Add AdditionalAuthorizationParameters for OAuth/OIDC

[Skulblaka]

I'm trying to create an app that allows my users to sign in with their Atlassian/Jira account. For this I'm using three-legged OAuth (3LA) as describe in https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/ with ASP.NET Core Identity.

As describe in the beforementioned document, their authorize endpoint requires the parameter audience to be set to api.atlassian.com. (See Implementing OAuth 2.0 (3LO), 1. Direct the user to the authorization URL to get an authorization code)

As far as I can tell from the source of OAuthHandler<>.BuildChallengeUrl(AuthenticationProperties, string), it is not possible to configure the audience parameter of the generated challenge url.

Describe the solution you'd like

I would like to be able to configure the audience parameter using OAuthOptions:

services.AddAuthentication().AddOAuth("Jira", options =>
{
    options.Audience = "api.atlassian.com";
});

Alternativly, a more generic solution I would like is something like a Dictionary<string, string> AdditionalAuthorizationParameters:

services.AddAuthentication().AddOAuth("Jira", options =>
{
    options.AdditionalAuthorizationParameters.Add("audience", "api.atlassian.com");
});

Additional context

Based on my quick research, requiring an audience on the Authorization Endpoint using the Authorization Code Grant does not conform to the OAuth protocol as describe in RFC 6749, however I found that at least Auth0 and Atlassian do so.

[Skulblaka]

Found a workaround using OAuthEvents.OnRedirectToAuthorizationEndpoint:

services.AddAuthentication().AddOAuth("Jira", "Jira", options =>
{
// ...
    var onRedirectToAuthorizationEndpoint = options.Events.OnRedirectToAuthorizationEndpoint;
    options.Events.OnRedirectToAuthorizationEndpoint = async context =>
    {
        context.RedirectUri =
            QueryHelpers.AddQueryString(context.RedirectUri, "audience", "api.atlassian.com");
        await onRedirectToAuthorizationEndpoint(context);
    };
// ...
});

[Tratcher]

From a search of https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers/, this doesn't seem to be a common requirement. Since so many oauth providers require one-off customizations, the recommendation is to derive from the OAuthHandler and modify the parts you need. Here's an example of changing the challenge url:
https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers/blob/990f1bbfdbe1716e1c2bb03722b67b9a24225c4a/src/AspNet.Security.OAuth.Discord/DiscordAuthenticationHandler.cs#L29-L41

@martincostello would something like AdditionalAuthorizationParameters allow consolidating some custom implementations?

Hi @Skulblaka. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

[martincostello]

@Tratcher Looking at our providers, it looks like there's 7 providers that could potentially benefit from something like AdditionalAuthorizationParameters, where we could then completely remove our BuildChallengeUrl() overrides and just populate it either in the relevant options class or as a post-configure action:

1. Apple
2. Discord
3. Dropbox
4. Line
5. Reddit
6. Twitch
7. Zalo

[adityamandaleeka]

Triage: we should consider adding something like AdditionalAuthorizationParameters.

Thanks for contacting us.

We're moving this issue to the .NET 7 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.