'.../nameidentifier' was not present on the provided ClaimsIdentity


I am using IdentityServer3 as the authorization server for an MVC application. Therefore, my Startup class is like this:

public void Configuration(IAppBuilder app)
{

    app.UseExternalSignInCookie();
    JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = "Cookies"
    });
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        Authority = "http://localhost:5000/",
        ClientId = "mvc",
        RedirectUri = "http://localhost:12262/",
        ResponseType = "id_token",
        UseTokenLifetime = false,
        SignInAsAuthenticationType = "Cookies"
    });
}

This is my IdentityUser subclass:

public class ApplicationUser : IdentityUser
{
    public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser> manager)
    {

        var userIdentity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);
        userIdentity.AddClaim(new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", this.Email));
        userIdentity.AddClaim(
            new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider",
                this.Email));

        return userIdentity;
    }

    public UserType UserType { get; set; }
    ....
}

This is my Global.asax.cs:

protected void Application_Start()
{
    AreaRegistration.RegisterAllAreas();

    FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
    RouteConfig.RegisterRoutes(RouteTable.Routes);
    BundleConfig.RegisterBundles(BundleTable.Bundles);

    AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
}

But in my Account/Register view at the line containing @Html.AntiForgeryToken() I receive this error:

A claim of type 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' was not present on the provided ClaimsIdentity.

I have seen some questions on SO with a similar problem (maybe not using IdentityServer3 anywhere), but their solutions seem not to work, at least the way I'm using them.

There is 1 solution below

IMHO I believe the problem is that the claims are not added in the right place. But to confirm this I need some feedback. Are you using Microsoft.AspNet.Identity* (NuGet packages) in connection with Identity Server? Are you creating the users by code or reading from a database?

For example, I used AspNet.Identity with IdentityServer3, and to add a claim for each user you can modify the user service's GetClaimsFromAccount method like the following:

using System.Collections.Generic;
using System.Data.Entity;
using System.Linq;
using System.Threading.Tasks;
using IdentityServer3.Core;
using IdentityServer3.AspNetIdentity;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Services;
using Microsoft.AspNet.Identity.EntityFramework; // IdentityUser

namespace ..... {

public class UserService : AspNetIdentityUserService<IdentityUser, string>
{
    public UserService(UserManager userMgr) : base(userMgr)
    {
    }

    protected override async Task<IEnumerable<System.Security.Claims.Claim>> GetClaimsFromAccount(IdentityUser user)
    {
        var claims = (await base.GetClaimsFromAccount(user)).ToList();

        // make sure the email is in the claims: add it only if it is not already present
        if (!claims.Any(c => c.Type == Constants.ClaimTypes.Email) && !string.IsNullOrWhiteSpace(user.Email))
        {
            claims.Add(.....);
        }

        return claims;
    }
}
....
}

Notice that IdentityServer3.Core comes with constants containing the claim types (Constants.ClaimTypes.Email).

Hope this helps a little :)
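
Added example, not part of the original question or answer: a stand-alone C# console sketch of the condition behind the error message. It assumes the client identity is built from the id_token while `JwtSecurityTokenHandler.InboundClaimTypeMap` is empty (as in the question's Startup), so the subject arrives under the raw name `sub`; the sample claims and the helper names `HasClaimOfType` and `EnsureNameIdentifier` are constructed for illustration.

```csharp
using System;
using System.Security.Claims;

static class AntiForgeryClaimCheck
{
    // Same claim type the question assigns to AntiForgeryConfig.UniqueClaimTypeIdentifier.
    const string NameIdentifier = ClaimTypes.NameIdentifier;
    // Raw JWT subject claim name, left unmapped when the inbound claim type map is empty.
    const string Subject = "sub";

    // Hypothetical helper: the condition the error message reports on.
    static bool HasClaimOfType(ClaimsIdentity identity, string claimType)
    {
        return identity.IsAuthenticated && identity.HasClaim(c => c.Type == claimType);
    }

    // Hypothetical helper: copies "sub" into a nameidentifier claim when that claim is missing.
    // Returns true if a claim was added, false if one was already there.
    static bool EnsureNameIdentifier(ClaimsIdentity identity)
    {
        if (identity.HasClaim(c => c.Type == NameIdentifier)) return false;
        Claim sub = identity.FindFirst(Subject);
        if (sub == null || string.IsNullOrWhiteSpace(sub.Value))
            throw new InvalidOperationException("Identity has neither 'sub' nor nameidentifier.");
        identity.AddClaim(new Claim(NameIdentifier, sub.Value, sub.ValueType, sub.Issuer));
        return true;
    }

    static void Main()
    {
        // Constructed sample: claims as they look after id_token validation with an empty map.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim("iss", "http://localhost:5000/"),
            new Claim("aud", "mvc"),
            new Claim(Subject, "constructed-subject-123"),
        }, "Cookies");

        Console.WriteLine("nameidentifier before: " + HasClaimOfType(identity, NameIdentifier));
        Console.WriteLine("sub present:           " + HasClaimOfType(identity, Subject));
        Console.WriteLine("claim added:           " + EnsureNameIdentifier(identity));
        Console.WriteLine("nameidentifier after:  " + HasClaimOfType(identity, NameIdentifier));
    }
}
```

In the MVC client the equivalent choices are to point `AntiForgeryConfig.UniqueClaimTypeIdentifier` at a claim type that is actually present on the signed-in identity, such as `sub`, or to add the nameidentifier claim when the identity is created.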