Add AuthenticationProperties to AuthenticateResult for failures.

[Tratcher]

aspnet/Security#1188
See the matching Security PR.

@HaoK how crazy is this? I know you just finished cleaning these up.

[HaoK]

Bleh why don't you create a real first class AuthenticationError class with the things you want, that can contain a Properties if you want, but not just a top level properties

[Tratcher]

How's this?

[HaoK]

Do we really need properties, or just a dictionary bag? Or are we storing original properties?

[davidfowl]

Will both of these ever be set?

[HaoK]

Ugh, get rid of this fallback, I think Properties should only be Ticket.Properties, make them go Error.Properties if they want the error ones.

[HaoK]

Or we should just get rid of this property since there's potentially two Properties now

[davidfowl]

Yea, this looks like a disaster waiting to happen.

[Tratcher]

There will never be both a Ticket and an Error, and the Properties collection is actually the same either way.

[HaoK]

Then maybe instead of an Error property, we should have ErrorResult derive from AuthenticateResult, have Ticket return null, Properties return the error properties.

[HaoK]

So basically instead of a new standalone AuthenticationError class, have an ErrorResult : AuthenticateResult instead which sets the Result up properly (no ticket, properties only)

[Tratcher]

The AuthError gives me a mechanic to solve the next problem (#1178) flowing error details.

[HaoK]

Sure but the Error is just an exception + properties, can't you do the same with an ErrorResult (which also has Failure exception + Properties)? Where's the relevant code in the associated PR today?

[Tratcher]

In this case it's the original auth properties from the user's challenge.

[Tratcher]

bump rebased and revived for 2.1. We now have to be more careful that the changes are strictly additive.

[HaoK]

I think I'd prefer we added something like a generic bag to AuthenticateResult:

   public Dictionary<string, object> CustomData { get } = new Dictionary<string, object>();

And then just have Security/RemoteAuthHandler put whatever it needs into the CustomData to flow the extra error info you need. AuthenticateError looks way too similar to AuthenticateResult...

[Tratcher]

AuthProperties aren't custom data, they're auth flow state that we surface for success but not for failures.

Your suggestion applies more to aspnet/Security#1178 (comment) than the current issue.

[HaoK]

There's already a Properties on AuthenticateResult

[HaoK]

Why can't security just manufacture an error AuthenticateResult with the correct Properties inside?

[HaoK]

Basically instead of adding an Error, just add a new _errorProperties field to use here, and return that instead of _Error.Properties

[HaoK]

Actually scratch that, I'd just leave Properties to mean Ticket.Properties, and add a new FailureProperties so its clear they aren't the same thing...no confusing fallback

[Tratcher]

They are the same properties. We just don't have a way to surface them for failure scenarios.

[HaoK]

A field can still work, just copy the properties into the field in both Success and Failure instead of calling through to the Ticket/Error.

My main pushback is AuthenticateResult is already meant to handle errors. We don't need another AuthenticationError class

[Tratcher]

AuthenticateResult.Properties requires an AuthTicket, which requires a ClaimsPrincipal.

[Tratcher]

Updated, this version's a little simpler.

[HaoK]

Much better :)