dotnet-websharper / owin

Wrappers for hosting WebSharper sitelets and remoting components in OWIN projects
Apache License 2.0

Access to IOwinContext in RPC #7

Closed cata closed 9 years ago

cata commented 9 years ago

Background: we are using OpenId Connect OWIN middleware, specifically Microsoft.Owin.Security.OpenIdConnect

The middleware takes care of all authentication concerns, including cookie lifetime (such as sliding expiration, etc.). Additionally, the middleware sets the IOwinContext.Authentication.User - allowing the retrieval of claim-based information about the current user identity. The information represented by these claims can be extensive and, quite often, application-specific.

Currently, the WebSharper.Owin middleware is tied to Forms authentication and the OWIN context is not made available to the RPC functions. Moreover, it alters the value of IOwinContext.Authentication.User based on assumptions about the authentication mechanism being used (Forms authentication).

Would you be open to changing the RemotingMiddleware implementation (or adding an alternate implementation) so that it allows the (unaltered) OWIN Context /environment to be retrieved within the RPC functions?

I would be happy to attempt a PR. Let me know what constraints I should work within - note that I am only interested in the RPC functionality and have not used Sitelets at all (the whole UI is based on UI.Next). I don't want to break anything, but I really need the information in that OWIN context.

Tarmil commented 9 years ago

What we have been considering for such purposes is adding a member of type IDictionary<string, obj> to Web.IContext to allow the various host implementations to pass host-specific data. The ASP.NET module would use it to pass the HttpContext, and the OWIN middleware would pass the IOwinContext.

cata commented 9 years ago

Thanks @Tarmil!

That would work just fine :-) I am currently under a wee bit of good old time pressure, but I can add the required functionality next weekend.

Also, I guess the RemotingMiddleware should not be performing authentication-related tasks (or modifying the OWIN context's user). This being said, I have not looked in detail at how authentication/authorization is handled in WebSharper, so I'm not comfortable making those changes.

Tarmil commented 9 years ago

Yes, if we provide access to the host-specific machinery then IContext.UserSession should not do anything until one of its methods is called. For the OwinCookieUserSession this means moving the do try refresh ... block out of the constructor and making it be called at most once by GetLoggedInUser(). Authentication is strictly confined to IContext.UserSession, so there should be nothing else to worry about.
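
Added example, not part of the thread and not WebSharper.Owin code: a self-contained F# sketch of the design discussed above, where the host context travels in a host-data dictionary and the session refresh runs at most once, on the first GetLoggedInUser() call, rather than in the constructor. HostContext, LazyUserSession, RequestContext, the "HostContext" key and the refresh function are all hypothetical stand-ins; the sample principal is constructed.

```fsharp
open System.Collections.Generic
open System.Security.Claims

// Hypothetical stand-in for IOwinContext: holds the principal set by upstream auth middleware.
type HostContext(user: ClaimsPrincipal) =
    member this.User = user

// Session whose cookie refresh (passed in as a function; an assumption) is deferred.
type LazyUserSession(refresh: unit -> string option) =
    // F# `lazy` evaluates its body at most once, and never at construction time.
    let loggedIn = lazy (refresh ())
    member this.GetLoggedInUser() : Async<string option> =
        async { return loggedIn.Force() }

// Per-request context exposing host-specific data (member and key names are assumptions).
type RequestContext(host: HostContext, refresh: unit -> string option) =
    let env = dict [ "HostContext", box host ]
    member this.Environment : IDictionary<string, obj> = env
    member val UserSession = LazyUserSession(refresh)

// An RPC-style function that needs only the upstream identity never touches the session.
let emailOfCaller (ctx: RequestContext) : string option =
    match ctx.Environment.TryGetValue("HostContext") with
    | true, (:? HostContext as h) ->
        h.User.FindFirst(ClaimTypes.Email)
        |> Option.ofObj
        |> Option.map (fun claim -> claim.Value)
    | _ -> None

// Constructed sample: a principal such as an OpenID Connect middleware might have set.
let identity = ClaimsIdentity([ Claim(ClaimTypes.Email, "alice@example.test") ], "oidc")
let host = HostContext(ClaimsPrincipal(identity))

// Counts how often the (hypothetical) cookie refresh actually runs.
let refreshCalls = ref 0
let refresh () =
    refreshCalls.Value <- refreshCalls.Value + 1
    Some "alice"

let ctx = RequestContext(host, refresh)

printfn "email from host context: %A" (emailOfCaller ctx)
printfn "refresh calls before session use: %d" refreshCalls.Value

ctx.UserSession.GetLoggedInUser() |> Async.RunSynchronously |> ignore
ctx.UserSession.GetLoggedInUser() |> Async.RunSynchronously |> ignore
printfn "refresh calls after two lookups: %d" refreshCalls.Value
printfn "upstream auth type still: %s" host.User.Identity.AuthenticationType
```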

cata commented 9 years ago

Sounds good :+1: - I'll give it a look during the weekend