{"id":440,"date":"2009-06-29T13:39:00","date_gmt":"2009-06-29T22:39:00","guid":{"rendered":"http:\/\/www.cloudidentity.com\/blog\/2009\/06\/29\/i-made-you-a-token-but-i-eated-it-or-how-to-debug-authentication-issues-in-asp-net-with-securitytokenvisualizercontrol\/"},"modified":"2009-06-29T13:39:00","modified_gmt":"2009-06-29T22:39:00","slug":"i-made-you-a-token-but-i-eated-it-or-how-to-debug-authentication-issues-in-asp-net-with-securitytokenvisualizercontrol","status":"publish","type":"post","link":"https:\/\/www.cloudidentity.com\/blog\/2009\/06\/29\/i-made-you-a-token-but-i-eated-it-or-how-to-debug-authentication-issues-in-asp-net-with-securitytokenvisualizercontrol\/","title":{"rendered":"I made you a token\u2026 but I eated it: or how to debug authentication issues in ASP.NET with SecurityTokenVisualizerControl"},"content":{"rendered":"
digg_url = “http:\/\/blogs.msdn.com\/vbertocci\/archive\/2009\/06\/29\/i-made-you-a-token-but-i-eated-it-or-how-to-debug-authentication-issues-in-asp-net-with-securitytokenvisualizercontrol.aspx”;digg_title = “I made you a token\u2026 but I eated it: or how to debug authentication issues in ASP.NET with SecurityTokenVisualizerControl”;digg_bgcolor = “#FFFFFF”;digg_skin = “normal”;digg_url = undefined;digg_title = undefined;digg_bgcolor = undefined;digg_skin = undefined;<\/div>\n

(in case Internet memes are not your thing: before you flame me for poor grammar, know that the \u201cI eated it\u201d is intentional: see <\/font>http:\/\/icanhascheezburger.com\/2007\/01\/15\/i-made-you-a-cookie\/<\/font><\/a>)<\/font><\/p>\n

Another week, another sample ASP.NET control for identity<\/a>!<\/p>\n

There are moments in the development of claims-based websites in which you want to take a good look at the token that you are getting from the STS: if your pages are not behaving in the way you\u2019d expect, you never really know if that\u2019s because you are not getting the claims you were expecting or if you are not processing them in the right way. That\u2019s just one example of why you\u2019d want to inspect the identity info in the current context.<\/p>\n

Normally you have two strategies for inspecting the content of the current context:<\/p>\n

    \n
  1. You write some debugging\/tracing code<\/strong>. You know, the classic foreach on all the claims in the current IClaimsIdentity that you see so often in the samples. The approach works, but it is pretty repetitive (it\u2019s code that you rewrite almost verbatim across different projects) and it\u2019s usually not very exhaustive (maybe you print the claim values but it turns out that the issue was in the IntendedAudience).<\/li>\n
  2. You attach a debugger to the web app<\/strong>. This works very well, however it implies that the system allows you to do so and that\u2019s not always the case.<\/li>\n<\/ol>\n

    Today\u2019s sample control provides you with a third way. Just drag the SecurityTokenVisualizerControl (STVC)<\/a> on your page, you\u2019ll obtain a fairly comprehensive view of what\u2019s going on in your identity context in nice tabular format, collapsible in a tiny icon so that it does not interfere too much with the rest of the page. The STVC contains code that you would otherwise write yourself in 1, and at the same time it almost as exhaustive as if you\u2019d explore the current context using 2: all this without leaving the browser.<\/p>\n

    Below there\u2019s a copy of the documentation accompanying the sample package<\/a>. The control is extremely easy to use: as usual, remember that this is just sample code and you should be careful in using it. This time there are some issues that we felt we should highlight: you will find them in the summary section. That said, have fun!<\/p>\n

    Kudos to the Southworks team (Ariel<\/a>, Matias<\/a>, Tim<\/a>, Diego<\/a>, Fernando) who helped us on this, whipping the entire thing in just a week!<\/p>\n

    Overview<\/h1>\n

    The Security Token Visualizer control (STVC) is a simple ASP.NET server control which displays in a compact layout useful information about claims-based identity in a web site secured with the Geneva Framework.<\/p>\n

    \"8de75977-9c90-4df4-b0c1-5daa603e3d38\"
    Once expanded, the STVC displays information about the current identity context<\/i><\/p>\n

    The STVC is intended to be a debugging aid, which helps you to inspect what identity info you are receiving from the STS without the need for attaching a debugger to your website. Furthermore, STVC spares you the repetitive task of writing code that retrieves and render claim values or other info about the incoming security token that are typically needed in the development & testing phases of your application life cycle.<\/p>\n

    The Control in Action in the Sample Website<\/h1>\n

    \"779d5053-f24d-4a79-915e-161317fc6964\"
    The STVC in Visual Studio\u2019s toolbox<\/i><\/p>\n

    The sample package installs the STVC in your Visual Studio toolbox, under the DPE Identity Samples<\/b> tab.<\/p>\n

     <\/p>\n

    \"44d23289-9242-4928-b2aa-b0ef3c00520c\"
    The Default.aspx and Public.aspx pages in the sample solution<\/i><\/p>\n

    The package includes a sample solution which is used for demonstrating how the control works, however its usage is so simple that you can try it on any web page from a web site protected with the Geneva Framework: just drag it on the page and you are good to go. At design time the control appears as a red token: at run time the control will maintain its design appearance, however it will also display a \u201c+\u201d sing on its left that, when clicked, will expand the control in order to show various tables containing the identity information being tracked. The only property exposed by the control, Font<\/b>, influences which font settings will be used for displaying information when expanded.<\/p>\n

    Figure 3 shows a couple of simple pages from the sample solution. Default.aspx can be reached only by users who successfully authenticated with a certain STS (included in the solution). Public.aspx can instead be reached by unauthenticated users. Both pages carry an instance of STVC.<\/p>\n

    Let us start with Public.aspx: open a browser and navigate to https:\/\/localhost\/FabrikamAirlinesWebSite\/Public.aspx<\/a>. <\/p>\n

     <\/p>\n

    \"f7434e57-2eb1-410f-8eb2-50870b5e1213\"
    STVC on a page displayed by an unauthenticated user<\/i><\/p>\n

    Once expanded, the control will simply display a warning that the current user is not authenticated, or his or her identity is not based on claims. <\/p>\n

    Let us now try with Default.aspx: navigate to https:\/\/localhost\/FabrikamAirlinesWebSite<\/a>. You will be immediately redirected to a development STS, as shown below.<\/p>\n

    \"1bd8c110-210d-4633-9758-069320386c94\"
    The credential gathering page at the local development STS<\/i><\/p>\n

    Just hit submit, you will land on Default.aspx. If you expand the control, you will now see the list of identity properties in the current context.<\/p>\n

    \"6bb89a66-6a8f-4bbe-8ea5-a5a95f8a30b7\"
    STVC fully populated & expanded<\/i><\/p>\n

    Figure 6 shows the kind of information STVC shows. Namely:<\/p>\n