注入的IPrincipal是匿名的，但Web API Controller User对象已通过身份验证

Question

I'm writing a Web API 2/MVC5 project and I wanted to unit test some code that had to work with an IPrincipal using ASP.Net Identity. Instead of relying on IPrincipal I wanted to abstract that behind my own IUserService. When I look at my injected IUserService the UserId and UserName are null.

public interface IUserService
{
    string UserId { get;  }
    string UserName { get;  }
}

The concrete implementation being used is:

public class UserService : IUserService
{
    private IPrincipal _principal;

    public UserService(IPrincipal principal)
    {
        _principal = principal;
    }

    public string UserName
    {
        get { return _principal.Identity.GetUserName(); }

    }

    public string UserId
    {
        get { return _principal.Identity.GetUserId(); }

    }
}

This is using Ninject for dependency injection. Inside NinjectWebCommon.cs I have:

private static void RegisterServices(IKernel kernel)
{
   kernel.Bind<IBooksService>().To<BooksService>().InRequestScope();
   kernel.Bind<DbContext>().To<ApplicationDbContext>().InRequestScope();
   kernel.Bind<ApplicationDbContext>().To<ApplicationDbContext>().InRequestScope();
   kernel.Bind<IUserStore<ApplicationUser>>().To<UserStore<ApplicationUser>>().InRequestScope();
   kernel.Bind<UserManager<ApplicationUser>>().To<UserManager<ApplicationUser>>().InRequestScope();
   kernel.Bind<IBookRepository>().To<BookRepository>().InRequestScope();
   kernel.Bind<IUserService>().To<UserService>().InRequestScope();
   kernel.Bind<IPrincipal>().ToMethod(ctx => HttpContext.Current.User);
}

If I create a Func<IPrincipal> and pass ()=>HttpContext.Current.User everything works fine. However, I don't see anyone needing to do this and all of the examples suggest this implementation.

Answer 1

Do you ever authenticate the user? Once the user is authenticated, you need to take care of creating an IIdentity and an IPrincipal . Then, you need to set Thread.CurrentPrincipal with the IPrincipal , and you also need to put the IPrincipal in the current HttpContext .

In order for a GenericIdentity to not be considered anonymous, the Name property must be a non-empty string. In order for a ClaimsIdentity to not be considered anonymous, the AuthenticationType property must be a non-null, non-empty string.

So, generally, you'll do the following:

// Perform authentication, usually using some kind of AuthenticationFilter or
// AuthorizationFilter.
// After authenticating, and still within the Auth*Filter,

// I'm going to use a GenericIdentity, but this can be converted to a 
// ClaimsIdentity if you're using the default Name claim.
IIdentity identity = new GenericIdentity("myUserName", "myAuthenticationType");

// Again, you could use a ClaimsPrincipal, the concept, however, is the same.
IPrincipal principal = new GenericPrincipal(identity, null /* no roles */);
HttpContext.Current.User = principal;
Thread.CurrentPrincipal = principal;

I did see that you mentioned the new ASP.Net Identity model is being used. So you'd definitely use ClaimsIdentity and ClaimsPrincipal in your code.

Answer 2

This is only my guess, but this may be faulty:

kernel.Bind<IUserService>().To<UserService>().InRequestScope();

First use of IUserService can occur before HttpContext.Current.User is set, so instead of current user, you get null , because at the moment UserService was created, HttpContext.Current.User was null . Since you have InRequestScope() defined, first created object of UserService is provided in subsequent uses, so principal is null all the time.

What I would probably do is just use HttpContext directly:

public class HttpContextBasedUserService : IUserService
{
    public string UserName
    {
        get { return HttpContext.Current.User.Identity.GetUserName(); }

    }

    public string UserId
    {
        get { return HttpContext.Current.User.Identity.GetUserId(); }

    }
}

If you want to use IUserService in desktop application, create implementation dedicated for desktop use.