try searching ClaimsPrincipal.Claims to see claims from all identities.

Unfortunately it's not in there either.

            var principal = Thread.CurrentPrincipal as ClaimsPrincipal;
            var claim = principal ?.Claims.FirstOrDefault(x => x.Type == "NEWCLAIM");

I also only see one identity.

[Schoof-T]

It seems that when I add the claim directly to the current identity, instead of adding a new identity to the principal, it does work.

I'm not sure why in all the microsoft docs I was finding to add a second identity then. I even found articles stating that adding directly to the current identity doesn't even work.

        .AddOpenIdConnect("oidc", options =>
        {
           ....
            options.Events = new OpenIdConnectEvents
            {
                OnTokenValidated = async (ctx) =>
                {
                    var claims = new List<Claim>();
                    var claim = new Claim("NEWCLAIM", "TEST");
                    claims.Add(claim);

                    (ctx.Principal.Identity as ClaimsIdentity).AddClaims(claims);

                    return;
                }
            };
        });

I also found documentation from Microsoft saying I should be adding custom claims through the IClaimsTransformation.

public class MyClaimsTransformation() : IClaimsTransformation
{
    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (!principal.HasClaim(claim => claim.Type == "NEWCLAIM"))
        {
            ((ClaimsIdentity)principal.Identity).AddClaim(new Claim("NEWCLAIM", "TEST"));
        }

        return principal;
    }
}

I did try that, but that doesn't work in either cases. The custom claim is not persisted. It's not even persisted through different calls to the TransformAsync method.

I feel like I'm mising something, or doing something wrong here. But I can't put my finger on it.

[Tratcher]

Ah, the old interop serializer only supports one identity, so that explains that part.
https://github.com/dotnet/aspnetcore/blob/9f359891a031f52b597da1799aa0813b19dbc03c/src/Security/Interop/src/AspNetTicketSerializer.cs#L43-L57

[Schoof-T]

Great! So it's safe to use it like I'm using it now then?