Add Microsoft.AspNetCore.Authentication.WsFederation, samples, and tests. #1639
Conversation
| /// CallbackPath to a dedicated endpoint may provide better error handling. | ||
| /// This is disabled by default. | ||
| /// </summary> | ||
| public bool SkipUnrecognizedRequests { get; set; } = false; |
There was a problem hiding this comment.
nit: you don't set some of the other defaults to false
| @@ -0,0 +1,33 @@ | |||
| <Project Sdk="Microsoft.NET.Sdk"> | |||
There was a problem hiding this comment.
Today we only have a single test project, do you want to merge this into a new WsFed folder similar to OIDC?
There was a problem hiding this comment.
We've been trying to separate out OIDC into it's own project for a while but the work keeps getting backlogged. I'm not sure what we'd gain by merging this one.
There was a problem hiding this comment.
I didn't think that was a goal for OIDC, just to refactor/clean up tests. I don't really care one way or another really long term (between one test project per package or one uber test project), but today since there's only one uber test project for all of auth, it seems weird to have this be stand alone.
There was a problem hiding this comment.
Personally I think having all the tests in one project are useful (when doing refactoring especially), running them all together doesn't even take long right now. If these ever become slow then splitting them apart would be more useful, but if we are putting the functional tests in other repos like AuthSamples/Identity/templates, I don't think there's much value in splitting them up
| _configuration = await Options.ConfigurationManager.GetConfigurationAsync(Context.RequestAborted); | ||
| } | ||
|
|
||
| string baseUri = |
| Request.Host + | ||
| Request.PathBase; | ||
|
|
||
| string currentUri = |
There was a problem hiding this comment.
Note: Use base.CurrentUri
| properties.RedirectUri = currentUri; | ||
| } | ||
|
|
||
| WsFederationMessage wsFederationMessage = new WsFederationMessage() |
|
|
||
| wsFederationMessage.Wctx = Uri.EscapeDataString(Options.StateDataFormat.Protect(properties)); | ||
|
|
||
| string redirectUri = wsFederationMessage.CreateSignInUrl(); |
| /// The Authentication Scheme to use with SignOutAsync from RemoteSignOutPath. SignInScheme will be used if this | ||
| /// is not set. | ||
| /// </summary> | ||
| public string SignOutScheme { get; set; } |
There was a problem hiding this comment.
Can consider using ForwardSignOut instead.. But I guess this is fine for now, we can clean up the whole signin/signout scheme stuff for the remote handlers in 2.2/3.0
There was a problem hiding this comment.
Let's wait until we figure that out system-wide.
Tratcher
force-pushed
the
tratcher/wsfed21
branch
from
eab171d to
6413305
Compare
|
Updated |
| /// Handles Signout | ||
| /// </summary> | ||
| /// <returns></returns> | ||
| public async virtual Task SignOutAsync(AuthenticationProperties properties) |
There was a problem hiding this comment.
Do you think we should add a SignOutHandler and have this derive from that so you'd only have to implement HandleSignOut like the other helpers? I've been debating adding those base classes for SignIn/SignOut.
There was a problem hiding this comment.
Oh, did those get dropped from the final version? Yeah, it's awkward that all implementors need to include this for the forwarders feature to work. File a followup issue?
There was a problem hiding this comment.
Not dropped, I just merged the minimal changes in for now, nothing was using the new base classes yet so I didn't put them in... we should probably add them if only for wsfed to use... Its a breaking change to change the other ones so I couldn't fix the existing handers to use them...
There was a problem hiding this comment.
It may also be a breaking change for WsFed then, this code was merged into 2.0 first. It's shipping out of band.
There was a problem hiding this comment.
We shipped WsFed already? I just meant its a breaking change on the handlers since we would be making SignOut non virtual and replacing it with protected virtual HandleSignOut etc.
There was a problem hiding this comment.
We've nearly shipped WsFed 2.0.0 as an out of band release. We're only waiting for verification sign-off on the final package. It's also been merged into the next patch release.
| // Did the request end in the actual resource requested for | ||
| Assert.Equal("AuthenticationFailed", await response.Content.ReadAsStringAsync()); | ||
| } | ||
|
|
There was a problem hiding this comment.
Consider adding a test to verify that map'd urls are picked up in redirects, see https://github.com/aspnet/Security/blob/dev/test/Microsoft.AspNetCore.Authentication.Test/FacebookTests.cs#L597
We actually have a large set of common tests now, we should probably consider adding a base handler specification test rather than cloning all of the tests that really should be common across all the handlers. But in the mean time you might want to consider copying a lot of the tests from one of the other common ones from facebook like ThrowsIfAppIdMissing variants, VerifySchemeDefaults, VerifySignInSchemeCannotBeSetToSelfUsingDefaultSignInScheme etc.
There was a problem hiding this comment.
I created #1640 to track moving as many as possible into base classes, so I'd just do the ones specific to wsfed, like VerifySchemeDefaults and the appropriate validations that are required on the options, and the redirect + map test
There was a problem hiding this comment.
Rebased and added a few tests.
|
|
||
| /// <summary> | ||
| /// Indicates if requests to the CallbackPath may also be for other components. If enabled the handler will pass | ||
| /// requests through that do not contain OpenIdConnect authentication responses. Disabling this and setting the |
There was a problem hiding this comment.
Justin offline: OpenIdConnect -> WsFederation
Tratcher
force-pushed
the
tratcher/wsfed21
branch
from
6413305 to
eafc687
Compare
Tratcher
force-pushed
the
tratcher/wsfed21
branch
from
eafc687 to
d95109c
Compare
#1635 Merge the new WsFed package from patch branch into dev
The only diffs from the patch branch involve reacting to the new scheme forwarders in SignOut.
Squashed commits from the patch branch:
#43 Add Microsoft.AspNetCore.Authentication.WsFederation, samples, and tests.
#1443 Block unsolicited wsfed logins by default.
#1520 Update WsFed to use the 2.0 event structure
#1425 Implement WsFed remote signout cleanup
Rework WsFed RemoteSignOutPath logic to work with ADFS #1581
Update versions, dependencies.