Better error message for AntiforgeryValidationException: The provided antiforgery token was meant for a different claims-based user than the current user

[davhdavh]

Is there an existing issue for this?

• I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

AntiforgeryValidationException: The provided antiforgery token was meant for a different claims-based user than the current user is incrediable annoying because it gives you very little actual information about what is going on...

A VERY common issue is that someone put .UseAntiforgery() before .UseAuth..., and it would be really if the error message could catch this very common case.

Describe the solution you'd like

aspnetcore/src/Antiforgery/src/Internal/DefaultAntiforgeryTokenGenerator.cs

Line 161 in 58c3b48

if (!comparer.Equals(requestToken.Username, currentUsername))

should report a different error if httpContext.User.IsAuthenticated == false, example AntiforgeryValidationException: The provided antiforgery token was meant for an authenticated user, but current user is not authenticated. Did you put .UseAntiforgery() after .UseAuthentication()?.

Additional context

No response

[MackinnonBuck]

Seems like a good idea. I wonder if we can add that detail in the AntiforgeryMiddleware by catching and re-throwing with a more detailed exception message.

[dotnet-policy-service]

Looks like this issue has been identified as a candidate for community contribution. If you're considering sending a PR for this issue, look for the Summary Comment link in the issue description. That comment has been left by an engineer on our team to help you get started with handling this issue. You can learn more about our Help Wanted process here