c# asp.net claims

ASP.NET - How to Provide ClaimsPrincipal?


I want to have a (.NET Core) web API site. BEFORE a request comes into my site, it has to pass through a secondary site ("gateway"). The gateway will figure out the claims and create an IClaimsPrincipal with custom claims. As far as I am concerned, the gateway can set those claims by magic. My API will trust them 100%.

The gateway will then make its own request to my API, somehow attaching the claims info. When the request gets to my API site, the claims are already set.

How does the gateway site "attach" the claims to the HTTP request?

An analogous (I think) use case is if IIS is set to Windows auth. When I examine the static User object in my (unprotected) controller method, I can see it is a WindowsPrincipal, and its claims are things like AD user groups. My code (as far as I know) didn't do anything to the request to add those claims; it seems like IIS altered the request to attach those claims before it got to my site.

Is what I am asking possible? If so, how do you set the principal on a request? Or am I completely misunderstanding how principals are set? In the Windows Auth example, is it something in my .NET project that's setting the WindowsPrincipal?


Solution

  • So it turns out it's NOT actually possible. Windows can pass a WindowsPrincipal through IIS using some kind of black magic, but YOU (or I) can't actually pass a ClaimsPrincipal. You have to construct it, using JWT or some other thing.
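
The JWT route mentioned in the answer, as an added example that is not part of the original question or answer: the gateway serializes its claims into a signed token, and the API verifies the signature before rebuilding a ClaimsPrincipal from it. It assumes the System.IdentityModel.Tokens.Jwt NuGet package and a symmetric key shared by both sides; the issuer and audience names and the key strings are constructed for the demo.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class GatewayClaimsDemo
{
    // Hypothetical issuer/audience names and a constructed demo key (not a real secret).
    const string Issuer = "https://gateway.example";
    const string Audience = "https://api.example";
    static SymmetricSecurityKey KeyFrom(string s) => new SymmetricSecurityKey(Encoding.UTF8.GetBytes(s));
    static readonly SymmetricSecurityKey GatewayKey = KeyFrom("constructed-demo-key-not-a-real-secret-0123456789");

    // Gateway side: serialize the claims into a short-lived signed token,
    // which is sent to the API as "Authorization: Bearer <token>".
    public static string IssueToken(SecurityKey key, params Claim[] claims)
    {
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(claims),
            Issuer = Issuer, Audience = Audience,
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256)
        }));
    }

    // API side: verify signature, issuer, audience and lifetime, then rebuild the principal.
    // The claims are trusted only because the signature proves the gateway issued them.
    public static ClaimsPrincipal ReadPrincipal(string token)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer, ValidAudience = Audience,
            IssuerSigningKey = GatewayKey
        };
        return new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
    }

    public static void Main()
    {
        var user = ReadPrincipal(IssueToken(GatewayKey, new Claim("department", "billing")));
        Console.WriteLine("department = " + user.FindFirst("department")?.Value);
        // A token signed by anyone without the gateway key must be rejected.
        var forged = IssueToken(KeyFrom("some-other-party-key-also-constructed-0123456789"), new Claim("department", "admin"));
        try { ReadPrincipal(forged); }
        catch (SecurityTokenException e) { Console.WriteLine("rejected: " + e.GetType().Name); }
    }
}
```

In an ASP.NET Core API the same validation is normally done by the JwtBearer authentication middleware (`AddJwtBearer`), which populates `HttpContext.User` so controllers see the principal without calling the handler themselves.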