ClaimsXform and RIP AutoAuthHandler

- Initial support for ClaimsTransformation
- merge automatic auth handler back into base

Author: HaoK

samples/CookieSessionSample/CookieSessionSample.xproj

@@ -12,7 +12,7 @@
   </PropertyGroup>
   <PropertyGroup>
     <SchemaVersion>2.0</SchemaVersion>
-    <DevelopmentServerPort>22571</DevelopmentServerPort>
+    <DevelopmentServerPort>36505</DevelopmentServerPort>
   </PropertyGroup>
   <Import Project="$(VSToolsPath)\AspNet\Microsoft.Web.AspNet.targets" Condition="'$(VSToolsPath)' != ''" />
 </Project>

samples/SocialSample/SocialSample.xproj

@@ -12,7 +12,7 @@
   </PropertyGroup>
   <PropertyGroup>
     <SchemaVersion>2.0</SchemaVersion>
-    <DevelopmentServerPort>22570</DevelopmentServerPort>
+    <DevelopmentServerPort>36504</DevelopmentServerPort>
   </PropertyGroup>
   <Import Project="$(VSToolsPath)\AspNet\Microsoft.Web.AspNet.targets" Condition="'$(VSToolsPath)' != ''" />
 </Project>

samples/SocialSample/Startup.cs

@@ -1,6 +1,7 @@
 using System.Net.Http;
 using System.Net.Http.Headers;
 using System.Security.Claims;
+using System.Threading.Tasks;
 using Microsoft.AspNet.Builder;
 using Microsoft.AspNet.DataProtection;
 using Microsoft.AspNet.Http;
@@ -28,6 +29,13 @@ public void Configure(IApplicationBuilder app)
                 {
                     options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                 });
+                services.ConfigureClaimsTransformation(p =>
+                {
+                    var id = new ClaimsIdentity("xform");
+                    id.AddClaim(new Claim("ClaimsTransformation", "TransformAddedClaim"));
+                    p.AddIdentity(id);
+                    return p;
+                });
             });
 
             app.UseCookieAuthentication(options =>

src/Microsoft.AspNet.Authentication.Cookies/CookieAuthenticationHandler.cs

@@ -13,7 +13,7 @@
 
 namespace Microsoft.AspNet.Authentication.Cookies
 {
-    internal class CookieAuthenticationHandler : AutomaticAuthenticationHandler<CookieAuthenticationOptions>
+    internal class CookieAuthenticationHandler : AuthenticationHandler<CookieAuthenticationOptions>
     {
         private const string HeaderNameCacheControl = "Cache-Control";
         private const string HeaderNamePragma = "Pragma";

src/Microsoft.AspNet.Authentication.Cookies/CookieAuthenticationMiddleware.cs

@@ -15,11 +15,12 @@ public class CookieAuthenticationMiddleware : AuthenticationMiddleware<CookieAut
     {
         private readonly ILogger _logger;
 
-        public CookieAuthenticationMiddleware(RequestDelegate next, 
-            IServiceProvider services,
-            IDataProtectionProvider dataProtectionProvider, 
-            ILoggerFactory loggerFactory, 
-            IOptions<CookieAuthenticationOptions> options,
+        public CookieAuthenticationMiddleware(
+            [NotNull] RequestDelegate next,
+            [NotNull] IServiceProvider services,
+            [NotNull] IDataProtectionProvider dataProtectionProvider,
+            [NotNull] ILoggerFactory loggerFactory,
+            [NotNull] IOptions<CookieAuthenticationOptions> options,
             ConfigureOptions<CookieAuthenticationOptions> configureOptions)
             : base(next, services, options, configureOptions)
         {

src/Microsoft.AspNet.Authentication.Cookies/CookieAuthenticationOptions.cs

@@ -11,7 +11,7 @@ namespace Microsoft.AspNet.Authentication.Cookies
     /// <summary>
     /// Contains the options used by the CookiesAuthenticationMiddleware
     /// </summary>
-    public class CookieAuthenticationOptions : AutomaticAuthenticationOptions
+    public class CookieAuthenticationOptions : AuthenticationOptions
     {
         private string _cookieName;
 
@@ -20,7 +20,6 @@ public class CookieAuthenticationOptions : AutomaticAuthenticationOptions
         /// </summary>
         public CookieAuthenticationOptions()
         {
-            AutomaticAuthentication = true;
             AuthenticationScheme = CookieAuthenticationDefaults.AuthenticationScheme;
             ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter;
             ExpireTimeSpan = TimeSpan.FromDays(14);

src/Microsoft.AspNet.Authentication.Facebook/FacebookAuthenticationMiddleware.cs

@@ -25,12 +25,12 @@ public class FacebookAuthenticationMiddleware : OAuthAuthenticationMiddleware<Fa
         /// <param name="loggerFactory"></param>
         /// <param name="options">Configuration options for the middleware.</param>
         public FacebookAuthenticationMiddleware(
-            RequestDelegate next,
-            IServiceProvider services,
-            IDataProtectionProvider dataProtectionProvider,
-            ILoggerFactory loggerFactory,
-            IOptions<ExternalAuthenticationOptions> externalOptions,
-            IOptions<FacebookAuthenticationOptions> options,
+            [NotNull] RequestDelegate next,
+            [NotNull] IServiceProvider services,
+            [NotNull] IDataProtectionProvider dataProtectionProvider,
+            [NotNull] ILoggerFactory loggerFactory,
+            [NotNull] IOptions<ExternalAuthenticationOptions> externalOptions,
+            [NotNull] IOptions<FacebookAuthenticationOptions> options,
             ConfigureOptions<FacebookAuthenticationOptions> configureOptions = null)
             : base(next, services, dataProtectionProvider, loggerFactory, externalOptions, options, configureOptions)
         {

src/Microsoft.AspNet.Authentication.Google/GoogleAuthenticationMiddleware.cs

@@ -30,12 +30,12 @@ public class GoogleAuthenticationMiddleware : OAuthAuthenticationMiddleware<Goog
         /// <param name="loggerFactory"></param>
         /// <param name="options">Configuration options for the middleware.</param>
         public GoogleAuthenticationMiddleware(
-            RequestDelegate next,
-            IServiceProvider services,
-            IDataProtectionProvider dataProtectionProvider,
-            ILoggerFactory loggerFactory,
-            IOptions<ExternalAuthenticationOptions> externalOptions,
-            IOptions<GoogleAuthenticationOptions> options,
+            [NotNull] RequestDelegate next,
+            [NotNull] IServiceProvider services,
+            [NotNull] IDataProtectionProvider dataProtectionProvider,
+            [NotNull] ILoggerFactory loggerFactory,
+            [NotNull] IOptions<ExternalAuthenticationOptions> externalOptions,
+            [NotNull] IOptions<GoogleAuthenticationOptions> options,
             ConfigureOptions<GoogleAuthenticationOptions> configureOptions = null)
             : base(next, services, dataProtectionProvider, loggerFactory, externalOptions, options, configureOptions)
         {

src/Microsoft.AspNet.Authentication.MicrosoftAccount/MicrosoftAccountAuthenticationMiddleware.cs

@@ -26,12 +26,12 @@ public class MicrosoftAccountAuthenticationMiddleware : OAuthAuthenticationMiddl
         /// <param name="loggerFactory"></param>
         /// <param name="options">Configuration options for the middleware.</param>
         public MicrosoftAccountAuthenticationMiddleware(
-            RequestDelegate next,
-            IServiceProvider services,
-            IDataProtectionProvider dataProtectionProvider,
-            ILoggerFactory loggerFactory,
-            IOptions<ExternalAuthenticationOptions> externalOptions,
-            IOptions<MicrosoftAccountAuthenticationOptions> options,
+            [NotNull] RequestDelegate next,
+            [NotNull] IServiceProvider services,
+            [NotNull] IDataProtectionProvider dataProtectionProvider,
+            [NotNull] ILoggerFactory loggerFactory,
+            [NotNull] IOptions<ExternalAuthenticationOptions> externalOptions,
+            [NotNull] IOptions<MicrosoftAccountAuthenticationOptions> options,
             ConfigureOptions<MicrosoftAccountAuthenticationOptions> configureOptions = null)
             : base(next, services, dataProtectionProvider, loggerFactory, externalOptions, options, configureOptions)
         {

src/Microsoft.AspNet.Authentication.OAuth/OAuthAuthenticationHandler.cs

@@ -176,13 +176,19 @@ protected virtual async Task<AuthenticationTicket> GetUserInformationAsync(Authe
 
         protected override void ApplyResponseChallenge()
         {
+            if (ShouldConvertChallengeToForbidden())
+            {
+                Response.StatusCode = 403;
+                return;
+            }
+
             if (Response.StatusCode != 401)
             {
                 return;
             }
 
-            // Only redirect on challenges
-            if (ChallengeContext == null)
+            // When Automatic should redirect on 401 even if there wasn't an explicit challenge.
+            if (ChallengeContext == null && !Options.AutomaticAuthentication)
             {
                 return;
             }

src/Microsoft.AspNet.Authentication.OAuth/OAuthAuthenticationMiddleware.cs

@@ -31,12 +31,12 @@ public class OAuthAuthenticationMiddleware<TOptions, TNotifications> : Authentic
         /// <param name="loggerFactory"></param>
         /// <param name="options">Configuration options for the middleware.</param>
         public OAuthAuthenticationMiddleware(
-            RequestDelegate next,
-            IServiceProvider services,
-            IDataProtectionProvider dataProtectionProvider,
-            ILoggerFactory loggerFactory,
-            IOptions<ExternalAuthenticationOptions> externalOptions,
-            IOptions<TOptions> options,
+            [NotNull] RequestDelegate next,
+            [NotNull] IServiceProvider services,
+            [NotNull] IDataProtectionProvider dataProtectionProvider,
+            [NotNull] ILoggerFactory loggerFactory,
+            [NotNull] IOptions<ExternalAuthenticationOptions> externalOptions,
+            [NotNull] IOptions<TOptions> options,
             ConfigureOptions<TOptions> configureOptions = null)
             : base(next, services, options, configureOptions)
         {

src/Microsoft.AspNet.Authentication.OAuthBearer/OAuthBearerAuthenticationHandler.cs

@@ -15,7 +15,7 @@
 
 namespace Microsoft.AspNet.Authentication.OAuthBearer
 {
-    public class OAuthBearerAuthenticationHandler : AutomaticAuthenticationHandler<OAuthBearerAuthenticationOptions>
+    public class OAuthBearerAuthenticationHandler : AuthenticationHandler<OAuthBearerAuthenticationOptions>
     {
         private readonly ILogger _logger;
         private OpenIdConnectConfiguration _configuration;
@@ -197,7 +197,7 @@ protected override async Task ApplyResponseChallengeAsync()
                 return;
             }
 
-            if ((Response.StatusCode != 401) || (ChallengeContext == null))
+            if ((Response.StatusCode != 401) || (ChallengeContext == null && !Options.AutomaticAuthentication))
             {
                 return;
             }

src/Microsoft.AspNet.Authentication.OAuthBearer/OAuthBearerAuthenticationMiddleware.cs

@@ -29,10 +29,10 @@ public class OAuthBearerAuthenticationMiddleware : AuthenticationMiddleware<OAut
         /// extension method.
         /// </summary>
         public OAuthBearerAuthenticationMiddleware(
-            RequestDelegate next,
-            IServiceProvider services,
-            ILoggerFactory loggerFactory,
-            IOptions<OAuthBearerAuthenticationOptions> options,
+            [NotNull] RequestDelegate next,
+            [NotNull] IServiceProvider services,
+            [NotNull] ILoggerFactory loggerFactory,
+            [NotNull] IOptions<OAuthBearerAuthenticationOptions> options,
             ConfigureOptions<OAuthBearerAuthenticationOptions> configureOptions)
             : base(next, services, options, configureOptions)
         {

src/Microsoft.AspNet.Authentication.OAuthBearer/OAuthBearerAuthenticationOptions.cs

@@ -13,7 +13,7 @@ namespace Microsoft.AspNet.Authentication.OAuthBearer
     /// <summary>
     /// Options class provides information needed to control Bearer Authentication middleware behavior
     /// </summary>
-    public class OAuthBearerAuthenticationOptions : AutomaticAuthenticationOptions
+    public class OAuthBearerAuthenticationOptions : AuthenticationOptions
     {
         private ICollection<ISecurityTokenValidator> _securityTokenValidators;
         private TokenValidationParameters _tokenValidationParameters;

src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationMiddleware.cs

@@ -35,12 +35,12 @@ public class OpenIdConnectAuthenticationMiddleware : AuthenticationMiddleware<Op
         /// <param name="options">Configuration options for the middleware</param>
         [SuppressMessage("Microsoft.Reliability", "CA2000:Dispose objects before losing scope", Justification = "Managed by caller")]
         public OpenIdConnectAuthenticationMiddleware(
-            RequestDelegate next,
-            IServiceProvider services,
-            IDataProtectionProvider dataProtectionProvider,
-            ILoggerFactory loggerFactory,
-            IOptions<ExternalAuthenticationOptions> externalOptions,
-            IOptions<OpenIdConnectAuthenticationOptions> options,
+            [NotNull] RequestDelegate next,
+            [NotNull] IServiceProvider services,
+            [NotNull] IDataProtectionProvider dataProtectionProvider,
+            [NotNull] ILoggerFactory loggerFactory,
+            [NotNull] IOptions<ExternalAuthenticationOptions> externalOptions,
+            [NotNull] IOptions<OpenIdConnectAuthenticationOptions> options,
             ConfigureOptions<OpenIdConnectAuthenticationOptions> configureOptions)
             : base(next, services, options, configureOptions)
         {

src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenidConnectAuthenticationHandler.cs

@@ -117,13 +117,19 @@ protected override void ApplyResponseChallenge()
         /// <returns></returns>
         protected override async Task ApplyResponseChallengeAsync()
         {
+            if (ShouldConvertChallengeToForbidden())
+            {
+                Response.StatusCode = 403;
+                return;
+            }
+
             if (Response.StatusCode != 401)
             {
                 return;
             }
 
-            // Only redirect on challenges
-            if (ChallengeContext == null)
+            // When Automatic should redirect on 401 even if there wasn't an explicit challenge.
+            if (ChallengeContext == null && !Options.AutomaticAuthentication)
             {
                 return;
             }

src/Microsoft.AspNet.Authentication.Twitter/TwitterAuthenticationHandler.cs

@@ -131,13 +131,19 @@ protected override void ApplyResponseChallenge()
 
         protected override async Task ApplyResponseChallengeAsync()
         {
+            if (ShouldConvertChallengeToForbidden())
+            {
+                Response.StatusCode = 403;
+                return;
+            }
+
             if (Response.StatusCode != 401)
             {
                 return;
             }
 
-            // Only redirect on challenges
-            if (ChallengeContext == null)
+            // When Automatic should redirect on 401 even if there wasn't an explicit challenge.
+            if (ChallengeContext == null && !Options.AutomaticAuthentication)
             {
                 return;
             }

src/Microsoft.AspNet.Authentication.Twitter/TwitterAuthenticationMiddleware.cs

@@ -33,12 +33,12 @@ public class TwitterAuthenticationMiddleware : AuthenticationMiddleware<TwitterA
         /// <param name="loggerFactory"></param>
         /// <param name="options">Configuration options for the middleware</param>
         public TwitterAuthenticationMiddleware(
-            RequestDelegate next,
-            IServiceProvider services,
-            IDataProtectionProvider dataProtectionProvider,
-            ILoggerFactory loggerFactory,
-            IOptions<ExternalAuthenticationOptions> externalOptions,
-            IOptions<TwitterAuthenticationOptions> options,
+            [NotNull] RequestDelegate next,
+            [NotNull] IServiceProvider services,
+            [NotNull] IDataProtectionProvider dataProtectionProvider,
+            [NotNull] ILoggerFactory loggerFactory,
+            [NotNull] IOptions<ExternalAuthenticationOptions> externalOptions,
+            [NotNull] IOptions<TwitterAuthenticationOptions> options,
             ConfigureOptions<TwitterAuthenticationOptions> configureOptions = null)
             : base(next, services, options, configureOptions)
         {