Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider making SignInAsync throw for an unauthenticated identity #9255

Closed
rynowak opened this issue Apr 10, 2019 · 9 comments · Fixed by #9482
Closed

Consider making SignInAsync throw for an unauthenticated identity #9255

rynowak opened this issue Apr 10, 2019 · 9 comments · Fixed by #9482
Assignees
@HaoK
Labels
area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer breaking-change This issue / pr will introduce a breaking change, when resolved / merged. Done This issue has been fixed
Milestone
3.0.0-preview6

Comments

@rynowak
Copy link
Member

rynowak commented Apr 10, 2019

Yeah, I'll admit it. 😢 I burned 1.5 hours trying to use this API and not knowing why it didn't work.

The difference here is between:

var identity = new ClaimsIdentity(new[] { new Claim("ClaimA", "Value") });
await HttpContext.SignInAsync(scheme: null, new ClaimsPrincipal(identity));
var identity = new ClaimsIdentity(new[] { new Claim("ClaimA", "Value") }, CookieAuthenticationDefaults.AuthenticationScheme);
await HttpContext.SignInAsync(scheme: null, new ClaimsPrincipal(identity));

The shorter overload of ClaimsIdentity does the wrong thing for most cases. I'm also not sure if we should be validating whether scheme and the authentication scheme passed to SignInAsync should match.

Since there are use cases for SignInAsync with an unauthenticated identity, consider adding more parameters, or using a different method name for that case. Both of these can communicate that you're doing something non-default.

/cc @HaoK @blowdart
@rynowak rynowak added the area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer label Apr 10, 2019
@blowdart
Copy link
Contributor

This does bite the unwary, especially the principal that isn't signed in.

Extra validation wouldn't hurt, with an opt-out for people that have valid reasons for not creating an authenticated principal.

Also tagging @Tratcher

@Tratcher
Copy link
Member

What happens to the unauthenticated identity? Does it round trip the empty auth type and IsAuthenticated fails on the next request? That's an easy check to add in CookieAuth.

What's the scenario for using SignInAsync with unauthenticated identities?

Note we explicitly do not require the auth types to match, that's why they're separate fields. There was too much confusion when you'd take an OAuth identity, sign in as cookies, etc..

@rynowak
Copy link
Member Author

rynowak commented Apr 10, 2019

What happens to the unauthenticated identity? Does it round trip the empty auth type and IsAuthenticated fails on the next request? That's an easy check to add in CookieAuth.

Yes, this is what I saw.

What's the scenario for using SignInAsync with unauthenticated identities?

@blowdart said this is used when people do things like associate a user with an IP address. He can probably provide more detail than I could.

@blowdart
Copy link
Contributor

Well i was stretching. I'm sure someone, somewhere does this, and we'll break them without a way to turn the fix off.

@Tratcher
Copy link
Member

Sure, but we're just asking them to set the auth type field. They can set to anything they want, and it would only checked in CookieAuth.

@HaoK
Copy link
Member

HaoK commented Apr 10, 2019 via email

@Eilon Eilon added the breaking-change This issue / pr will introduce a breaking change, when resolved / merged. label Apr 11, 2019
@Eilon Eilon added this to the 3.0.0-preview5 milestone Apr 11, 2019
@HaoK HaoK mentioned this issue Apr 17, 2019
Merged
@Eilon Eilon modified the milestones: 3.0.0-preview5, 3.0.0-preview6 Apr 26, 2019
@HaoK HaoK added the Done This issue has been fixed label May 31, 2019
@HaoK HaoK mentioned this issue May 31, 2019
Closed
@HaoK
Copy link
Member

HaoK commented May 31, 2019

Announcement for breaking change posted here: #10718

@HaoK HaoK mentioned this issue Jun 1, 2019
Open
@HaoK
Copy link
Member

HaoK commented Jun 1, 2019

Created announcement in the right place this time aspnet/Announcements#361

@poke
Copy link
Contributor

poke commented Jun 1, 2019

This has bitten me in the past too, so thank you for this change! The authentication type is just too invisible for this (and it is somewhat cryptic that this is what IsAuthenticated requires).

@ghost ghost locked as resolved and limited conversation to collaborators Dec 3, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@HaoK HaoK

Labels
area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer breaking-change This issue / pr will introduce a breaking change, when resolved / merged. Done This issue has been fixed
Projects
None yet
Milestone
3.0.0-preview6
Development

Successfully merging a pull request may close this issue.

Require ClaimsPrincipal.Identity.IsAuthenticated for SignIn by default dotnet/aspnetcore
6 participants
@poke @Eilon @blowdart @rynowak @Tratcher @HaoK