aspnet / AspNetKatana

Microsoft's OWIN implementation, the Katana project
Apache License 2.0

SignInAsAuthenticationType option gets ignored in OpenIdConnect middleware #472

Closed AntMaster7 closed 1 year ago

AntMaster7 commented 1 year ago

The OpenIdConnectAuthenticationOptions.SignInAsAuthenticationType property is being ignored by the OpenIdConnect middleware. In fact, it's defined but not referenced anywhere in the Microsoft.Owin.Security.OpenIdConnect project. Inside the MicrosoftAccountAuthenticationHandler, for example, a new ClaimsIdentity (signInIdentity) gets generated if the mentioned option is set, like so:

// Inside MicrosoftAccountAuthenticationHandler.InvokeReturnPathAsync() method
if (context.SignInAsAuthenticationType != null && context.Identity != null)
{
    ClaimsIdentity signInIdentity = context.Identity;
    if (!string.Equals(signInIdentity.AuthenticationType, context.SignInAsAuthenticationType, StringComparison.Ordinal))
    {
        signInIdentity = new ClaimsIdentity(signInIdentity.Claims, context.SignInAsAuthenticationType, signInIdentity.NameClaimType, signInIdentity.RoleClaimType);
    }
    Context.Authentication.SignIn(context.Properties, signInIdentity);
}

Whereas inside the OpenIdConnectAuthenticationHandler this logic is missing and the ticket's Identity gets directly applied for the SignIn call:

// Inside OpenIdConnectAuthenticationHandler.InvokeReplyPathAsync()
if (ticket.Identity != null)
{
    Request.Context.Authentication.SignIn(ticket.Properties, ticket.Identity);
}

Tratcher commented 1 year ago

It's passed through to TokenValidationParameters here: https://github.com/aspnet/AspNetKatana/blob/e55f48be5352469eaf116ba376806855ed9cf4be/src/Microsoft.Owin.Security.OpenIdConnect/OpenIdConnectAuthenticationOptions.cs#L250

The ClaimsIdentity is generated by a lower level library that uses this.
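The following is an added example, not code from the Katana project or from either participant. It models, with only System.Security.Claims types, why the two handlers end up in the same place: the MicrosoftAccount path re-creates the identity with SignInAsAuthenticationType (the snippet quoted in the issue), while the OpenIdConnect path gets an identity whose AuthenticationType is already the configured value, because the option is stored in TokenValidationParameters.AuthenticationType and the token validator builds the identity with that type. The `ValidateToken` and `LookupSignIn` methods are simplified stand-ins (assumptions) for the token validator and for the cookie middleware's sign-in lookup, which accepts only identities whose AuthenticationType equals its own; the type names and claims are constructed values.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

static class SignInTypeDemo
{
    // Constructed values: the cookie middleware's type and the OIDC handler's own type.
    const string CookieType = "ApplicationCookie";
    const string OidcType = "OpenIdConnect";

    // Mirrors the MicrosoftAccountAuthenticationHandler logic quoted in the issue:
    // re-create the identity under the sign-in type when the types differ.
    static ClaimsIdentity Retarget(ClaimsIdentity id, string signInAs)
    {
        if (signInAs == null || string.Equals(id.AuthenticationType, signInAs, StringComparison.Ordinal))
            return id;
        return new ClaimsIdentity(id.Claims, signInAs, id.NameClaimType, id.RoleClaimType);
    }

    // Simplified model (assumption) of a token validator honouring
    // TokenValidationParameters.AuthenticationType: the identity is created with that type.
    static ClaimsIdentity ValidateToken(IEnumerable<Claim> claims, string authenticationType)
        => new ClaimsIdentity(claims, authenticationType);

    // Simplified model (assumption) of the cookie middleware's sign-in lookup:
    // only an identity whose AuthenticationType matches the cookie's type is accepted.
    static ClaimsIdentity LookupSignIn(IEnumerable<ClaimsIdentity> signedIn, string cookieType)
        => signedIn.FirstOrDefault(i => string.Equals(i.AuthenticationType, cookieType, StringComparison.Ordinal));

    static void Main()
    {
        var claims = new[] { new Claim(ClaimTypes.NameIdentifier, "user-123") }; // constructed

        // Path 1: an external handler issues the identity under its own type, then retargets it.
        var external = new ClaimsIdentity(claims, "MicrosoftAccount");
        var retargeted = Retarget(external, CookieType);

        // Path 2: OpenIdConnect, where SignInAsAuthenticationType already became the identity's type.
        var oidc = ValidateToken(claims, CookieType);

        // Misconfiguration: SignInAsAuthenticationType left equal to the OIDC handler's own type.
        var misconfigured = ValidateToken(claims, OidcType);

        Console.WriteLine("retargeted accepted:    " + (LookupSignIn(new[] { retargeted }, CookieType) != null));
        Console.WriteLine("oidc accepted:          " + (LookupSignIn(new[] { oidc }, CookieType) != null));
        Console.WriteLine("misconfigured accepted: " + (LookupSignIn(new[] { misconfigured }, CookieType) != null));
    }
}
```

In this model the first two lookups find the identity and the third returns null, which is the practical effect worth checking in a real deployment: when the sign-in type does not match the cookie middleware's AuthenticationType, no cookie is issued and the user stays unauthenticated after a successful token validation. Inspecting `ticket.Identity.AuthenticationType` in the OpenIdConnect notifications is a quick way to confirm the option took effect.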

AntMaster7 commented 1 year ago

Thank you. Seems I overlooked the actual getters and setters. My bad.