Skip to content
This repository has been archived by the owner on Dec 13, 2018. It is now read-only.

Authorize(Github) may return a Facebook user #859

Closed
Tratcher opened this issue Jun 1, 2016 · 6 comments
Closed

Authorize(Github) may return a Facebook user #859

Tratcher opened this issue Jun 1, 2016 · 6 comments
Assignees
@Tratcher
Labels
3 - Done bug
Milestone
1.1.0-preview1

Comments

@Tratcher
Copy link
Member

Tratcher commented Jun 1, 2016

https://github.com/aspnet/Security/pull/823/files/59fc691f4152e6d5017176c0b700ee9834640481#r64260972
For remote providers we implemented Authenticate to delegate to the current SignInScheme provider. However, we opted not to verify that the current identity provided by the SignInScheme provider was actually produced by the given middleware. E.g. When you have OAuth set up for Facebook and Github, they share an auth cookie, so when you Authorize(Github), if Facebook is already logged in, you get Facebook. This may be very confusing to users if there are portions of their application that require credentials from different providers. To work around this they would have to sign-out of the exiting provider, redirect, and then sign-in with the new provider.
@HaoK
Copy link
Member

HaoK commented Jun 1, 2016
edited

Just to be clear, prior to returning the SignInScheme Identity, Authenticate on any remote provider would have thrown an exception? So this is a new behavior we are defining? Seems like we can just make it clear in the doc comments what this behavior does (it really is calling Authenticate("SignInScheme")

@Tratcher
Copy link
Member Author

Tratcher commented Jun 1, 2016

It used to cause an infinite loop because Authenticate(Github) always returned null, so a new Challenge(Github) would be issued. We broke the infinite loop by having it return the current SignInScheme user.

@HaoK
Copy link
Member

HaoK commented Jun 1, 2016

Okay yeah so that infinite loop behavior is the interaction between MVC's AuthorizeFilter and RemoteHandlers always returning null. I don't think the new behavior will be too confusing since if they are sharing external cookies, they will likely not be calling the shared scheme Facebook/Google, but rather something like "External", so it would be more that you are getting the "External" identity when asking for either "Facebook"/"Google" which makes sense to me if you've configured them this way

@Tratcher
Copy link
Member Author

Tratcher commented Jun 2, 2016

We're going to start by documenting this and see if users run into issues.

Other options:

  • The app can store two identities in the cookie.

@Tratcher Tratcher added this to the 1.0.1 milestone Jun 2, 2016
@Tratcher Tratcher mentioned this issue Jul 28, 2016
Closed
@Tratcher Tratcher mentioned this issue Aug 12, 2016
Closed
@mikes-gh
Copy link
Contributor

Would it be possible to store external provider cookies by provider name

eg

Identity.Google
Identity.Facebook

Or would that require too much heavy lifting.
Apologies if this is way off.

@Tratcher
Copy link
Member Author

We can store the provider information directly in the cookie / auth properties. We don't need a separate cookie.

Tratcher added a commit that referenced this issue Sep 20, 2016
@Tratcher
#859 Discriminate between providers when sharing an auth cookie
cbd003a
@Tratcher Tratcher mentioned this issue Sep 20, 2016
Merged
Tratcher added a commit that referenced this issue Sep 21, 2016
@Tratcher
#859 Discriminate between providers when sharing an auth cookie
25f39dd
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@Tratcher Tratcher

Labels
3 - Done bug
Projects
None yet
Milestone
1.1.0-preview1
Development

No branches or pull requests
4 participants
@Eilon @Tratcher @HaoK @mikes-gh