Events
Power BI DataViz World Championships
Feb 14, 4 PM - Mar 31, 4 PM
With 4 chances to enter, you could win a conference package and make it to the LIVE Grand Finale in Las Vegas
Learn moreMigrate from ClaimsPrincipal.Current
In ASP.NET 4.x projects, it was common to use ClaimsPrincipal.Current to retrieve the current authenticated user's identity and claims. In ASP.NET Core, this property is no longer set. Code that was depending on it needs to be updated to get the current authenticated user's identity through a different means.
When using ASP.NET Core, the values of both ClaimsPrincipal.Current and Thread.CurrentPrincipal aren't set. These properties both represent static state, which ASP.NET Core generally avoids. Instead, ASP.NET Core uses dependency injection (DI) to provide dependencies such as the current user's identity. Getting the current user's identity from DI is more testable, too, since test identities can be easily injected.
There are several options for retrieving the current authenticated user's ClaimsPrincipal in ASP.NET Core in place of ClaimsPrincipal.Current:
ControllerBase.User. MVC controllers can access the current authenticated user with their User property.
HttpContext.User. Components with access to the current
HttpContext(middleware, for example) can get the current user'sClaimsPrincipalfrom HttpContext.User.Passed in from caller. Libraries without access to the current
HttpContextare often called from controllers or middleware components and can have the current user's identity passed as an argument.IHttpContextAccessor. The project being migrated to ASP.NET Core may be too large to easily pass the current user's identity to all necessary locations. In such cases, IHttpContextAccessor can be used as a workaround.
IHttpContextAccessoris able to access the currentHttpContext(if one exists). If DI is being used, see Access HttpContext in ASP.NET Core. A short-term solution to getting the current user's identity in code that hasn't yet been updated to work with ASP.NET Core's DI-driven architecture would be:- Make
IHttpContextAccessoravailable in the DI container by calling AddHttpContextAccessor inStartup.ConfigureServices. - Get an instance of
IHttpContextAccessorduring startup and store it in a static variable. The instance is made available to code that was previously retrieving the current user from a static property. - Retrieve the current user's
ClaimsPrincipalusingHttpContextAccessor.HttpContext?.User. If this code is used outside of the context of an HTTP request, theHttpContextis null.
- Make
The final option, using an IHttpContextAccessor instance stored in a static variable, is contrary to the ASP.NET Core principle of preferring injected dependencies to static dependencies. Plan to eventually retrieve IHttpContextAccessor instances from DI instead. A static helper can be a useful bridge, though, when migrating large existing ASP.NET apps that use ClaimsPrincipal.Current.
Collaborate with us on GitHub
The source for this content can be found on GitHub, where you can also create and review issues and pull requests. For more information, see our contributor guide.
ASP.NET Core feedback
ASP.NET Core is an open source project. Select a link to provide feedback:
Additional resources
Training
Module
Secure a .NET web app with the ASP.NET Core Identity framework - Training
Learn how to add authentication and authorization to a .NET web app using the ASP.NET Core Identity framework.
Certification
Microsoft Certified: Identity and Access Administrator Associate - Certifications
Demonstrate the features of Microsoft Entra ID to modernize identity solutions, implement hybrid solutions, and implement identity governance.