Provide AuthenticationProperties from state in OnRemoteFailure

[Tratcher]

DuendeArchive/IdentityServer4#1087 (comment)
When an remote login error occurs you may need to examine the state that flows with that challenge to understand how to handle it. For error scenarios we don't currently deserialize the state for you, and doing it yourself is pretty awkward.

[anit05]

I am trying authentication with google as external provider but it is not asking for permissions and directly logging me in.
Earlier it used to ask for the permissions and i had the option to Allow/Deny.

Do you know if there are any changes in that process ?

[anit05]

@Tratcher ,
thanks for the help earlier.
I am trying to integrate twitter now, but when i deny app the permission , it returnes with
url?denied=mmHukAAAAAAA0Yp2AAABW7PLTo

how can i get return url from there ?

I am using this code :

twitterOptions.Events = new TwitterEvents()
{
OnRemoteFailure = ctx =>
{
var authProperties = twitterOptions.StateDataFormat.Unprotect(ctx.Request.Query["denied"]);
ctx.Response.Redirect("/Account/login");
ctx.HandleResponse();
return Task.FromResult(0);
}
};

Can you please provide me insight into this. ?

[Tratcher]

Twitter is special as it's still using OAuth1a. The AuthProperties aren't serialized into the url, they're only stored in the cookie.

Security/src/Microsoft.AspNetCore.Authentication.Twitter/TwitterHandler.cs

Lines 134 to 152 in cccfbb7

	var properties = new AuthenticationProperties(context.Properties);
	if (string.IsNullOrEmpty(properties.RedirectUri))
	{
	properties.RedirectUri = CurrentUri;
	}
	// If CallbackConfirmed is false, this will throw
	var requestToken = await ObtainRequestTokenAsync(BuildRedirectUri(Options.CallbackPath), properties);
	var twitterAuthenticationEndpoint = AuthenticationEndpoint + requestToken.Token;
	var cookieOptions = new CookieOptions
	{
	HttpOnly = true,
	Secure = Request.IsHttps,
	Expires = Options.SystemClock.UtcNow.Add(Options.RemoteAuthenticationTimeout),
	};
	Response.Cookies.Append(StateCookie, Options.StateDataFormat.Protect(requestToken), cookieOptions);

You get them back like this:

Security/src/Microsoft.AspNetCore.Authentication.Twitter/TwitterHandler.cs

Lines 42 to 51 in cccfbb7

	var protectedRequestToken = Request.Cookies[StateCookie];
	var requestToken = Options.StateDataFormat.Unprotect(protectedRequestToken);
	if (requestToken == null)
	{
	return AuthenticateResult.Fail("Invalid state cookie.");
	}
	properties = requestToken.Properties;

[anit05]

Thanks
Thats unusual but for last couple of days, with google authentication, they are not displaying consent screen to Allow/Deny app. Have there been any changes to this process. ?

Anything that you have got to know ?

[Tratcher]

The consent screen is only show the first time you use/approve an app. To see it again you have to revoke the app's privileges from your account. There is also a prompt parameter you can add.
https://github.com/aspnet/AspNetKatana/blob/b850cd8b4de61e65bbd7127ce02b5df7c4cb6db5/tests/Katana.Sandbox.WebServer/Startup.cs#L219
https://developers.google.com/identity/protocols/OpenIDConnect#re-consent

[anit05]

Thanks
I logged in using twitter . The cookies set are below.
There is no _Twittercookie .
Is there anything i am missing ?

[Tratcher]

Was that for a success or failure? The cookie gets deleted if you succeed.

[anit05]

It was a success
so mean i will have to try for a failure so check for that .
and the fact that when it succeed , it basically comes back to client whereas , in error it stays at Identityserver app.

[anit05]

For google authentication and consent screen,

i have been using it like

   var googleOptions = new GoogleOptions
            {
                AuthenticationScheme = "Google",
                DisplayName = "Google",
                SignInScheme = "Identity.External",
                //SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme,

                ClientId = ''
                ClientSecret = ''
              
               
            };

But i do not find any property prompt to specify for the consent . Are you referring to somewhere else for consent screen ?

[Tratcher]

It's per challenge:
https://github.com/aspnet/AspNetKatana/blob/b850cd8b4de61e65bbd7127ce02b5df7c4cb6db5/tests/Katana.Sandbox.WebServer/Startup.cs#L219