dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

Always signed out after 30 minutes--more info #53658

Open pkoronawa opened 7 months ago

pkoronawa commented 7 months ago

Is there an existing issue for this?

Describe the bug

Issue #5786 addresses a similar problem but doesn't describe the situation I experience.

I have implemented a custom UserClaimsPrincipalFactory and a custom UserStore, which does not inherit from UserStoreBase. When the app attempts to authenticate a ticket older than 30 minutes, it forces SignOut. All I have to go on are the following messages in the log:

Microsoft.AspNetCore.Identity.SignInManager: Debug: Failed to validate a security stamp.
Microsoft.AspNetCore.Identity.SecurityStampValidator: Debug: Security stamp validation failed, rejecting cookie.

So the first problem is that SecurityStampValidator.ValidateAsync does not check if UserManager.SupportsUserSecurityStamp is true before checking if validation is required, i.e. timeElapsed > Options.ValidationInterval (which defaults to 30 minutes). In my case that would have avoided the problem, since my UserStore does not support IUserSecurityStampStore.

The second problem turns out to be that my CustomUserClaimsPrincipalFactory did not add UserIdClaim when creating the ClaimsPrincipal, so SignInManager.ValidateSecurityStampAsync fails since it doesn't know the Id of the user to validate. It's probably arguable whether it should revalidate the ticket if UserManager.SupportsUserSecurityStamp is true but it can't find the underlying user. It would be worth a LogWarning in this case at least.

Expected Behavior

Authentication should not be signed out for SecurityStamp if it is not supported.

Add LogWarnings when a claim required by the authentication service is missing.

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

8.0.101

Anything else?

No response

mkArtakMSFT commented 5 months ago

Thanks for contacting us. For now, you can register a custom security stamp validator: https://learn.microsoft.com/dotnet/api/microsoft.aspnetcore.identity.isecuritystampvalidator?view=aspnetcore-8.0
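The following is an added example, not code from the issue or from the aspnetcore repository. It covers both points in the thread: the reporter's two problems (a principal factory that drops the user id claim, and a validator that rejects the cookie after ValidationInterval even when the store has no security stamp support) and the maintainer's suggestion to register a custom ISecurityStampValidator. It assumes .NET 8 (where SecurityStampValidator<TUser> has the three-argument constructor without ISystemClock), a hypothetical ApplicationUser type, and a constructed claim type "urn:example:display-name".

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical user type standing in for the reporter's custom user.
public class ApplicationUser
{
    public string Id { get; set; } = default!;
    public string UserName { get; set; } = default!;
}

// Second problem in the issue: a custom principal factory must keep the user id
// claim (IdentityOptions.ClaimsIdentity.UserIdClaimType), otherwise
// SignInManager.ValidateSecurityStampAsync cannot look the user up and the
// cookie is rejected. Building on base.GenerateClaimsAsync keeps that claim.
public sealed class CustomUserClaimsPrincipalFactory : UserClaimsPrincipalFactory<ApplicationUser>
{
    public CustomUserClaimsPrincipalFactory(
        UserManager<ApplicationUser> userManager,
        IOptions<IdentityOptions> optionsAccessor)
        : base(userManager, optionsAccessor)
    {
    }

    protected override async Task<ClaimsIdentity> GenerateClaimsAsync(ApplicationUser user)
    {
        // Base adds the user id and user name claims (and email / security stamp
        // claims where the store supports them); app-specific claims go on top.
        var identity = await base.GenerateClaimsAsync(user);
        identity.AddClaim(new Claim("urn:example:display-name", user.UserName)); // constructed claim type
        return identity;
    }
}

// First problem in the issue, done the way the maintainer suggests: a custom
// ISecurityStampValidator. It skips revalidation when the store has no security
// stamp support and logs a warning when the user id claim is missing, instead
// of silently signing the user out once ValidationInterval has elapsed.
public sealed class GuardedSecurityStampValidator<TUser> : SecurityStampValidator<TUser>
    where TUser : class
{
    public GuardedSecurityStampValidator(
        IOptions<SecurityStampValidatorOptions> options,
        SignInManager<TUser> signInManager,
        ILoggerFactory loggerFactory)
        : base(options, signInManager, loggerFactory)
    {
    }

    public override Task ValidateAsync(CookieValidatePrincipalContext context)
    {
        var userManager = SignInManager.UserManager;

        if (!userManager.SupportsUserSecurityStamp)
        {
            // No IUserSecurityStampStore: there is nothing to compare the ticket
            // against, so leave it as it is rather than rejecting it.
            return Task.CompletedTask;
        }

        if (context.Principal is null || string.IsNullOrEmpty(userManager.GetUserId(context.Principal)))
        {
            // The base validator will reject this cookie; make the reason visible.
            Logger.LogWarning(
                "Cookie for scheme {Scheme} has no '{ClaimType}' claim; the security stamp cannot be validated.",
                context.Scheme.Name,
                userManager.Options.ClaimsIdentity.UserIdClaimType);
        }

        return base.ValidateAsync(context);
    }
}

public static class IdentitySetup
{
    // Call after AddIdentity: the default validator is registered with
    // TryAddScoped, so this later registration is the one resolved by
    // SecurityStampValidator.ValidatePrincipalAsync.
    public static IServiceCollection AddGuardedSecurityStampValidator<TUser>(this IServiceCollection services)
        where TUser : class
    {
        services.AddScoped<ISecurityStampValidator, GuardedSecurityStampValidator<TUser>>();
        return services;
    }
}
```

Wire it up in Program.cs with `builder.Services.AddIdentity<ApplicationUser, IdentityRole>().AddClaimsPrincipalFactory<CustomUserClaimsPrincipalFactory>();` followed by `builder.Services.AddGuardedSecurityStampValidator<ApplicationUser>();`. The validator deliberately still defers to the base implementation when the id claim is missing, so a cookie that cannot be tied to a user is not kept alive; the warning just replaces the Debug-level messages the reporter had to go on.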