This repository has been archived by the owner on Dec 13, 2018. It is now read-only.

Port serialization for BootstrapContext. Make sure to increment TicketSerializer.FormatVersion. #58

Closed
kevinchalet opened this issue Sep 9, 2014 · 7 comments

@kevinchalet
Contributor

Recent changes made in Katana to support BootstrapContext have not been ported yet to vNext. When porting them, make sure to increment TicketSerializer.FormatVersion to avoid this kind of issue: https://katanaproject.codeplex.com/workitem/347

Associated topic: https://katanaproject.codeplex.com/discussions/566815

Symptoms: tickets (and by extension, cookies) created by Katana 2.1 are not correctly deserialized under Katana 3 and lack the AuthenticationProperties element. This causes critical properties like IssuedUtc or ExpiresUtc to be absent from the final ticket. As a result, non-persistent cookies never expire.

Root cause: when Brent Schmaltz added BootstrapContext support in TicketSerializer (https://katanaproject.codeplex.com/SourceControl/changeset/87f2be297e5b24cbbc2627cc5cac2ded41ddf822), he forgot to increment the version number to make sure tickets serialized before this change were ignored.

Explanation: when TicketSerializer tries to read old tickets, the new reader.ReadInt32() call inserted in TicketSerializer.Read makes the binary serializer go further than expected by trying to read an element that was not present in the serialized payload. On the next line, when PropertiesSerializer.Read is called to deserialize the AuthenticationProperties, BinaryReader fails to read the correct version number associated with PropertiesSerializer, which causes the ticket to be returned without its AuthenticationProperties companion.

Solution: increment TicketSerializer.FormatVersion to make sure TicketSerializer won't try to deserialize incompatible tickets. This change will make every existing ticket/cookie unreadable. As a consequence, users would have to re-authenticate. In the meantime, end devs can implement their own TicketSerializer and fix this issue by incrementing the version number.
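
The failure mode described in the comment above, reduced to a minimal model. This is an added example, not part of the original issue and not Katana's code; the class name, the field layout and the version numbers 2 and 3 are assumptions made for illustration.

```csharp
using System;
using System.IO;

// Simplified model of a versioned binary ticket format.
// Hypothetical names and layout; this is not Katana's TicketSerializer.
static class TicketFormatDemo
{
    const int PropertiesVersion = 1;

    // Layout written BEFORE the new field existed: version | name | properties.
    static byte[] WriteOldTicket(int ticketVersion, string name, long expiresUtc)
    {
        using (var ms = new MemoryStream())
        using (var w = new BinaryWriter(ms))
        {
            w.Write(ticketVersion);
            w.Write(name);
            w.Write(PropertiesVersion);   // start of the properties block
            w.Write(expiresUtc);
            w.Flush();
            return ms.ToArray();
        }
    }

    // Reader AFTER the change: version | name | contextSize [context] | properties.
    static string Read(byte[] payload, int expectedVersion)
    {
        using (var r = new BinaryReader(new MemoryStream(payload)))
        {
            if (r.ReadInt32() != expectedVersion)
                return "rejected: unknown ticket version";
            string name = r.ReadString();
            int contextSize = r.ReadInt32();        // on an old payload this consumes PropertiesVersion
            if (contextSize > 0) r.ReadBytes(contextSize);
            if (r.ReadInt32() != PropertiesVersion) // reader is now misaligned inside expiresUtc
                return "accepted: " + name + " with NO properties (no ExpiresUtc)";
            return "accepted: " + name + ", expires " + r.ReadInt64();
        }
    }

    static void Main()
    {
        // Constructed sample: a ticket issued by the old code with format version 2.
        byte[] old = WriteOldTicket(2, "alice", 1410220800L);
        Console.WriteLine(Read(old, 2)); // new reader, format version left at 2
        Console.WriteLine(Read(old, 3)); // new reader, format version incremented to 3
    }
}
```

With the version left unchanged, the old payload passes the version check and the ticket comes back without its expiry data; with the version incremented, the same payload is refused at the first read and the user has to re-authenticate.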

@Tratcher Tratcher changed the title Make sure to increment TicketSerializer.FormatVersion when porting BootstrapContext support Port serialization for BootsrapContext. Make sure to increment TicketSerializer.FormatVersion. Sep 12, 2014
@Tratcher
Member

Also this SHA: 59889201ec2ab3178021273ae2d8692ea52fe3f5

@Tratcher
Member

Blocked waiting on System.IdentityModel for BootstrapContext. @brentschmaltz, will this still be needed in vNext?

@brentschmaltz
Contributor

Yes, we need BootstrapContext in vNext.

@Eilon
Member

Eilon commented Jun 25, 2015

We think the type is now available on Core CLR, so we should be able to do this now.

@Eilon Eilon removed the 0 - Backlog label Jun 25, 2015
@Eilon Eilon added this to the 1.0.0-beta7 milestone Jun 25, 2015
@Eilon Eilon modified the milestones: 1.0.0-beta8, 1.0.0-beta7 Jul 30, 2015
@Eilon Eilon changed the title Port serialization for BootsrapContext. Make sure to increment TicketSerializer.FormatVersion. Port serialization for BootstrapContext. Make sure to increment TicketSerializer.FormatVersion. Aug 27, 2015
@Eilon Eilon added the investigate Investigation item label Aug 27, 2015
@Eilon
Member

Eilon commented Aug 27, 2015

@Tratcher can you check if the APIs we need are there? If not, we'll have to ping some folks.

@Tratcher
Member

Tratcher commented Sep 1, 2015

@brentschmaltz What package is the BootstrapContext type available in for CoreCLR?

@kevinchalet
Contributor Author

BootstrapContext no longer exists.

JwtSecurityTokenHandler sets ClaimsIdentity.BootstrapContext with the serialized token (as a string).
