VS2013 MVC 5 template: Is it wrong to use Session to save Claims from ExternalLoginCallback to ExternalLoginConfirmation

Question

In AccountController.cs I made a modification following Hongye Sun's code so that the external Claims are exposed.

public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
        {
            var result = await AuthenticationManager.AuthenticateAsync(DefaultAuthenticationTypes.ExternalCookie); 
            //  ...
             Session["ClaimsIdentity"] = result.Identity; // 

Note I put the ClaimsIdentity in Session because that's the only way I know to make the Claims available when I create the user in

 public async Task<ActionResult> ExternalLoginConfirmation(ExternalLoginConfirmationViewModel model, string returnUrl)
    {
            // ... 
            var result = await UserManager.CreateAsync(user);
            if (result.Succeeded)
            {
                result = await UserManager.AddLoginAsync(user.Id, info.Login);

                if (result.Succeeded)
                {
                    ClaimsIdentity id = (ClaimsIdentity)Session["Identity"];
                     // then for each Claim claim in id ....
                     result = await UserManager.AddClaimAsync(user.Id, claim));

The effect of this code is that the external Claims are stored in the DB in the AspNetUserClaims table, as desired. E.g. this is handy for storing the email from the external login claim without explicitly asking the user for the email.

My question: Is there a better way to do this?

Is it better to use: System.Web.HttpContext.Current.Cache

Answer 1

So you can directly retrieve the identity again as its stored in a cookie actually, you can do this by calling the same result.Identity code in the Confirmation Action, you don't need to stick it into Session at all:

var result = await AuthenticationManager.AuthenticateAsync(DefaultAuthenticationTypes.ExternalCookie);