[Upgrade to .Net7] SecurityStampValidator<TUser> forces signout of TwoFactorRememberMeScheme which leads to InvalidOperationException in case scheme is not registered #47368
Labels: area-identity (Includes: Identity and providers); bug (This issue describes a behavior which is not expected - a bug.); cost: XS (Will take up to half a day to complete); Pillar: Technical Debt; triaged
Is there an existing issue for this?
Describe the bug
Hi, in my project I'm relying on AddIdentityCore followed by cherry-picked registrations like AddSignInManager, etc. It allows me to set up minimal Identity for my project. I do not want roles, nor do I want default authentication schemes. Until now I have not yet invested in MFA or 2FA, as most users of this product are authenticated through an external authentication scheme (which supports MFA).

So I have custom authentication schemes (OpenIdConnect, Cookie and External for SSO). However, I do not have TwoFactorRememberMeScheme, as I do not use it. I've tried to bump my project to .NET7 from .NET6. However, it turns out that in .NET7 the default SecurityStampValidator<TUser> is forcing sign-out of the TwoFactorRememberMeScheme scheme. This ends with an InvalidOperationException, as there is no handler registered for that scheme. Check: https://github.com/dotnet/aspnetcore/blob/main/src/Identity/Core/src/SecurityStampValidator.cs#L137
Expected Behavior
Since you allow minimal setup, as AddIdentityCore is public and not obsolete, then perhaps you should not enforce some hard-coded scheme sign-out in the default implementation of SecurityStampValidator.
Steps To Reproduce
No response
Exceptions (if any)
No response
.NET Version
7.0.201
Anything else?
No response
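One way to avoid the exception described in the report is to register a cookie handler under the scheme name the validator signs out of, and to check at startup that the handler exists. This is an added example, not code from the issue or from the ASP.NET Core project; it assumes a web project with implicit usings enabled, and the scheme name "AppCookie" and the SchemeCheck helper are hypothetical.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;

var builder = WebApplication.CreateBuilder(args);

// Minimal Identity as in the report: no roles, no default Identity cookies.
// User stores are omitted here; a real application registers its own.
builder.Services.AddIdentityCore<IdentityUser>().AddSignInManager();

// "AppCookie" is a constructed name standing in for the application's own scheme.
builder.Services.AddAuthentication("AppCookie")
    .AddCookie("AppCookie")
    // Registers a cookie handler for IdentityConstants.TwoFactorRememberMeScheme,
    // so a sign-out of that scheme finds a handler even though 2FA is unused.
    .AddTwoFactorRememberMeCookie();

var app = builder.Build();

// Fail at startup, not on the first rejected cookie, if the scheme is missing.
var missing = await SchemeCheck.FindMissingAsync(
    app.Services, IdentityConstants.TwoFactorRememberMeScheme);
if (missing.Count > 0)
{
    throw new InvalidOperationException(
        "No authentication handler registered for: " + string.Join(", ", missing));
}

app.Run();

// Hypothetical helper: returns the scheme names that have no registered handler.
public static class SchemeCheck
{
    public static async Task<IReadOnlyList<string>> FindMissingAsync(
        IServiceProvider services, params string[] requiredSchemes)
    {
        var provider = services.GetRequiredService<IAuthenticationSchemeProvider>();
        var missing = new List<string>();
        foreach (var name in requiredSchemes)
        {
            if (await provider.GetSchemeAsync(name) is null)
            {
                missing.Add(name);
            }
        }
        return missing;
    }
}
```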