public AntiForgeryToken GenerateFormToken(HttpContext httpContext, ClaimsIdentity identity, AntiForgeryToken cookieToken) { Debug.Assert(IsCookieTokenValid(cookieToken)); var formToken = new AntiForgeryToken() { SecurityToken = cookieToken.SecurityToken, IsSessionToken = false }; var isIdentityAuthenticated = false; // populate Username and ClaimUid if (identity != null && identity.IsAuthenticated) { isIdentityAuthenticated = true; formToken.ClaimUid = GetClaimUidBlob(_claimUidExtractor.ExtractClaimUid(identity)); if (formToken.ClaimUid == null) { formToken.Username = identity.Name; } } // populate AdditionalData if (_additionalDataProvider != null) { formToken.AdditionalData = _additionalDataProvider.GetAdditionalData(httpContext); } if (isIdentityAuthenticated && string.IsNullOrEmpty(formToken.Username) && formToken.ClaimUid == null && string.IsNullOrEmpty(formToken.AdditionalData)) { // Application says user is authenticated, but we have no identifier for the user. throw new InvalidOperationException( Resources.FormatTokenValidator_AuthenticatedUserWithoutUsername(identity.GetType())); } return formToken; }