Tags: asp.net, claims-based-identity

UniqueClaimTypeIdentifier what exactly is happening?


I'm doing claims-based user role authentication. For this authentication I tested the following:

using System.Security.Claims;

// The snippet ends after the claim list; the second constructor argument
// (the authentication type) is assumed here so the statement compiles.
var identity = new ClaimsIdentity(new[] {
                new Claim(ClaimTypes.Name, name),
                new Claim(ClaimTypes.Email, email),
                new Claim(ClaimTypes.StreetAddress, Address),
                new Claim(ClaimTypes.Role, "Admin")   // role assigned at sign-in time
}, "ApplicationCookie");   // assumed authentication type, not part of the original snippet

My authentication works just fine, but then I realized that I should implement some kind of security to avoid the user being able to tamper with the set role.

Therefore I stumbled across this, which is supposed to be added in the Global.asax:

AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Email;

I can't seem to understand exactly what the code above does. Am I right if I say that it gives the cookie that the user holds a unique token made from the email, which is then used by the system to validate the legitimacy of the user?

I'm new to this, by the way, so go easy on me :-)


Solution

  • I'm not quite sure what you mean by your question, but let me try to clear up a few things.

    First, let's talk about your AntiForgeryConfig line of code. What it does is configure the AntiForgeryToken to use the Email claim to identify the request (creates a token based on the email). The AntiForgeryToken allows you to trust a request and prevent Cross-Site Request Forgery (CSRF).

    It is implemented in 2 parts. First you need to add the AntiForgeryToken to the form (@Html.AntiForgeryToken). Second, you need to validate the token in your controllers' actions (ValidateAntiForgeryTokenAttribute).

    Here is a link to explain what CSRF is

    Here is a link with up-to-date code on how to implement it

    As a side note, you said "... to avoid that the user can tamper the set role". AntiForgeryToken doesn't do anything about tampering with roles. Tampering with roles would be more related to your authentication process.
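The two pieces discussed in the question and the answer, put together in one ASP.NET MVC 5 project, as an added illustration that is not code from either poster: the Global.asax setting, the claims identity issued at sign-in (the question's snippet, with the role taken from a server-side store rather than hard-coded), the form carrying the anti-forgery token, and the action that enforces both the role and the token. `UserStore`, `LoginModel` and the view path are hypothetical names; `DefaultAuthenticationTypes` and the OWIN cookie middleware (`Microsoft.AspNet.Identity`, `Microsoft.Owin.Host.SystemWeb`) are assumed to be installed, as in a default MVC 5 template.

```csharp
using System.Security.Claims;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;
using System.Web.Routing;
using Microsoft.AspNet.Identity;   // DefaultAuthenticationTypes.ApplicationCookie
using Microsoft.Owin.Security;      // IAuthenticationManager (via HttpContext.GetOwinContext())

// --- Global.asax.cs -------------------------------------------------------
public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();
        RouteConfig.RegisterRoutes(RouteTable.Routes);

        // The anti-forgery token embeds a claim that identifies the signed-in user,
        // so a token minted for one user is rejected when presented by another.
        // By default it looks for ClaimTypes.NameIdentifier and fails if that claim
        // is missing; the identity below carries Email instead, so Email is chosen.
        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Email;
    }
}

// --- Controllers/AccountController.cs ------------------------------------
public class AccountController : Controller
{
    [HttpGet, AllowAnonymous]
    public ActionResult Login() { return View(); }

    // The login form itself carries @Html.AntiForgeryToken(), so a forged
    // cross-site POST cannot log the victim into an attacker-chosen account.
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model)
    {
        // Hypothetical credential check against a server-side user store.
        if (!UserStore.Validate(model.Email, model.Password))
            return View(model);

        // The role is looked up on the server; nothing the browser sends decides it.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, model.Email),
            new Claim(ClaimTypes.Email, model.Email),
            new Claim(ClaimTypes.Role, UserStore.RoleFor(model.Email))
        }, DefaultAuthenticationTypes.ApplicationCookie);

        // The cookie middleware encrypts and signs the ticket with the application's
        // data-protection key, so the Role claim cannot be edited client side
        // without invalidating the cookie. That, not the anti-forgery token,
        // is what protects the role.
        IAuthenticationManager auth = HttpContext.GetOwinContext().Authentication;
        auth.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
        return RedirectToAction("Index", "Home");
    }
}

// --- Controllers/AdminController.cs --------------------------------------
public class AdminController : Controller
{
    [HttpGet, Authorize(Roles = "Admin")]
    public ActionResult DeleteUser() { return View(); }

    // Authorize: the Role claim read from the signed cookie must be "Admin".
    // ValidateAntiForgeryToken: the __RequestVerificationToken cookie and the
    // hidden form field must match each other AND match the current user's
    // Email claim, which is what UniqueClaimTypeIdentifier controls.
    [HttpPost, Authorize(Roles = "Admin"), ValidateAntiForgeryToken]
    public ActionResult DeleteUser(string email)
    {
        UserStore.Delete(email);   // hypothetical
        return RedirectToAction("Index");
    }
}

/* --- Views/Admin/DeleteUser.cshtml (Razor, shown here as a comment) -------
@using (Html.BeginForm("DeleteUser", "Admin", FormMethod.Post))
{
    @Html.AntiForgeryToken()        // emits the hidden field paired with the cookie token
    <input type="email" name="email" />
    <button type="submit">Delete</button>
}
---------------------------------------------------------------------------- */

// Hypothetical model and store used above, so the listing reads as a whole.
public class LoginModel { public string Email { get; set; } public string Password { get; set; } }
public static class UserStore
{
    public static bool Validate(string email, string password) { return true; }
    public static string RoleFor(string email) { return "User"; }
    public static void Delete(string email) { }
}
```

A quick check that the setting is doing its job: sign in as one user, copy the rendered hidden `__RequestVerificationToken` field, sign in as a second user in the same browser and resubmit the form with the copied field. The request is rejected with an anti-forgery error because the token's embedded Email claim no longer matches the current identity.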