WindowsIdentity.RunImpersonated sending wrong credentials

[koikin]

Hi all!
I'm using windows authentication to impersonate my request to the api like this:

public void ConfigureServices(IServiceCollection services)
{
    services.AddRazorPages();
    services.AddServerSideBlazor();
    services.AddHttpClient<ApiRequests>(c =>
    {
        c.BaseAddress = new Uri(Configuration.GetSection("ApiUrl").Value);
        c.DefaultRequestHeaders.Add("Accept", "application/vnd.github.v3+json");
        c.DefaultRequestHeaders.Add("User-Agent", "HttpClientFactory-Sample");
    })
    .ConfigurePrimaryHttpMessageHandler(() =>
    {
        return new HttpClientHandler()
        {
            UseDefaultCredentials = true
        };
    });

    services.AddHttpContextAccessor();
    services.AddAuthentication();
}

On the API side I just get the identity with HttpContextAccessor.

public int GetUser()
{
    return _context.User.SingleOrDefault(e => e.Name == _httpContextAccessor.HttpContext.User.Identity.Name);
}

This works fine as long as only one user is signed in and makes the calls to the API.
But when two users are making calls.
User 1 is sometime receive user 1 data and sometime user 2 data same with User 2.
Debugging inside RunImpersonated with WindowsIdentity.GetCurrent() shows always the correct user.
But the API is not always receiving the correct user.

public async Task<User> GetUser()
{
    return await WindowsIdentity.RunImpersonated(_identity.AccessToken, async () =>
    {
        var user = new User();
        string url = "api/User";
    
        var response = await client.GetAsync(url);
        if (response.IsSuccessStatusCode)
        {
            string responseStream = await response.Content.ReadAsStringAsync();
            user = JsonConvert.DeserializeObject<User>(responseStream);
        }
        return user;
    });
}

Creating and disposing HttpClient for each api call works as expected but not recommended.

using (var client = new HttpClient(new HttpClientHandler() { UseDefaultCredentials = true }))
{
    client.DefaultRequestHeaders.Add("Accept", "application/vnd.github.v3+json");
    client.DefaultRequestHeaders.Add("User-Agent", "HttpClientFactory-Sample");

    var response = await client.GetAsync(url);
    if (response.IsSuccessStatusCode)
    {
        string responseStream = await response.Content.ReadAsStringAsync();
        user = JsonConvert.DeserializeObject<User>(responseStream);
    }
};

I'm running the api and blazor web on the same server but on different app pool.
Both are using .NetCore 3.1
Is this a bug or am I doing it the wrong way?

[danmoseley]

@scalablecory any thoughts about which area this should go?

[scalablecory]

@koikin can you please try with a .NET 5 preview? This was fixed in #303. Thanks.

Tagging subscribers to this area: @dotnet/ncl
Notify danmosemsft if you want to be subscribed.

[scalablecory]

Duplicate of #30307

[koikin]

Thanks for the quick reply! @scalablecory

I upgraded to v5.0.0-preview.6

And got the following error when impersonating with
_identity = (WindowsIdentity)httpContextAccessor.HttpContext.User.Identity;
or
_identity = WindowsIdentity.GetCurrent()

Error: System.ComponentModel.Win32Exception (0x80090308): The token supplied to the function is invalid

Any ideas?

[scalablecory]

@koikin can you give a full stack trace? I can't reproduce that.

[koikin]

@scalablecory

blazor.server.js:19 [2020-06-26T12:51:42.778Z] Error: System.ComponentModel.Win32Exception (0x80090308): The token supplied to the function is invalid
   at System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatusPal& statusCode)
   at System.Net.NTAuthentication.GetOutgoingBlob(String incomingBlob)
   at System.Net.Http.AuthenticationHelper.SendWithNtAuthAsync(HttpRequestMessage request, Uri authUri, ICredentials credentials, Boolean isProxyAuth, HttpConnection connection, HttpConnectionPool connectionPool, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.AuthenticationHelper.SendWithAuthAsync(HttpRequestMessage request, Uri authUri, ICredentials credentials, Boolean preAuthenticate, Boolean isProxyAuth, Boolean doRequestAuth, HttpConnectionPool pool, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.DiagnosticsHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at Microsoft.Extensions.Http.Logging.LoggingHttpMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at Microsoft.Extensions.Http.Logging.LoggingScopeHttpMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts, CancellationToken callerToken, Int64 timeoutTime)
   at AppDeployBlazor.StaticCalls.ApiRequests.<>c__DisplayClass6_0.<<MakeRequest>b__0>d.MoveNext() in C:\Repositories\Git\src\AppDeplayBlazor\StaticCalls\ApiRequests.cs:line 48
--- End of stack trace from previous location ---
   at AppDeployBlazor.StaticCalls.ApiRequests.MakeRequest(String url) in C:\Repositories\Git\src\AppDeplayBlazor\StaticCalls\ApiRequests.cs:line 46
   at AppDeployBlazor.StaticCalls.ApiRequests.GetPinnedCustomer() in C:\Repositories\Git\src\AppDeplayBlazor\StaticCalls\ApiRequests.cs:line 128
   at AppDeployBlazor.Components.IndexLogic.OnInitializedAsync() in C:\Repositories\Git\src\AppDeplayBlazor\Data\IndexLogic.cs:line 43
   at Microsoft.AspNetCore.Components.ComponentBase.RunInitAndSetParametersAsync()
   at Microsoft.AspNetCore.Components.RenderTree.Renderer.GetErrorHandledTask(Task taskToHandle)