Summary:

In 1.0.0 we fixed an infinite redirect issue with all remote authentication middleware (Google/Facebook/OIDC, etc.) by changing the behavior of `Authenticate` for these middleware to forward to the auth middleware specified in `SignInScheme` (typically a cookie middleware). This caused a regression in identity/template challenge scenarios whenever an external cookie already exists from a previous login attempt (for example, when a user starts an external login flow and then cancels, clicks back, or some error happens).

The root cause is related to how `Challenge` behavior changes based on whether `Authenticate` returns something. If it does, `Challenge` becomes a `Forbidden`, otherwise it becomes an `Unauthorized` (see https://github.com/aspnet/Security/blob/d291bb7c249ae989ea848c8ff378186ae42606d1/src/Microsoft.AspNetCore.Authentication/AuthenticationHandler.cs#L338).

Previously, the presence of an old external cookie would not affect the flow, but now the external cookie will block logins and result in Forbidden/Access Denied responses.

As a result, the external cookie needs to be cleared at the start of the login flow.
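The clearing step described above, shown as an added example rather than the template commit itself: an ASP.NET Core 1.0 Identity `AccountController` whose `Login` GET action signs out the external cookie scheme before the page renders, so a later `ExternalLogin` challenge sees no existing identity and redirects to the provider instead of returning 403. The controller shape, the injected `IOptions<IdentityCookieOptions>`, and the existence of an `ExternalLoginCallback` action are assumptions about a typical template project.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;

// Assumed: an Identity-based AccountController as generated by the 1.0 templates.
public class AccountController : Controller
{
    private readonly string _externalCookieScheme;

    public AccountController(IOptions<IdentityCookieOptions> identityCookieOptions)
    {
        // Scheme name of the external cookie that remote middleware signs in to
        // (the SignInScheme), e.g. the default "Identity.External".
        _externalCookieScheme = identityCookieOptions.Value.ExternalCookieAuthenticationScheme;
    }

    [HttpGet]
    [AllowAnonymous]
    public async Task<IActionResult> Login(string returnUrl = null)
    {
        // A stale external cookie from an abandoned provider round-trip makes the
        // remote middleware's Authenticate return a ticket, so its Challenge
        // becomes Forbidden (403) instead of a redirect to the provider.
        // Clearing the external cookie here restores the Unauthorized path.
        await HttpContext.Authentication.SignOutAsync(_externalCookieScheme);

        ViewData["ReturnUrl"] = returnUrl;
        return View();
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public IActionResult ExternalLogin(string provider, string returnUrl = null)
    {
        // With no external cookie present, Authenticate returns nothing and the
        // challenge redirects to the external provider as intended.
        // "ExternalLoginCallback" is the template's callback action (assumed).
        var redirectUrl = Url.Action("ExternalLoginCallback", "Account", new { ReturnUrl = returnUrl });
        var properties = new AuthenticationProperties { RedirectUri = redirectUrl };
        return Challenge(properties, provider);
    }
}
```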
Related issues:

- Infinite redirect issues:
  - aspnet/Security#667
  - aspnet/Security#801
- Resulting external login flow issue:
  - aspnet/Identity#915
- Template fix:
  - aspnet/Templates@306fbc6