Update the ASP.NET Core/OWIN hosts to support returning authentication properties for errored requests

1 year ago · 878569cd3f
11 changed files with 183 additions and 55 deletions
--- a/sandbox/OpenIddict.Sandbox.AspNet.Server/Startup.cs
+++ b/sandbox/OpenIddict.Sandbox.AspNet.Server/Startup.cs
@ -201,7 +201,7 @@ public class Startup
                    ClientId = "mvc",
                    ClientSecret = "901564A5-E7FE-42CB-B10D-61EF6A8F3654",
                    ClientType = ClientTypes.Confidential,
-                    ConsentType = ConsentTypes.Explicit,
+                    ConsentType = ConsentTypes.Systematic,
                    DisplayName = "MVC client application",
                    RedirectUris =
                    {
--- a/sandbox/OpenIddict.Sandbox.AspNetCore.Server/Worker.cs
+++ b/sandbox/OpenIddict.Sandbox.AspNetCore.Server/Worker.cs
@ -152,7 +152,7 @@ public class Worker : IHostedService
                    ClientId = "mvc",
                    ClientSecret = "901564A5-E7FE-42CB-B10D-61EF6A8F3654",
                    ClientType = ClientTypes.Confidential,
-                    ConsentType = ConsentTypes.Explicit,
+                    ConsentType = ConsentTypes.Systematic,
                    DisplayName = "MVC client application",
                    DisplayNames =
                    {
--- a/src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandler.cs
+++ b/src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandler.cs
@ -156,17 +156,24 @@ public sealed class OpenIddictClientAspNetCoreHandler : AuthenticationHandler<Op
                return AuthenticateResult.NoResult();
            }

-            var properties = new AuthenticationProperties(new Dictionary<string, string?>
-            {
-                [Properties.Error] = context.Error,
-                [Properties.ErrorDescription] = context.ErrorDescription,
-                [Properties.ErrorUri] = context.ErrorUri
-            });
+            var properties = CreateAuthenticationProperties();
+            properties.Items[Properties.Error] = context.Error;
+            properties.Items[Properties.ErrorDescription] = context.ErrorDescription;
+            properties.Items[Properties.ErrorUri] = context.ErrorUri;

            return AuthenticateResult.Fail(SR.GetResourceString(SR.ID0113), properties);
        }

        else
+        {
+            var properties = CreateAuthenticationProperties();
+
+            return AuthenticateResult.Success(new AuthenticationTicket(
+                context.MergedPrincipal ?? new ClaimsPrincipal(new ClaimsIdentity()), properties,
+                OpenIddictClientAspNetCoreDefaults.AuthenticationScheme));
+        }
+
+        AuthenticationProperties CreateAuthenticationProperties()
        {
            var properties = new AuthenticationProperties
            {
@ -336,9 +343,7 @@ public sealed class OpenIddictClientAspNetCoreHandler : AuthenticationHandler<Op
                properties.SetParameter(Properties.UserInfoTokenPrincipal, context.UserInfoTokenPrincipal);
            }

-            return AuthenticateResult.Success(new AuthenticationTicket(
-                context.MergedPrincipal ?? new ClaimsPrincipal(new ClaimsIdentity()), properties,
-                OpenIddictClientAspNetCoreDefaults.AuthenticationScheme));
+            return properties;
        }
    }

--- a/src/OpenIddict.Client.Owin/OpenIddictClientOwinHandler.cs
+++ b/src/OpenIddict.Client.Owin/OpenIddictClientOwinHandler.cs
@ -155,17 +155,22 @@ public sealed class OpenIddictClientOwinHandler : AuthenticationHandler<OpenIddi
                return null;
            }

-            var properties = new AuthenticationProperties(new Dictionary<string, string?>
-            {
-                [Properties.Error] = context.Error,
-                [Properties.ErrorDescription] = context.ErrorDescription,
-                [Properties.ErrorUri] = context.ErrorUri
-            });
+            var properties = CreateAuthenticationProperties();
+            properties.Dictionary[Properties.Error] = context.Error;
+            properties.Dictionary[Properties.ErrorDescription] = context.ErrorDescription;
+            properties.Dictionary[Properties.ErrorUri] = context.ErrorUri;

-            return new AuthenticationTicket(null, properties);
+            return new AuthenticationTicket(new ClaimsIdentity(), properties);
        }

        else
+        {
+            var properties = CreateAuthenticationProperties();
+
+            return new AuthenticationTicket(context.MergedPrincipal?.Identity as ClaimsIdentity ?? new ClaimsIdentity(), properties);
+        }
+
+        AuthenticationProperties CreateAuthenticationProperties()
        {
            var properties = new AuthenticationProperties
            {
@ -240,7 +245,7 @@ public sealed class OpenIddictClientOwinHandler : AuthenticationHandler<OpenIddi
                properties.Dictionary[Tokens.UserInfoToken] = context.UserInfoToken;
            }

-            return new AuthenticationTicket(context.MergedPrincipal?.Identity as ClaimsIdentity, properties);
+            return properties;
        }
    }

--- a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandler.cs
+++ b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandler.cs
@ -156,12 +156,10 @@ public sealed class OpenIddictServerAspNetCoreHandler : AuthenticationHandler<Op
                return AuthenticateResult.NoResult();
            }

-            var properties = new AuthenticationProperties(new Dictionary<string, string?>
-            {
-                [Properties.Error] = context.Error,
-                [Properties.ErrorDescription] = context.ErrorDescription,
-                [Properties.ErrorUri] = context.ErrorUri
-            });
+            var properties = CreateAuthenticationProperties();
+            properties.Items[Properties.Error] = context.Error;
+            properties.Items[Properties.ErrorDescription] = context.ErrorDescription;
+            properties.Items[Properties.ErrorUri] = context.ErrorUri;

            return AuthenticateResult.Fail(SR.GetResourceString(SR.ID0113), properties);
        }
@ -199,6 +197,15 @@ public sealed class OpenIddictServerAspNetCoreHandler : AuthenticationHandler<Op
                _ => null
            };

+            var properties = CreateAuthenticationProperties(principal);
+
+            return AuthenticateResult.Success(new AuthenticationTicket(
+                principal ?? new ClaimsPrincipal(new ClaimsIdentity()), properties,
+                OpenIddictServerAspNetCoreDefaults.AuthenticationScheme));
+        }
+
+        AuthenticationProperties CreateAuthenticationProperties(ClaimsPrincipal? principal = null)
+        {
            var properties = new AuthenticationProperties
            {
                ExpiresUtc = principal?.GetExpirationDate(),
@ -325,9 +332,7 @@ public sealed class OpenIddictServerAspNetCoreHandler : AuthenticationHandler<Op
                properties.StoreTokens(tokens);
            }

-            return AuthenticateResult.Success(new AuthenticationTicket(
-                principal ?? new ClaimsPrincipal(new ClaimsIdentity()), properties,
-                OpenIddictServerAspNetCoreDefaults.AuthenticationScheme));
+            return properties;
        }
    }

--- a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandler.cs
+++ b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandler.cs
@ -151,14 +151,12 @@ public sealed class OpenIddictServerOwinHandler : AuthenticationHandler<OpenIddi
                return null;
            }

-            var properties = new AuthenticationProperties(new Dictionary<string, string?>
-            {
-                [Properties.Error] = context.Error,
-                [Properties.ErrorDescription] = context.ErrorDescription,
-                [Properties.ErrorUri] = context.ErrorUri
-            });
+            var properties = CreateAuthenticationProperties();
+            properties.Dictionary[Properties.Error] = context.Error;
+            properties.Dictionary[Properties.ErrorDescription] = context.ErrorDescription;
+            properties.Dictionary[Properties.ErrorUri] = context.ErrorUri;

-            return new AuthenticationTicket(null, properties);
+            return new AuthenticationTicket(new ClaimsIdentity(), properties);
        }

        else
@ -191,6 +189,13 @@ public sealed class OpenIddictServerOwinHandler : AuthenticationHandler<OpenIddi
                _ => null
            };

+            var properties = CreateAuthenticationProperties(principal);
+
+            return new AuthenticationTicket(principal?.Identity as ClaimsIdentity ?? new ClaimsIdentity(), properties);
+        }
+
+        AuthenticationProperties CreateAuthenticationProperties(ClaimsPrincipal? principal = null)
+        {
            var properties = new AuthenticationProperties
            {
                ExpiresUtc = principal?.GetExpirationDate(),
@ -240,7 +245,7 @@ public sealed class OpenIddictServerOwinHandler : AuthenticationHandler<OpenIddi
                properties.Dictionary[Tokens.UserCode] = context.UserCode;
            }

-            return new AuthenticationTicket(principal?.Identity as ClaimsIdentity, properties);
+            return properties;
        }
    }

--- a/src/OpenIddict.Validation.AspNetCore/OpenIddictValidationAspNetCoreHandler.cs
+++ b/src/OpenIddict.Validation.AspNetCore/OpenIddictValidationAspNetCoreHandler.cs
@ -154,12 +154,10 @@ public sealed class OpenIddictValidationAspNetCoreHandler : AuthenticationHandle
                return AuthenticateResult.NoResult();
            }

-            var properties = new AuthenticationProperties(new Dictionary<string, string?>
-            {
-                [Properties.Error] = context.Error,
-                [Properties.ErrorDescription] = context.ErrorDescription,
-                [Properties.ErrorUri] = context.ErrorUri
-            });
+            var properties = CreateAuthenticationProperties();
+            properties.Items[Properties.Error] = context.Error;
+            properties.Items[Properties.ErrorDescription] = context.ErrorDescription;
+            properties.Items[Properties.ErrorUri] = context.ErrorUri;

            return AuthenticateResult.Fail(SR.GetResourceString(SR.ID0113), properties);
        }
@ -177,6 +175,15 @@ public sealed class OpenIddictValidationAspNetCoreHandler : AuthenticationHandle
                _ => null
            };

+            var properties = CreateAuthenticationProperties(principal);
+
+            return AuthenticateResult.Success(new AuthenticationTicket(
+                principal ?? new ClaimsPrincipal(new ClaimsIdentity()), properties,
+                OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme));
+        }
+
+        AuthenticationProperties CreateAuthenticationProperties(ClaimsPrincipal? principal = null)
+        {
            var properties = new AuthenticationProperties
            {
                ExpiresUtc = principal?.GetExpirationDate(),
@ -208,9 +215,7 @@ public sealed class OpenIddictValidationAspNetCoreHandler : AuthenticationHandle
                properties.StoreTokens(tokens);
            }

-            return AuthenticateResult.Success(new AuthenticationTicket(
-                principal ?? new ClaimsPrincipal(new ClaimsIdentity()), properties,
-                OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme));
+            return properties;
        }
    }

--- a/src/OpenIddict.Validation.Owin/OpenIddictValidationOwinHandler.cs
+++ b/src/OpenIddict.Validation.Owin/OpenIddictValidationOwinHandler.cs
@ -150,14 +150,12 @@ public sealed class OpenIddictValidationOwinHandler : AuthenticationHandler<Open
                return null;
            }

-            var properties = new AuthenticationProperties(new Dictionary<string, string?>
-            {
-                [Properties.Error] = context.Error,
-                [Properties.ErrorDescription] = context.ErrorDescription,
-                [Properties.ErrorUri] = context.ErrorUri
-            });
+            var properties = CreateAuthenticationProperties();
+            properties.Dictionary[Properties.Error] = context.Error;
+            properties.Dictionary[Properties.ErrorDescription] = context.ErrorDescription;
+            properties.Dictionary[Properties.ErrorUri] = context.ErrorUri;

-            return new AuthenticationTicket(null, properties);
+            return new AuthenticationTicket(new ClaimsIdentity(), properties);
        }

        else
@ -170,6 +168,13 @@ public sealed class OpenIddictValidationOwinHandler : AuthenticationHandler<Open
                _ => null
            };

+            var properties = CreateAuthenticationProperties(principal);
+
+            return new AuthenticationTicket(principal?.Identity as ClaimsIdentity ?? new ClaimsIdentity(), properties);
+        }
+
+        AuthenticationProperties CreateAuthenticationProperties(ClaimsPrincipal? principal = null)
+        {
            var properties = new AuthenticationProperties
            {
                ExpiresUtc = principal?.GetExpirationDate(),
@ -184,7 +189,7 @@ public sealed class OpenIddictValidationOwinHandler : AuthenticationHandler<Open
                properties.Dictionary[TokenTypeHints.AccessToken] = context.AccessToken;
            }

-            return new AuthenticationTicket(principal?.Identity as ClaimsIdentity, properties);
+            return properties;
        }
    }

--- a/test/OpenIddict.Server.AspNetCore.IntegrationTests/OpenIddictServerAspNetCoreIntegrationTests.cs
+++ b/test/OpenIddict.Server.AspNetCore.IntegrationTests/OpenIddictServerAspNetCoreIntegrationTests.cs
@ -18,6 +18,7 @@ using OpenIddict.Server.IntegrationTests;
 using Xunit;
 using Xunit.Abstractions;
 using static OpenIddict.Server.OpenIddictServerEvents;
+using static OpenIddict.Server.OpenIddictServerHandlers;
 using static OpenIddict.Server.OpenIddictServerHandlers.Protection;

 #if SUPPORTS_JSON_NODES
@ -134,6 +135,54 @@ public partial class OpenIddictServerAspNetCoreIntegrationTests : OpenIddictServ
        Assert.Equal(new DateTimeOffset(2120, 01, 01, 00, 00, 00, TimeSpan.Zero), properties.ExpiresUtc);
    }

+    [Fact]
+    public async Task ProcessAuthentication_CustomPropertiesAreAddedForErroredAuthenticationResults()
+    {
+        // Arrange
+        await using var server = await CreateServerAsync(options =>
+        {
+            options.EnableDegradedMode();
+            options.SetAuthorizationEndpointUris("/authenticate/properties");
+
+            options.UseAspNetCore()
+                   .EnableErrorPassthrough()
+                   .EnableAuthorizationEndpointPassthrough();
+
+            options.AddEventHandler<ProcessAuthenticationContext>(builder =>
+            {
+                builder.UseInlineHandler(context =>
+                {
+                    context.RejectIdentityToken = true;
+
+                    context.Properties["custom_property"] = "value";
+
+                    return default;
+                });
+
+                builder.SetOrder(EvaluateValidatedTokens.Descriptor.Order + 1);
+            });
+        });
+
+        await using var client = await server.CreateClientAsync();
+
+        // Act
+        var response = await client.PostAsync("/authenticate/properties", new OpenIddictRequest
+        {
+            ClientId = "Fabrikam",
+            IdTokenHint = "id_token_hint",
+            Nonce = "n-0S6_WzA2Mj",
+            RedirectUri = "http://www.fabrikam.com/path",
+            ResponseType = "id_token",
+            Scope = Scopes.OpenId
+        });
+
+        // Assert
+        var properties = new AuthenticationProperties(response.GetParameters()
+            .ToDictionary(parameter => parameter.Key, parameter => (string?) parameter.Value));
+
+        Assert.Equal("value", properties.Items["custom_property"]);
+    }
+
    [Fact]
    public async Task ProcessChallenge_ImportsAuthenticationProperties()
    {
--- a/test/OpenIddict.Server.Owin.IntegrationTests/OpenIddictServerOwinIntegrationTests.cs
+++ b/test/OpenIddict.Server.Owin.IntegrationTests/OpenIddictServerOwinIntegrationTests.cs
@ -16,6 +16,7 @@ using Owin;
 using Xunit;
 using Xunit.Abstractions;
 using static OpenIddict.Server.OpenIddictServerEvents;
+using static OpenIddict.Server.OpenIddictServerHandlers;
 using static OpenIddict.Server.OpenIddictServerHandlers.Protection;

 namespace OpenIddict.Server.Owin.IntegrationTests;
@ -128,6 +129,54 @@ public partial class OpenIddictServerOwinIntegrationTests : OpenIddictServerInte
        Assert.Equal(new DateTimeOffset(2120, 01, 01, 00, 00, 00, TimeSpan.Zero), properties.ExpiresUtc);
    }

+    [Fact]
+    public async Task ProcessAuthentication_CustomPropertiesAreAddedForErroredAuthenticationResults()
+    {
+        // Arrange
+        await using var server = await CreateServerAsync(options =>
+        {
+            options.EnableDegradedMode();
+            options.SetAuthorizationEndpointUris("/authenticate/properties");
+
+            options.UseOwin()
+                   .EnableErrorPassthrough()
+                   .EnableAuthorizationEndpointPassthrough();
+
+            options.AddEventHandler<ProcessAuthenticationContext>(builder =>
+            {
+                builder.UseInlineHandler(context =>
+                {
+                    context.RejectIdentityToken = true;
+
+                    context.Properties["custom_property"] = "value";
+
+                    return default;
+                });
+
+                builder.SetOrder(EvaluateValidatedTokens.Descriptor.Order + 1);
+            });
+        });
+
+        await using var client = await server.CreateClientAsync();
+
+        // Act
+        var response = await client.PostAsync("/authenticate/properties", new OpenIddictRequest
+        {
+            ClientId = "Fabrikam",
+            IdTokenHint = "id_token_hint",
+            Nonce = "n-0S6_WzA2Mj",
+            RedirectUri = "http://www.fabrikam.com/path",
+            ResponseType = "id_token",
+            Scope = Scopes.OpenId
+        });
+
+        // Assert
+        var properties = new AuthenticationProperties(response.GetParameters()
+            .ToDictionary(parameter => parameter.Key, parameter => (string?) parameter.Value));
+
+        Assert.Equal("value", properties.Dictionary["custom_property"]);
+    }
+
    [Fact]
    public async Task ProcessChallenge_ImportsAuthenticationProperties()
    {
@ -642,7 +691,7 @@ public partial class OpenIddictServerOwinIntegrationTests : OpenIddictServerInte
                else if (context.Request.Path == new PathString("/authenticate"))
                {
                    var result = await context.Authentication.AuthenticateAsync(OpenIddictServerOwinDefaults.AuthenticationType);
-                    if (result?.Identity is null)
+                    if (result?.Identity is not { IsAuthenticated: true })
                    {
                        return;
                    }
--- a/test/OpenIddict.Validation.Owin.IntegrationTests/OpenIddictValidationOwinIntegrationTests.cs
+++ b/test/OpenIddict.Validation.Owin.IntegrationTests/OpenIddictValidationOwinIntegrationTests.cs
@ -162,7 +162,7 @@ public partial class OpenIddictValidationOwinIntegrationTests : OpenIddictValida
                if (context.Request.Path == new PathString("/authenticate"))
                {
                    var result = await context.Authentication.AuthenticateAsync(OpenIddictValidationOwinDefaults.AuthenticationType);
-                    if (result?.Identity is null)
+                    if (result?.Identity is not { IsAuthenticated: true })
                    {
                        context.Authentication.Challenge(OpenIddictValidationOwinDefaults.AuthenticationType);
                        return;