I am examining and stepping through the example AAL - Native Application to REST service - Authentication via Browser Dialog. In ShipperServiceWebAPI\Global.asax.cs, where the Thread.CurrentPrincipal is set (~line 134), I added a Debug.Assert that always fails, because the returned claims principal's identity.name is null:
Thread.CurrentPrincipal = tokenHandler.ValidateToken(token, validationParameters);
Debug.Assert(!string.IsNullOrEmpty(Thread.CurrentPrincipal.Identity.Name));
As can be seen in this screenshot, the name claim is supplied, as expected.
Net effect is that DictionaryShipmentRepository.GetCurrentOwner() always returns null.
Should the LocalSTS be supplying a NameIdentifier claim instead of (or in conjunction with) the Name claim? Or is this a bug in the JWTSecurityTokenHandler?
Also no tests in the example code? Seriously??