
Add description on what cookies are used and what they do #156

Closed
PeterOrneholm opened this issue Nov 9, 2019 · 2 comments · Fixed by #158
Labels
BankID Related to the native BankID implementation. enhancement New feature or request GrandID Related to GrandID implementation.
Comments

@PeterOrneholm
Member

PeterOrneholm commented Nov 9, 2019

Is your feature request related to a problem? Please describe.
In the EU, "the cookie law" requires you to show info on what cookies you store and for what reason. We lack such documentation today and it makes it difficult to explain to the end user what cookies we store and for what reason.

What area is it related to
This relates to the packages that might store cookies, and they are:

  • ActiveLogin.Authentication.BankId.AspNetCore
  • ActiveLogin.Authentication.GrandId.AspNetCore

Describe the solution you'd like
Write documentation on the cookies used in Readme.md, and also a short notice in code.

Additional context
In Active Login the only cookie we store, is a cookie containing the AuthenticationProperties, containing things like RedirectUri. But AuthenticationProperties also has a property bag where the user can set their own things, so could contain any kind of data depending on how it's used.

The AuthenticationProperties is set in the consuming code when doing the challenge, and a sample can be found in AccountController.cs:

using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// Controller action from the sample AccountController; ExternalLoginCallback
// is the action the handler redirects back to after the external login.
public IActionResult ExternalLogin(string provider, string returnUrl)
{
    var props = new AuthenticationProperties
    {
        RedirectUri = Url.Action(nameof(ExternalLoginCallback)),
        // The Items property bag is stored together with the rest of the
        // properties in the state cookie of the chosen scheme.
        Items =
        {
            {"returnUrl", returnUrl},
            {"scheme", provider}
        }
    };

    // Starts the challenge for the given scheme (e.g. the BankID or GrandID scheme).
    return Challenge(props, provider);
}

We have followed the convention that Microsoft uses themselves, and store the AuthenticationProperties in a state cookie. Their names are the following by default, but can be overridden.

  • __ActiveLogin.BankIdState
  • __ActiveLogin.GrandIdState

Look at (for example) the implementation for Twitter auth done by Microsoft to see where we got our inspiration. There seems to be little or no documentation on the exact approach here, only source code.

Note, in addition ASP.NET Core Auth might issue cookies themselves, depending on how you configure your pipeline. But that's outside the scope of Active Login.

@PeterOrneholm PeterOrneholm added enhancement New feature or request BankID Related to the native BankID implementation. GrandID Related to GrandID implementation. labels Nov 9, 2019
@PeterOrneholm PeterOrneholm added this to the 3.0.0 milestone Nov 9, 2019
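The issue text says the state cookie carries the whole AuthenticationProperties object, Items bag included, following the convention of Microsoft's own remote authentication handlers. The example below is added here and is not code from the Active Login project: it shows what that convention means in practice, using the same serializer the built-in handlers use (`PropertiesDataFormat` wrapped in ASP.NET Core Data Protection), so a developer can see that whatever is put in `Items` travels to the browser and back, encrypted and integrity-protected but still client-side. The protector purpose string, the `EphemeralDataProtectionProvider` key ring and the redirect URI are assumptions for this example; the page does not show Active Login's own protection code or purpose strings.

```csharp
// Added example, not Active Login code. Demonstrates the Microsoft-style
// state cookie convention referred to in the issue: AuthenticationProperties
// serialized and protected with ASP.NET Core Data Protection.
// Assumed for illustration: the purpose string, the in-memory key ring
// (EphemeralDataProtectionProvider) and the RedirectUri value.
using System;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.DataProtection;

public static class StateCookieDemo
{
    // Same shape as the AccountController sample in the issue: a redirect
    // target plus a free-form Items bag that consuming code controls.
    public static AuthenticationProperties BuildProperties(string returnUrl, string scheme)
    {
        return new AuthenticationProperties
        {
            RedirectUri = "/Account/ExternalLoginCallback", // assumed value
            Items =
            {
                { "returnUrl", returnUrl },
                { "scheme", scheme }
            }
        };
    }

    // PropertiesDataFormat is the serializer the built-in handlers use for
    // AuthenticationProperties; the IDataProtector encrypts and MACs the
    // payload with the application's data-protection keys.
    public static PropertiesDataFormat CreateFormat(IDataProtectionProvider provider)
    {
        var protector = provider.CreateProtector("Example.StateCookie.v1"); // assumed purpose
        return new PropertiesDataFormat(protector);
    }

    public static void Main()
    {
        // In-memory keys, only for this demo. A real app uses the provider
        // registered in DI, whose keys are persisted and shared by all nodes.
        IDataProtectionProvider provider = new EphemeralDataProtectionProvider();
        var format = CreateFormat(provider);

        var props = BuildProperties("/orders/42", "BankId");
        string cookieValue = format.Protect(props);
        Console.WriteLine($"__ActiveLogin.BankIdState={cookieValue}");

        // 1. The cookie value is opaque: Items values are not visible in clear text.
        bool leaksPlaintext = cookieValue.Contains("/orders/42", StringComparison.Ordinal);
        Console.WriteLine($"plaintext visible in cookie: {leaksPlaintext}");

        // 2. The issuing app reads it back, so anything put in Items
        //    round-trips through the user's browser.
        AuthenticationProperties? roundTrip = format.Unprotect(cookieValue);
        Console.WriteLine($"returnUrl after round trip: {roundTrip?.Items["returnUrl"]}");

        // 3. A different key ring (another app, or keys rotated away) cannot
        //    read it; SecureDataFormat.Unprotect returns null rather than throwing.
        var otherFormat = CreateFormat(new EphemeralDataProtectionProvider());
        bool readableElsewhere = otherFormat.Unprotect(cookieValue) != null;
        Console.WriteLine($"readable with other keys: {readableElsewhere}");
    }
}
```

The practical takeaway for the documentation the issue asks for: the state cookie is not readable or forgeable by the browser as long as the data-protection keys stay private, but it is still a client-side copy of everything the consuming code puts in `Items`. Keep that bag small and free of data that must never leave the server, and remember that cookie size limits apply to the protected payload, not the plain one.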
@viktorvan
Collaborator

I’m not an expert on the cookie law, or how we use them in this library, but do we not fall under this category (my emphasis):

Examples of cookies that generally do NOT require consent:

  • User input cookies, for the duration of a session
  • Authentication cookies, for the duration of a session
  • User-centric security cookies, used to detect authentication abuses and linked to the functionality explicitly requested by the user, for a limited persistent duration
  • Multimedia content player session cookies, such as flash player cookies, for the duration of a session
  • Load balancing session cookies and other technical cookies, for the duration of session
  • User interface customisation cookies, for a browser session or a few hours, when additional information in a prominent location is provided (e.g. “uses cookies” written next to the customisation feature)

From: https://wikis.ec.europa.eu/display/WEBGUIDE/04.+Cookies

If the user chooses to use AuthenticationProperties to store sensitive data, then they are the ones that need to deal with the cookie law I would assume?

Maybe it’s good practice to implement this anyway, but I am not sure we have to. How are similar libraries dealing with this, e.g. IdentityServer?

@PeterOrneholm
Member Author

Great finding @viktorvan!

The intention was not to display any message to the user, rather explain what our cookies do for developers, so they can decide whether or not they need to tell the users about it.

We had a developer asking about this info.

Very good that auth cookies seem to be an exception to the EU thing.
