Add MapIdentity<TUser>()

Author: halter73

AspNetCore.sln

@@ -1780,6 +1780,12 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.Compon
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "BlazorUnitedApp", "src\Components\Samples\BlazorUnitedApp\BlazorUnitedApp.csproj", "{F5AE525F-F435-40F9-A567-4D5EC3B50D6E}"
 EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Endpoints", "Endpoints", "{C41B35C8-A8CE-445B-A642-9139EE86427A}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.Identity.Endpoints", "src\Identity\Endpoints\src\Microsoft.AspNetCore.Identity.Endpoints.csproj", "{504CBD60-5CD7-4468-9A5A-8C11DECE268A}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "IdentitySample.Endpoints", "src\Identity\samples\IdentitySample.Endpoints\IdentitySample.Endpoints.csproj", "{9F6A0033-5253-46FE-A51B-1813C49EC11F}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -10701,6 +10707,38 @@ Global
 		{F5AE525F-F435-40F9-A567-4D5EC3B50D6E}.Release|x64.Build.0 = Release|Any CPU
 		{F5AE525F-F435-40F9-A567-4D5EC3B50D6E}.Release|x86.ActiveCfg = Release|Any CPU
 		{F5AE525F-F435-40F9-A567-4D5EC3B50D6E}.Release|x86.Build.0 = Release|Any CPU
+		{504CBD60-5CD7-4468-9A5A-8C11DECE268A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{504CBD60-5CD7-4468-9A5A-8C11DECE268A}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{504CBD60-5CD7-4468-9A5A-8C11DECE268A}.Debug|arm64.ActiveCfg = Debug|Any CPU
+		{504CBD60-5CD7-4468-9A5A-8C11DECE268A}.Debug|arm64.Build.0 = Debug|Any CPU
+		{504CBD60-5CD7-4468-9A5A-8C11DECE268A}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{504CBD60-5CD7-4468-9A5A-8C11DECE268A}.Debug|x64.Build.0 = Debug|Any CPU
+		{504CBD60-5CD7-4468-9A5A-8C11DECE268A}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{504CBD60-5CD7-4468-9A5A-8C11DECE268A}.Debug|x86.Build.0 = Debug|Any CPU
+		{504CBD60-5CD7-4468-9A5A-8C11DECE268A}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{504CBD60-5CD7-4468-9A5A-8C11DECE268A}.Release|Any CPU.Build.0 = Release|Any CPU
+		{504CBD60-5CD7-4468-9A5A-8C11DECE268A}.Release|arm64.ActiveCfg = Release|Any CPU
+		{504CBD60-5CD7-4468-9A5A-8C11DECE268A}.Release|arm64.Build.0 = Release|Any CPU
+		{504CBD60-5CD7-4468-9A5A-8C11DECE268A}.Release|x64.ActiveCfg = Release|Any CPU
+		{504CBD60-5CD7-4468-9A5A-8C11DECE268A}.Release|x64.Build.0 = Release|Any CPU
+		{504CBD60-5CD7-4468-9A5A-8C11DECE268A}.Release|x86.ActiveCfg = Release|Any CPU
+		{504CBD60-5CD7-4468-9A5A-8C11DECE268A}.Release|x86.Build.0 = Release|Any CPU
+		{9F6A0033-5253-46FE-A51B-1813C49EC11F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{9F6A0033-5253-46FE-A51B-1813C49EC11F}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{9F6A0033-5253-46FE-A51B-1813C49EC11F}.Debug|arm64.ActiveCfg = Debug|Any CPU
+		{9F6A0033-5253-46FE-A51B-1813C49EC11F}.Debug|arm64.Build.0 = Debug|Any CPU
+		{9F6A0033-5253-46FE-A51B-1813C49EC11F}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{9F6A0033-5253-46FE-A51B-1813C49EC11F}.Debug|x64.Build.0 = Debug|Any CPU
+		{9F6A0033-5253-46FE-A51B-1813C49EC11F}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{9F6A0033-5253-46FE-A51B-1813C49EC11F}.Debug|x86.Build.0 = Debug|Any CPU
+		{9F6A0033-5253-46FE-A51B-1813C49EC11F}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{9F6A0033-5253-46FE-A51B-1813C49EC11F}.Release|Any CPU.Build.0 = Release|Any CPU
+		{9F6A0033-5253-46FE-A51B-1813C49EC11F}.Release|arm64.ActiveCfg = Release|Any CPU
+		{9F6A0033-5253-46FE-A51B-1813C49EC11F}.Release|arm64.Build.0 = Release|Any CPU
+		{9F6A0033-5253-46FE-A51B-1813C49EC11F}.Release|x64.ActiveCfg = Release|Any CPU
+		{9F6A0033-5253-46FE-A51B-1813C49EC11F}.Release|x64.Build.0 = Release|Any CPU
+		{9F6A0033-5253-46FE-A51B-1813C49EC11F}.Release|x86.ActiveCfg = Release|Any CPU
+		{9F6A0033-5253-46FE-A51B-1813C49EC11F}.Release|x86.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -11580,6 +11618,9 @@ Global
 		{AE4D272D-6F13-42C8-9404-C149188AFA33} = {7BAEB9BF-28F4-4DFD-9A04-E5193683C261}
 		{5D438258-CB19-4282-814F-974ABBC71411} = {7BAEB9BF-28F4-4DFD-9A04-E5193683C261}
 		{F5AE525F-F435-40F9-A567-4D5EC3B50D6E} = {5FE1FBC1-8CE3-4355-9866-44FE1307C5F1}
+		{C41B35C8-A8CE-445B-A642-9139EE86427A} = {9F21A235-436E-4020-A076-1DF4F89D0CA0}
+		{504CBD60-5CD7-4468-9A5A-8C11DECE268A} = {C41B35C8-A8CE-445B-A642-9139EE86427A}
+		{9F6A0033-5253-46FE-A51B-1813C49EC11F} = {64B2A28F-6D82-4F2B-B0BB-88DE5216DD2C}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {3E8720B3-DBDD-498C-B383-2CC32A054E8F}

eng/Dependencies.props

@@ -73,7 +73,6 @@ and are generated based on the last package release.
     <LatestPackageReference Include="System.Diagnostics.DiagnosticSource" />
     <LatestPackageReference Include="System.Diagnostics.EventLog" />
     <LatestPackageReference Include="System.DirectoryServices.Protocols" />
-    <LatestPackageReference Include="System.IdentityModel.Tokens.Jwt" />
     <LatestPackageReference Include="System.IO.Pipelines" />
     <LatestPackageReference Include="System.Net.Http" />
     <LatestPackageReference Include="System.Net.Http.Json" />
@@ -153,6 +152,7 @@ and are generated based on the last package release.
     <LatestPackageReference Include="Microsoft.Extensions.Caching.StackExchangeRedis" />
     <LatestPackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" />
     <LatestPackageReference Include="Microsoft.IdentityModel.Protocols.WsFederation" />
+    <LatestPackageReference Include="Microsoft.IdentityModel.JsonWebTokens" />
     <LatestPackageReference Include="Microsoft.Internal.AspNetCore.H2Spec.All" />
     <LatestPackageReference Include="Microsoft.NETCore.Windows.ApiSets" />
     <LatestPackageReference Include="Microsoft.NETCore.BrowserDebugHost.Transport" />
@@ -163,6 +163,7 @@ and are generated based on the last package release.
     <LatestPackageReference Include="NETStandard.Library" />
     <LatestPackageReference Include="System.Net.Experimental.MsQuic" />
     <LatestPackageReference Include="System.Net.Http.WinHttpHandler" />
+    <LatestPackageReference Include="System.IdentityModel.Tokens.Jwt" />
     <LatestPackageReference Include="System.ServiceProcess.ServiceController" />
     <LatestPackageReference Include="System.Threading.Tasks.Extensions" />
   </ItemGroup>

eng/ProjectReferences.props

@@ -39,6 +39,7 @@
     <ProjectReferenceProvider Include="Microsoft.AspNetCore.Html.Abstractions" ProjectPath="$(RepoRoot)src\Html.Abstractions\src\Microsoft.AspNetCore.Html.Abstractions.csproj" />
     <ProjectReferenceProvider Include="Microsoft.AspNetCore.ApiAuthorization.IdentityServer" ProjectPath="$(RepoRoot)src\Identity\ApiAuthorization.IdentityServer\src\Microsoft.AspNetCore.ApiAuthorization.IdentityServer.csproj" />
     <ProjectReferenceProvider Include="Microsoft.AspNetCore.Identity" ProjectPath="$(RepoRoot)src\Identity\Core\src\Microsoft.AspNetCore.Identity.csproj" />
+    <ProjectReferenceProvider Include="Microsoft.AspNetCore.Identity.Endpoints" ProjectPath="$(RepoRoot)src\Identity\Endpoints\src\Microsoft.AspNetCore.Identity.Endpoints.csproj" />
     <ProjectReferenceProvider Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" ProjectPath="$(RepoRoot)src\Identity\EntityFrameworkCore\src\Microsoft.AspNetCore.Identity.EntityFrameworkCore.csproj" />
     <ProjectReferenceProvider Include="Microsoft.Extensions.Identity.Core" ProjectPath="$(RepoRoot)src\Identity\Extensions.Core\src\Microsoft.Extensions.Identity.Core.csproj" />
     <ProjectReferenceProvider Include="Microsoft.Extensions.Identity.Stores" ProjectPath="$(RepoRoot)src\Identity\Extensions.Stores\src\Microsoft.Extensions.Identity.Stores.csproj" />

eng/TrimmableProjects.props

@@ -33,6 +33,7 @@
     <TrimmableProject Include="Microsoft.AspNetCore.WebUtilities" />
     <TrimmableProject Include="Microsoft.AspNetCore.Html.Abstractions" />
     <TrimmableProject Include="Microsoft.AspNetCore.Identity" />
+    <TrimmableProject Include="Microsoft.AspNetCore.Identity.Endpoints" />
     <TrimmableProject Include="Microsoft.Extensions.Identity.Core" />
     <TrimmableProject Include="Microsoft.Extensions.Identity.Stores" />
     <TrimmableProject Include="Microsoft.AspNetCore.Connections.Abstractions" />

eng/Versions.props

@@ -220,9 +220,10 @@
     <MicrosoftCodeAnalysisCSharpAnalyzerTestingXUnitVersion>1.1.2-beta1.22531.1</MicrosoftCodeAnalysisCSharpAnalyzerTestingXUnitVersion>
     <MicrosoftCodeAnalysisCSharpCodeFixTestingXUnitVersion>1.1.2-beta1.22531.1</MicrosoftCodeAnalysisCSharpCodeFixTestingXUnitVersion>
     <MicrosoftCssParserVersion>1.0.0-20200708.1</MicrosoftCssParserVersion>
-    <MicrosoftIdentityModelLoggingVersion>6.15.1</MicrosoftIdentityModelLoggingVersion>
-    <MicrosoftIdentityModelProtocolsOpenIdConnectVersion>6.15.1</MicrosoftIdentityModelProtocolsOpenIdConnectVersion>
-    <MicrosoftIdentityModelProtocolsWsFederationVersion>6.15.1</MicrosoftIdentityModelProtocolsWsFederationVersion>
+    <MicrosoftIdentityModelJsonWebTokensVersion>6.27.0</MicrosoftIdentityModelJsonWebTokensVersion>
+    <MicrosoftIdentityModelLoggingVersion>6.27.0</MicrosoftIdentityModelLoggingVersion>
+    <MicrosoftIdentityModelProtocolsOpenIdConnectVersion>6.27.0</MicrosoftIdentityModelProtocolsOpenIdConnectVersion>
+    <MicrosoftIdentityModelProtocolsWsFederationVersion>6.27.0</MicrosoftIdentityModelProtocolsWsFederationVersion>
     <MicrosoftInternalAspNetCoreH2SpecAllVersion>2.2.1</MicrosoftInternalAspNetCoreH2SpecAllVersion>
     <MicrosoftNETCoreWindowsApiSetsVersion>1.0.1</MicrosoftNETCoreWindowsApiSetsVersion>
     <MicrosoftOwinSecurityCookiesVersion>3.0.1</MicrosoftOwinSecurityCookiesVersion>

src/Identity/Core/src/IdentityConstants.cs

@@ -8,25 +8,30 @@ namespace Microsoft.AspNetCore.Identity;
 /// </summary>
 public class IdentityConstants
 {
-    private const string CookiePrefix = "Identity";
+    private const string IdentityPrefix = "Identity";
 
     /// <summary>
     /// The scheme used to identify application authentication cookies.
     /// </summary>
-    public static readonly string ApplicationScheme = CookiePrefix + ".Application";
+    public static readonly string ApplicationScheme = IdentityPrefix + ".Application";
+
+    /// <summary>
+    /// The scheme used to identify bearer authentication tokens.
+    /// </summary>
+    public static readonly string BearerScheme = IdentityPrefix + ".Bearer";
 
     /// <summary>
     /// The scheme used to identify external authentication cookies.
     /// </summary>
-    public static readonly string ExternalScheme = CookiePrefix + ".External";
+    public static readonly string ExternalScheme = IdentityPrefix + ".External";
 
     /// <summary>
     /// The scheme used to identify Two Factor authentication cookies for saving the Remember Me state.
     /// </summary>
-    public static readonly string TwoFactorRememberMeScheme = CookiePrefix + ".TwoFactorRememberMe";
+    public static readonly string TwoFactorRememberMeScheme = IdentityPrefix + ".TwoFactorRememberMe";
 
     /// <summary>
     /// The scheme used to identify Two Factor authentication cookies for round tripping user identities.
     /// </summary>
-    public static readonly string TwoFactorUserIdScheme = CookiePrefix + ".TwoFactorUserId";
+    public static readonly string TwoFactorUserIdScheme = IdentityPrefix + ".TwoFactorUserId";
 }

src/Identity/Core/src/PublicAPI.Unshipped.txt

@@ -1,2 +1,3 @@
 #nullable enable
+static readonly Microsoft.AspNetCore.Identity.IdentityConstants.BearerScheme -> string!
 virtual Microsoft.AspNetCore.Identity.SignInManager<TUser>.IsTwoFactorEnabledAsync(TUser! user) -> System.Threading.Tasks.Task<bool>!

src/Identity/Endpoints/src/ConfigureIdentityEndpointJsonOptions.cs

@@ -0,0 +1,20 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using Microsoft.AspNetCore.Http.Json;
+using Microsoft.AspNetCore.Identity.Endpoints.DTO;
+using Microsoft.Extensions.Options;
+
+namespace Microsoft.AspNetCore.Identity.Endpoints;
+
+// Review: This is trying to do a similar thing to ProblemDetailsOptionsSetup.
+// Is this what we landed on for now? Should we update that too? AddContext will be obsolete soon.
+// See: https://github.com/dotnet/runtime/issues/83280
+internal sealed class PostConfigureIdentityEndpointJsonOptions : IPostConfigureOptions<JsonOptions>
+{
+    public void PostConfigure(string? name, JsonOptions options)
+    {
+        // Add our resolver first so it isn't overridden by the default reflection-based resolver.
+        options.SerializerOptions.TypeInfoResolverChain.Insert(0, IdentityEndpointJsonSerializerContext.Default);
+    }
+}

src/Identity/Endpoints/src/DTO/AccessTokenResponse.cs

@@ -0,0 +1,21 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Text.Json.Serialization;
+
+namespace Microsoft.AspNetCore.Identity.Endpoints.DTO;
+
+internal sealed class AccessTokenResponse
+{
+    [JsonPropertyName("token_type")]
+    public string TokenType { get; } = "Bearer";
+
+    [JsonPropertyName("access_token")]
+    public required string AccessToken { get; init; }
+
+    [JsonPropertyName("expires_in")]
+    public required double ExpiresInTotalSeconds { get; init; }
+
+    // TODO: [JsonPropertyName("refresh_token")]
+    // public required string RefreshToken { get; init; }
+}

src/Identity/Endpoints/src/DTO/IdentityEndpointJsonSerializerContext.cs

@@ -0,0 +1,13 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Text.Json.Serialization;
+
+namespace Microsoft.AspNetCore.Identity.Endpoints.DTO;
+
+[JsonSerializable(typeof(RegisterRequest))]
+[JsonSerializable(typeof(LoginRequest))]
+[JsonSerializable(typeof(AccessTokenResponse))]
+internal sealed partial class IdentityEndpointJsonSerializerContext : JsonSerializerContext
+{
+}

src/Identity/Endpoints/src/DTO/LoginRequest.cs

@@ -0,0 +1,12 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace Microsoft.AspNetCore.Identity.Endpoints.DTO;
+
+internal sealed class LoginRequest
+{
+    public required string Username { get; init; }
+    public required string Password { get; init; }
+    public bool CookieMode { get; init; }
+    // TODO: public string? TfaCode { get; set; }
+}

src/Identity/Endpoints/src/DTO/RegisterRequest.cs

@@ -0,0 +1,12 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace Microsoft.AspNetCore.Identity.Endpoints.DTO;
+
+// TODO: Register DTOs with JsonSerializerOptions.TypeInfoResolverChain (was previously the soon-to-be-obsolete AddContext)
+internal sealed class RegisterRequest
+{
+    public required string Username { get; init; }
+    public required string Password { get; init; }
+    // TODO: public string? Email { get; set; }
+}

src/Identity/Endpoints/src/IdentityBearerAuthenticationHandler.cs

@@ -0,0 +1,111 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Security.Claims;
+using System.Text.Encodings.Web;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.DataProtection;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Identity.Endpoints.DTO;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Microsoft.Net.Http.Headers;
+
+namespace Microsoft.AspNetCore.Identity.Endpoints;
+
+internal sealed class IdentityBearerAuthenticationHandler : SignInAuthenticationHandler<IdentityBearerAuthenticationOptions>
+{
+    private const string BearerTokenPurpose = $"Microsoft.AspNetCore.Identity.Endpoints.IdentityBearerAuthenticationHandler:v1:BearerToken";
+
+    private static readonly Task<AuthenticateResult> TokenMissingTask = Task.FromResult(AuthenticateResult.Fail("Token missing"));
+    private static readonly Task<AuthenticateResult> FailedUnprotectingTokenTask = Task.FromResult(AuthenticateResult.Fail("Unprotect token failed"));
+    private static readonly Task<AuthenticateResult> TokenExpiredTask = Task.FromResult(AuthenticateResult.Fail("Token expired"));
+
+    private readonly IDataProtectionProvider _fallbackDataProtectionProvider;
+
+    public IdentityBearerAuthenticationHandler(
+        IOptionsMonitor<IdentityBearerAuthenticationOptions> optionsMonitor,
+        ILoggerFactory loggerFactory,
+        UrlEncoder urlEncoder,
+        ISystemClock clock,
+        IDataProtectionProvider dataProtectionProvider)
+        : base(optionsMonitor, loggerFactory, urlEncoder, clock)
+    {
+        _fallbackDataProtectionProvider = dataProtectionProvider;
+    }
+
+    private IDataProtectionProvider DataProtectionProvider
+        => Options.DataProtectionProvider ?? _fallbackDataProtectionProvider;
+
+    private ISecureDataFormat<AuthenticationTicket> BearerTokenProtector
+        => Options.BearerTokenProtector ?? new TicketDataFormat(DataProtectionProvider.CreateProtector(BearerTokenPurpose));
+
+    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
+    {
+        // If there's no bearer token, forward to cookie auth.
+        if (GetBearerTokenOrNull() is not string token)
+        {
+            return Options.BearerTokenMissingFallbackScheme is string fallbackScheme
+                ? Context.AuthenticateAsync(fallbackScheme)
+                : TokenMissingTask;
+        }
+
+        var ticket = BearerTokenProtector.Unprotect(token);
+
+        if (ticket?.Properties?.ExpiresUtc is null)
+        {
+            return FailedUnprotectingTokenTask;
+        }
+
+        if (Clock.UtcNow >= ticket.Properties.ExpiresUtc)
+        {
+            return TokenExpiredTask;
+        }
+
+        return Task.FromResult(AuthenticateResult.Success(ticket));
+    }
+
+    protected override Task HandleChallengeAsync(AuthenticationProperties properties)
+    {
+        // If there's no bearer token, forward to cookie auth.
+        if (GetBearerTokenOrNull() is null)
+        {
+            return Options.BearerTokenMissingFallbackScheme is string fallbackScheme
+                ? Context.AuthenticateAsync(fallbackScheme)
+                : TokenMissingTask;
+        }
+
+        Response.Headers.Append(HeaderNames.WWWAuthenticate, "Bearer");
+        return base.HandleChallengeAsync(properties);
+    }
+
+    protected override Task HandleSignInAsync(ClaimsPrincipal user, AuthenticationProperties? properties)
+    {
+        properties ??= new();
+        properties.ExpiresUtc ??= Clock.UtcNow + Options.BearerTokenExpiration;
+
+        var ticket = new AuthenticationTicket(user, properties, Scheme.Name);
+        var accessTokenResponse = new AccessTokenResponse
+        {
+            AccessToken = BearerTokenProtector.Protect(ticket),
+            ExpiresInTotalSeconds = Options.BearerTokenExpiration.TotalSeconds,
+        };
+
+        return Context.Response.WriteAsJsonAsync(accessTokenResponse);
+    }
+
+    protected override Task HandleSignOutAsync(AuthenticationProperties? properties)
+        => throw new NotSupportedException($"""
+Sign out is not currently supported by identity bearer tokens.
+If you want to delete cookies or clear a session, specify "{Options.BearerTokenMissingFallbackScheme}" as the authentication scheme.
+""");
+
+    private string? GetBearerTokenOrNull()
+    {
+        var authorization = Request.Headers.Authorization.ToString();
+
+        return authorization.StartsWith("Bearer ", StringComparison.Ordinal)
+            ? authorization["Bearer ".Length..]
+            : null;
+    }
+}