Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Anti Forgery Claim Extractor: option to define claim name
See original GitHub issueBackground and Motivation
In a project that uses anti forgery features and 3rd party authentication provider, I found you can get anti forgery token validation failures in certain scenarios (auth provider does not use sub, nameidentifier or upn claims, whilst the iat claim value has changed).
If we could configure the name(s) of claims we want to use in the DefaultClaimUidExtractor class, we could fix the issue without having to change the configuration of the auth provider.
Proposed API
services.AddAntiForgery(options =>
options.UidClaimNames = new string[] { "myUniqueUserClaim" }
);
Alternative Designs
Tell the framework that there is an iat claim, then update DefaultClaimUidExtractor to not include the claim in the extraction.
services.AddAntiForgery(options =>
options.IatClaims = new string[] { "iat" }
);
Risks
Developers could configure a claim that is not unique to the user.
Issue Analytics
- State:
- Created 8 months ago
- Reactions:1
- Comments:6 (4 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Triage: This API would be a nice to have given more interest in it. Anyone interested in seeing this can give the issue a thumbs up to help us prioritize.
Nice, that would sort it. I would definitely forget why that middleware exists and delete it in a couple of years though 😜 We’re getting the auth service admins to add/remove claims, saves us a few lines of code