This repository was archived by the owner on Dec 13, 2018. It is now read-only.

Provide AuthenticationProperties from state in OnRemoteFailure #1188

Closed
Tratcher opened this issue Apr 25, 2017 · 11 comments

Comments

@Tratcher
Member

DuendeArchive/IdentityServer4#1087 (comment)
When a remote login error occurs you may need to examine the state that flows with that challenge to understand how to handle it. For error scenarios we don't currently deserialize the state for you, and doing it yourself is pretty awkward.

@anit05

anit05 commented Apr 27, 2017

I am trying authentication with Google as an external provider, but it is not asking for permissions and is directly logging me in.
Earlier it used to ask for the permissions and I had the option to Allow/Deny.

Do you know if there are any changes in that process?

@anit05

anit05 commented Apr 28, 2017

@Tratcher,
thanks for the help earlier.
I am trying to integrate Twitter now, but when I deny the app the permission, it returns with
url?denied=mmHukAAAAAAA0Yp2AAABW7PLTo

How can I get the return URL from there?

I am using this code:

twitterOptions.Events = new TwitterEvents()
{
    OnRemoteFailure = ctx =>
    {
        var authProperties = twitterOptions.StateDataFormat.Unprotect(ctx.Request.Query["denied"]);
        ctx.Response.Redirect("/Account/login");
        ctx.HandleResponse();
        return Task.FromResult(0);
    }
};

Can you please provide me insight into this?

@Tratcher
Member Author

Twitter is special as it's still using OAuth 1.0a. The AuthProperties aren't serialized into the URL; they're only stored in the cookie.

var properties = new AuthenticationProperties(context.Properties);
if (string.IsNullOrEmpty(properties.RedirectUri))
{
    properties.RedirectUri = CurrentUri;
}
// If CallbackConfirmed is false, this will throw
var requestToken = await ObtainRequestTokenAsync(BuildRedirectUri(Options.CallbackPath), properties);
var twitterAuthenticationEndpoint = AuthenticationEndpoint + requestToken.Token;
var cookieOptions = new CookieOptions
{
    HttpOnly = true,
    Secure = Request.IsHttps,
    Expires = Options.SystemClock.UtcNow.Add(Options.RemoteAuthenticationTimeout),
};
Response.Cookies.Append(StateCookie, Options.StateDataFormat.Protect(requestToken), cookieOptions);

You get them back like this:

var protectedRequestToken = Request.Cookies[StateCookie];
var requestToken = Options.StateDataFormat.Unprotect(protectedRequestToken);
if (requestToken == null)
{
    return AuthenticateResult.Fail("Invalid state cookie.");
}
properties = requestToken.Properties;
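The following is an added example, not code from this thread or from the ASP.NET Core Twitter middleware. It applies the cookie round-trip described above to the OnRemoteFailure case: instead of unprotecting the "denied" query value, the handler reads the state cookie, unprotects it with the same StateDataFormat the middleware uses, and redirects to the RedirectUri carried in the recovered AuthenticationProperties. Assumptions: the cookie name "__TwitterState" (taken here from the handler's StateCookie constant; treat it as an assumption if your version differs), that twitterOptions is the same instance passed to the middleware so its StateDataFormat is populated, and that Microsoft.AspNetCore.WebUtilities is available for QueryHelpers.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Twitter;
using Microsoft.AspNetCore.WebUtilities;

public static class TwitterFailureHandling
{
    // Assumed name of the cookie written by the Twitter handler when the challenge starts.
    private const string StateCookie = "__TwitterState";

    public static void Configure(TwitterOptions twitterOptions)
    {
        twitterOptions.Events = new TwitterEvents
        {
            OnRemoteFailure = ctx =>
            {
                // Landing page used when no valid state can be recovered.
                var returnUrl = "/Account/Login";

                var protectedState = ctx.Request.Cookies[StateCookie];
                if (!string.IsNullOrEmpty(protectedState))
                {
                    // Unprotect returns null for a tampered, expired, or foreign cookie.
                    var requestToken = twitterOptions.StateDataFormat.Unprotect(protectedState);
                    var redirectUri = requestToken?.Properties?.RedirectUri;

                    // Only honour local return URLs, so a forged or replayed cookie
                    // cannot turn the failure path into an open redirect.
                    if (!string.IsNullOrEmpty(redirectUri) && IsLocalUrl(redirectUri))
                    {
                        returnUrl = redirectUri;
                    }

                    // The handler clears this cookie only on success; remove it here so
                    // stale state does not linger after a denied or failed login.
                    ctx.Response.Cookies.Delete(StateCookie);
                }

                // Surface the failure reason to the landing page without echoing raw provider data.
                var reason = ctx.Failure?.Message ?? "remote authentication failed";
                ctx.Response.Redirect(QueryHelpers.AddQueryString(returnUrl, "remoteError", reason));
                ctx.HandleResponse();
                return Task.CompletedTask;
            }
        };
    }

    // Minimal local-URL check: exactly one leading slash, rejecting "//host" and "/\host" forms.
    private static bool IsLocalUrl(string url) =>
        url.StartsWith("/", StringComparison.Ordinal)
        && !url.StartsWith("//", StringComparison.Ordinal)
        && !url.StartsWith("/\\", StringComparison.Ordinal);
}
```

Call `TwitterFailureHandling.Configure(twitterOptions)` before passing the options to the Twitter middleware. The local-URL check matters because the RedirectUri inside the state is attacker-influenced only if the data-protection key is compromised, but an explicit check costs nothing and keeps the failure path from ever redirecting off-site.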

@anit05

anit05 commented Apr 28, 2017

Thanks.
That's unusual, but for the last couple of days, with Google authentication, they are not displaying the consent screen to Allow/Deny the app. Have there been any changes to this process?

Anything that you have got to know?

@Tratcher
Member Author

The consent screen is only shown the first time you use/approve an app. To see it again you have to revoke the app's privileges from your account. There is also a prompt parameter you can add.
https://github.com/aspnet/AspNetKatana/blob/b850cd8b4de61e65bbd7127ce02b5df7c4cb6db5/tests/Katana.Sandbox.WebServer/Startup.cs#L219
https://developers.google.com/identity/protocols/OpenIDConnect#re-consent

@anit05

anit05 commented Apr 28, 2017

Thanks.
I logged in using Twitter. The cookies set are below.
There is no _Twitter cookie.
Is there anything I am missing?

[screenshot: twitter-cookie]

@Tratcher
Member Author

Was that for a success or failure? The cookie gets deleted if you succeed.

@anit05

anit05 commented Apr 28, 2017

It was a success,
so that means I will have to try for a failure to check for that.
And the fact is that when it succeeds, it basically comes back to the client, whereas on error it stays at the IdentityServer app.

@anit05

anit05 commented Apr 28, 2017

For Google authentication and the consent screen,

I have been using it like this:

var googleOptions = new GoogleOptions
{
    AuthenticationScheme = "Google",
    DisplayName = "Google",
    SignInScheme = "Identity.External",
    //SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme,

    ClientId = "",
    ClientSecret = ""
};

But I do not find any property prompt to specify for the consent. Are you referring to somewhere else for the consent screen?
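The following is an added example, not code from this thread or from the Google middleware. GoogleOptions in this version exposes no prompt property, so the example appends Google's documented `prompt=consent` parameter to the authorization request in the OAuthEvents redirect event, which is where the middleware builds the URL it sends the browser to. Assumptions: that the options object is otherwise configured as in the comment above, and that Microsoft.AspNetCore.WebUtilities is available for QueryHelpers.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Google;
using Microsoft.AspNetCore.Authentication.OAuth;
using Microsoft.AspNetCore.WebUtilities;

public static class GoogleConsentPrompt
{
    // Builds GoogleOptions that force the consent screen on every login.
    // Credentials are passed in rather than hard-coded in source.
    public static GoogleOptions Create(string clientId, string clientSecret)
    {
        return new GoogleOptions
        {
            AuthenticationScheme = "Google",
            DisplayName = "Google",
            SignInScheme = "Identity.External",
            ClientId = clientId,
            ClientSecret = clientSecret,
            Events = new OAuthEvents
            {
                OnRedirectToAuthorizationEndpoint = ctx =>
                {
                    // ctx.RedirectUri is the fully built authorization URL (client_id,
                    // redirect_uri, scope, state). AddQueryString preserves the existing
                    // query and appends prompt=consent; Google also accepts
                    // "select_account" and "none" for this parameter.
                    var uri = QueryHelpers.AddQueryString(ctx.RedirectUri, "prompt", "consent");
                    ctx.Response.Redirect(uri);
                    return Task.CompletedTask;
                }
            }
        };
    }
}
```

Because the redirect event fires after the state has been protected and the correlation cookie has been written, adding parameters here does not interfere with the CSRF protection the middleware applies to the callback.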

@Tratcher
Member Author

@Eilon Eilon added this to the 2.0.0-preview2 milestone May 5, 2017
@Eilon Eilon modified the milestones: 2.0.0-preview3, 2.0.0-preview2 May 18, 2017
@brockallen

brockallen commented Jun 3, 2017

As a side note -- I was working on something related to this today and I'm noticing that when errors come back from the OP, neither the nonce nor the correlation cookies are being cleaned up. I don't know if this has been raised as an issue anywhere else, but I'd think it's something that should be addressed, and perhaps in this issue.

In fact, looking at the code, it seems that the expectation is that the nonce cookie key is related to the nonce itself -- this is a problem in an error scenario, as you don't get back an id_token (and thus no nonce). This means there's no way to positively identify which nonce cookie belongs to this error response. If I'm following the code correctly, it seems like that's a design flaw, and might want to be corrected.
