aspnet / Identity

[Archived] ASP.NET Core Identity is the membership system for building ASP.NET Core web applications, including membership, login, and user data. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

SignInManager.RefreshSignInAsync(inputuser) signs in current user instead of refreshing inputuser #1831

Closed Andrioden closed 6 years ago

Andrioden commented 6 years ago

Environment:

By my understanding RefreshSignInAsync can be used to refresh roles for a user after you have given it new roles. However, when I do, all it does is log the CURRENT_USER user in as the CHANGING_USER user.

Here is a simplified, but still bugging version of the code, with comments of debugging state:

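private readonly UserManager<User> _userManager;
private readonly SignInManager<User> _signInManager;

// Both managers are injected; _userManager is needed for the FindByIdAsync call below.
public EditModel(UserManager<User> userManager, SignInManager<User> signInManager)
{
    _userManager = userManager;
    _signInManager = signInManager;
}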

public async Task<IActionResult> OnPostAsync()
{
    //Debugging shows that the User.Identity.Name shows CURRENT_USER data.

    User changingUser = await _userManager.FindByIdAsync(InputUser.Id);
    // Debugging shows that changingUser shows CHANGING_USER data

    await _signInManager.RefreshSignInAsync(changingUser);
    return RedirectToPage("./Index");
}

On the redirect request I again check the debugging state to see which user data is present, and here the CHANGED_USER is now "logged in".

public async Task OnGetAsync()
{
    //Debugging shows that the User.Identity.Name now wrongly shows CHANGING_USER data.
}

The same happens with SignInManager.SignInAsync(dbUser, false, null); UserManager.UpdateSecurityStampAsync(dbUser);

Have I

  1. Misunderstood RefreshSignInAsync/SignInAsync?
  2. Or is this a straight up bug that happens for everyone?
  3. Or do I have to provide more contextual information because it's a specific problem with my project. If so, what can influence something like this?

HaoK commented 6 years ago

Sounds like you are misunderstanding how these work, both SignIn/Refresh typically result in the user you pass in being the User.Identity.Name. Refresh sign in just carries over the authentication mode claim from the currently signed in user. And then signs in the user you pass in.

Andrioden commented 6 years ago

@HaoK : Hmm. Are you sure? Why does the RefreshSignInAsync() method take an ApplicationUser input parameter then? If it just uses the User.Identity.Name anyway?

HaoK commented 6 years ago

It's the same thing as sign in basically, see https://github.com/aspnet/Identity/blob/dev/src/Identity/SignInManager.cs#L164

Andrioden commented 6 years ago

Hmm, I am sorry to be pushing this, but I am not convinced @HaoK : "The user to sign-in." and where the user derived principal.

HaoK commented 6 years ago

It doesn't, it uses the claims principal you pass it

Andrioden commented 6 years ago

Ok. I give up. You don't take your time to address

I have figured out a workaround for this lacking functionality, feel free to close the question.
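
Added example (not from this thread, and not the workaround mentioned above): because RefreshSignInAsync issues the caller's browser a cookie for whichever user is passed in, an admin page that edits another account should refresh only when the target is the caller, and otherwise rotate the target's security stamp. `EditRolesModel`, `TargetUserId`, `NewRole`, the "Admin" role and the use of `IdentityUser` are assumptions made for the illustration.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

// Hypothetical admin page; the type, role and property names are assumptions.
[Authorize(Roles = "Admin")]
public class EditRolesModel : PageModel
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;

    public EditRolesModel(UserManager<IdentityUser> userManager,
                          SignInManager<IdentityUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    [BindProperty] public string TargetUserId { get; set; }
    [BindProperty] public string NewRole { get; set; }

    public async Task<IActionResult> OnPostAsync()
    {
        IdentityUser target = await _userManager.FindByIdAsync(TargetUserId);
        if (target == null) return NotFound();

        IdentityResult result = await _userManager.AddToRoleAsync(target, NewRole);
        if (!result.Succeeded) return BadRequest();

        // GetUserId reads the id claim of the principal making this request.
        bool editingSelf = _userManager.GetUserId(User) == target.Id;
        if (editingSelf)
        {
            // The cookie being reissued already belongs to this user.
            await _signInManager.RefreshSignInAsync(target);
        }
        else
        {
            // Do not sign the target in on the admin's browser. Rotating the stamp
            // makes the target's own cookies fail the next security stamp check
            // (SecurityStampValidatorOptions.ValidationInterval), so they log in
            // again and pick up the new role.
            await _userManager.UpdateSecurityStampAsync(target);
        }
        return RedirectToPage("./Index");
    }
}
```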