This repository has been archived by the owner on Jul 31, 2024. It is now read-only.

client_list and session_id not preserved on External login #4920

Closed
hennadiy-kurabko opened this issue Sep 28, 2020 · 3 comments

@hennadiy-kurabko

In ExternalController.Callback we lose info about already logged-in clients and session_id. Was it intentional?

It happens because a new instance of properties is created every time, and client_list and session_id are not copied from the current properties.

https://github.com/IdentityServer/IdentityServer4.Quickstart.UI.AspNetIdentity/blob/main/Quickstart/Account/ExternalController.cs#L111

   var localSignInProps = new AuthenticationProperties();

The question is, was it done intentionally? It seems like copying the client list will do no harm, but about session_id I am not sure.

@brockallen
Member

This is an interesting situation. You'd need this code to do some more things:

  1. Is the user logged in with any client ids?
  2. If so, is the user you have located the same user as was previously logged in?

In a sense, I suspect our local login page has a similar issue.

So, the real philosophical question: if a user re-enters credentials (or re-authenticates with an external login, or any combination of both), is that a new session?

@hennadiy-kurabko
Author

My thoughts: if we have stored the external sub+sid of the user on first authentication, and during the check you mentioned above we match it with the sub+sid that arrived after re-authentication (with or without entering new credentials, as it is possible that the external session is fresh and alive and we just extend it for a new client), then I assume it should be the same session.
If the subs are the same but the sids are different (another session, but the same user), it depends on the requirements; as for me, it can be treated as the same IdS FedGw session, so just add the new client to the list.
If the subs are different, no matter what the sids are, we have a new user and should create a new session on the IdS FedGw.
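
The rules proposed in the comment above, written out as a standalone decision function. This is an added example, not code from the thread or from IdentityServer4; the `ext_sub`/`ext_sid` item names and the `sameUserNewSidKeepsSession` switch are assumptions, and plain dictionaries stand in for `AuthenticationProperties.Items`.

```csharp
using System;
using System.Collections.Generic;

// Added illustration; not IdentityServer4 or quickstart code.
public static class ExternalSessionContinuity
{
    // Item names as written in the issue.
    const string SessionIdKey = "session_id";
    const string ClientListKey = "client_list";
    // Hypothetical item names: upstream sub/sid saved at the first external login.
    const string ExtSubKey = "ext_sub";
    const string ExtSidKey = "ext_sid";

    // Returns the items for the new local sign-in. session_id and client_list are
    // carried over only when the upstream subject is unchanged; a different
    // subject, or no prior session, always starts with a clean set of items.
    public static Dictionary<string, string> BuildLocalItems(
        IDictionary<string, string> current, string newSub, string newSid,
        bool sameUserNewSidKeepsSession)
    {
        var items = new Dictionary<string, string> { [ExtSubKey] = newSub };
        if (newSid != null) items[ExtSidKey] = newSid;

        if (current == null || !current.TryGetValue(ExtSubKey, out var oldSub)
            || !string.Equals(oldSub, newSub, StringComparison.Ordinal))
            return items; // no prior session, or a different user

        current.TryGetValue(ExtSidKey, out var oldSid);
        bool sameSid = oldSid != null
            && string.Equals(oldSid, newSid, StringComparison.Ordinal);
        if (!sameSid && !sameUserNewSidKeepsSession)
            return items; // same user, new upstream session, policy says start over

        foreach (var key in new[] { SessionIdKey, ClientListKey })
            if (current.TryGetValue(key, out var value)) items[key] = value;
        return items;
    }

    public static void Main()
    {
        // Constructed sample values.
        var current = new Dictionary<string, string> {
            [SessionIdKey] = "local-session-1", [ClientListKey] = "constructed-list",
            [ExtSubKey] = "alice", [ExtSidKey] = "upstream-1" };
        var cases = new[] { ("alice", "upstream-1"), ("alice", "upstream-2"), ("bob", "upstream-1") };
        foreach (var (sub, sid) in cases)
            Console.WriteLine($"{sub}/{sid}: session kept = " +
                BuildLocalItems(current, sub, sid, false).ContainsKey(SessionIdKey));
    }
}
```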

@github-actions

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 25, 2020