Add interface to validate incoming identity

[brockallen]

To be used from the CookieAuthenticationProvider on our main cookie middleware to reject incoming cookie.

[brockallen]

Would it be acceptable to use the user service's IsActiveAsync for this? Or does that conflate it too much?

// @leastprivilege @snothub

[brockallen]

Actually, I think I've already come to a conclusion -- this is conflating IsActive, which is supposed to mean "is user allowed to get tokens at all", which is different than "is the current authentication session valid". The latter seems to be what the semantics of this feature should be.

[snothub]

Completely agree with the last one.

søn. 17. jan. 2016, 22.51 skrev Brock Allen notifications@github.com:

Actually, I think I've already come to a conclusion -- this is conflating
IsActive, which is supposed to mean "is user allowed to get tokens at
all", which is different than "is the current authentication session
valid". The latter seems to be what the semantics of this feature should be.

—
Reply to this email directly or view it on GitHub
#2148 (comment)
.

[brockallen]

Added IAuthenticationSessionValidator to the identity server services factory on dev branch.

[leastprivilege]

also open a doc issue.

[snothub]

So how is this supposed to work then? When will this code hit and should I be looking for (or set) any specific claim in the principle?

[brockallen]

When you validate the user's identity in the user service you can emit any claims you want into the cookie for IdSvr. These claims will be present in this check. You so whatever you want in this API to say yes or no.

[snothub]

Awesome!