BootstrapContext is null on ClaimsIdentity

I have created a new ASP.NET MVC application with .NET 4.5. I have successfully set up authentication with an STS. The authentication flow is working fine and I am able to get the ClaimsIdentity, containing the desired claims, on Thread.CurrentPrincipal.

Now I need the bootstrap token to secure the calls to my service layer. I have set the saveBootstrapContext to true on the identityConfiguration element.

<system.identityModel>
    <identityConfiguration saveBootstrapContext="true">
    </identityConfiguration>
</system.identityModel>

However, the BootstrapContext property on the ClaimsIdentity is always null.

var identity = Thread.CurrentPrincipal.Identity as ClaimsIdentity;
var context = identity.BootstrapContext; // context is always null

Am I missing anything here? This was supposed to be straightforward :(

Unmesh Kondolikar asked Dec 29 '12 16:12


3 Answers

Solved it by these:

<system.identityModel>
    <identityConfiguration saveBootstrapContext="true" />
</system.identityModel>

You also need to set TokenValidationParameters.SaveSigninToken, which is distinct from JwtBearerOptions.SaveTokens:

app.UseWindowsAzureActiveDirectoryBearerAuthentication(
    new WindowsAzureActiveDirectoryBearerAuthenticationOptions {
        Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
        TokenValidationParameters = new TokenValidationParameters {
            SaveSigninToken = true,
            ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
        }
    }
);
Jaanus answered Nov 03 '22 05:11


I ran into this problem when hosting in IIS Express. It turns out that the issue was my browser - I had not closed all of my browser windows or cleared cookies, so the SessionSecurityToken was not being recreated with the new setting, even though the server had been restarted (the existing FedAuth cookie was still being sent from the browser).

Once I forced a re-authentication by closing all browser windows, restarting the browser and performing my request again, the BootstrapContext was present.

Mark Larson answered Nov 03 '22 05:11


If you're using a message handler to manually validate the token with the JwtSecurityTokenHandler, extracting a claims principal and attaching it to the current Thread as described in Using the JWT handler for Implementing "Poor Man's" Delegation/ActAs, then when you validate the token with JwtSecurityTokenHandler.ValidateToken(), one of the settings on TokenValidationParameters is SaveBootstrapContext; setting that to true does the trick.

Mohammad Sepahvand answered Nov 03 '22 03:11
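Putting the answers above together, as an added example in C# (not code from any of the answers): manual validation with JwtSecurityTokenHandler that saves the sign-in token, and a helper that reads BootstrapContext back so the caller's own token can be forwarded to the service layer the question mentions. It assumes System.IdentityModel.Tokens.Jwt 4.x (where the setting is called SaveSigninToken and IssuerSigningKey takes a SecurityKey); the class and method names are mine.

```csharp
using System;
using System.IdentityModel.Tokens;   // JwtSecurityTokenHandler, TokenValidationParameters, SecurityKey (4.x assumed)
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading;
// Manual JWT validation that keeps the raw token as BootstrapContext, plus the lookup the service layer needs.
public static class BootstrapTokenFlow
{
    public static TokenValidationParameters BuildParameters(string audience, string issuer, SecurityKey key)
    {
        return new TokenValidationParameters
        {
            ValidAudience = audience,   // reject tokens minted for another API
            ValidIssuer = issuer,       // reject tokens from an unexpected STS
            IssuerSigningKey = key,
            SaveSigninToken = true      // the setting this thread is about (named SaveBootstrapContext in the 3.x handler)
        };
    }
    // Validates the bearer token and installs the principal on the current thread; false on any failure (fail closed).
    public static bool ValidateAndInstall(string rawJwt, TokenValidationParameters parameters)
    {
        var handler = new JwtSecurityTokenHandler();
        if (string.IsNullOrEmpty(rawJwt) || !handler.CanReadToken(rawJwt)) return false;   // malformed input
        try
        {
            SecurityToken validated;
            Thread.CurrentPrincipal = handler.ValidateToken(rawJwt, parameters, out validated);
            return true;
        }
        catch (SecurityTokenException)   // bad signature, wrong audience/issuer, expired
        {
            return false;
        }
    }
    // Raw token saved by SaveSigninToken, or null when nothing was saved (setting off, or a session cookie issued before the setting was enabled, as in the IIS Express answer above).
    public static string CurrentRawToken()
    {
        var identity = Thread.CurrentPrincipal.Identity as ClaimsIdentity;
        if (identity == null || identity.BootstrapContext == null) return null;
        var ctx = identity.BootstrapContext as BootstrapContext;   // WIF 4.5 wraps the token; the JWT handler may store the string itself
        return ctx != null ? ctx.Token : identity.BootstrapContext as string;
    }
    // Authorization header for the service-layer call, carrying the caller's own token.
    public static AuthenticationHeaderValue ServiceLayerAuthorization()
    {
        var raw = CurrentRawToken();
        if (raw == null) throw new InvalidOperationException("BootstrapContext is null: check SaveSigninToken and re-authenticate.");
        return new AuthenticationHeaderValue("Bearer", raw);
    }
}
```

If CurrentRawToken() returns null after the setting is enabled, the cause in Mark Larson's answer (a FedAuth cookie issued before the change) is the first thing to rule out.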