Error Solved: MVC Antiforgery Tokens and Claims Identity Issue

While working with MVC application, I came across an interesting thing and got something to learn from it so thought to share.

Scenario

Typically when you implement any MVC web application, you want to implement some security features in it and hence use of anti-forgery token is one of the approach I was trying to implement in one of my MVC web application.

How it works?

Internally how it works is, in traditional web application which are not claims aware - it simply usesUser.Identity.Name as anti-forgery token to validate form submitted.

But when we try the same with claims aware applications– it throws an error.

Why?

Because now it tries to use the claims of type NameIdentifier and IdentityProvider (by default).

Error:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' was not present on the provided ClaimsIdentity.

Solution

Either your claims provider should send you the claims of type NameIdentifier as well as IdentityProvider , but in my case I was not having both claims with me.

So I had to use the following workaround to resolve this issue:

  • Add the following line in the App_Start method of the application.
    1. AntiForgeryConfig.UniqueClaimTypeIdentifier = "http://your-sts.net/user/EmailAddress";  
  • As the name suggest - it makes application aware that the unique claim type provider is EmailAddress and not the default one.

  • After this change , you can see the _RequestVerificationToken on the details page source information.

Conclusion

This Error can be solved by letting application know that which is the claim type you want to use as unique identifier. In my case I am using EmailAddress because I had this type of claim available with me so you can also use any other claim type which your sts is providing you.