Add a way to overwrite query arguments that are passed as part of the
challenge request to the external authentication provider in OAuth-based
authentication providers, including OpenID Connect.
This uses the new `AuthenticationProperties.Parameters` collection to
pass parameters to the authentication handler which will then look for
special items within that property bag, overwriting previously
configured values within the authentication options.
This can be used for example to overwrite the OAuth scopes that are
requested from an authentication provider, or to explicitly trigger a
reauthentication by requiring a login prompt with OpenID Connect. By
being able to specify this on individual challenge requests (using
`HttpContext.ChallengeAsync`), this is independent from the global
scheme configuration.
Custom ~ChallengeProperties types, e.g. `OAuthChallengeProperties` for
OAuth-based authentication providers, provide assistance in setting the
challenge request parameters but are not required to make the handlers
use the overwritten values.
- Adjust authentication handlers to respect the custom parameters, and
add ~ChallengeProperties types.
- Introduce `OAuthHandler.FormatScope(IEnumerable<string>)` to format a
custom set of scopes. Subclasses requiring a different scope format
should override this method instead of the parameterless overload.
Overriding just `FormatScope()` will prevent handlers from supporting
overwriting the OAuth `scope` in a challenge request.
- Refactor GoogleHandler to support parameterization through both the
`Parameters` and the `Items` collection (former is preferred) to keep
compatibility with the old behavior.
- Add an OpenIdConnect sample to overwrite the prompt argument in a
challenge request.
- Add extensive tests.
* VirtualScheme => PolicyScheme
* Use SignInHandler base for cookies
* PolicySchemeHandlers throw NotImplemented by default
* Remove redundant interface
#1443 Block unsolicited wsfed logins by default.
#1520 Update WsFed to use the 2.0 event structure
#1425 Implement WsFed remote signout cleanup
Rework WsFed RemoteSignOutPath logic to work with ADFS #1581
Update versions, dependencies.
_tokenValidationFailed format string includes the JWT token followed by a period, which if a dev troubleshooting copies incorrectly to the EOL will make the JWT invalid.
Current: Failed to validate the token eyJhbGc.......HCwFmw.
Proposed: Failed to validate the token eyJhbGc.......HCwFmw
- max_age parameter added to the authentication request if MaxAge is not null
- throws exception if MaxAge is set to a negative value
- Fractions of seconds are ignored
- See http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest for expected behavior
Addresses #1233
Devin Garner
Patrick Westerhoff
Chris Ross (ASP.NET)
Ryan Brandenburg
Hao Kung
Hao Kung
Muqeet Khan
Eilon Lipton
Dominick Baier
Nate McMaster
tstojecki
OpenIDAuthority
Josh Coulter
Gareth Brading
Chris R
Javier Calvarro Nelson
agoretsky
Anders Abel
Kiran Challa
Damir Ainullin
Brian Chavez
Poul Kjeldager Sørensen
Scott Addie
Saravanan
richstokoe