Hi @tuespetre, I'm your friendly neighborhood .NET Foundation Pull Request Bot (You can call me DNFBOT). Thanks for your contribution! The agreement was validated by .NET Foundation and real humans are currently evaluating your PR. TTYL, DNFBOT;
Notes: Moving ISystemClock to AuthenticationOptions should be OK, it was already on every child class in this repo.
@@ -149,7 +149,7 @@ protected virtual void GenerateCorrelationId(AuthenticationProperties properties | |||
{ | |||
HttpOnly = true, | |||
Secure = Request.IsHttps, | |||
Expires = properties.ExpiresUtc | |||
Expires = Options.SystemClock.UtcNow.Add(Options.RemoteAuthenticationTimeout), |
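Review bot: the replacement Expires line in GenerateCorrelationId has no comment explaining that the correlation cookie lifetime is now deliberately taken from Options.RemoteAuthenticationTimeout rather than properties.ExpiresUtc; a one-line comment above it would keep the two from being coupled again. Because the new value depends only on Options.SystemClock and the timeout, a test with a fixed clock that asserts the cookie's Expires would be straightforward to add alongside this change.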
Please add this to TwitterHandler.HandleUnauthorizedAsync as well.
pending the update to Twitter.
🆙📅
Should we consider putting the system clock in DI as a service instead of hanging them off the options? It's not like we would ever expect more than one system clock across all the different middlewares, etc., right?
Basically what I'm suggesting instead of putting the clock in AuthenticationOptions, instead add it as a property to AuthenticationMiddleware/Handler that gets injected optionally (and defaults to a new instance of SystemClock same as today).
We've considered moving it to a service before, but it's only used for unit tests and it's easier to set in options.
Fixes #855, which documents a bug where the `RemoteAuthenticationTimeout` (intended to be used for a correlation cookie) also ends up getting used for the `ExpiresUtc` value of the `AuthenticationProperties` of the actual authentication ticket that gets issued.

I did not see a generic set of tests for `RemoteAuthenticationHandler` so I refrained from adding a test for now.