Do not serialize Parameters

Explicitly prevent the Parameters dictionary from being included in the deserialized payload.
See dotnet#31330 (comment).

Author: martincostello

src/Http/Authentication.Abstractions/src/AuthenticationProperties.cs

@@ -65,6 +65,7 @@ public AuthenticationProperties Clone()
         /// Collection of parameters that are passed to the authentication handler. These are not intended for
         /// serialization or persistence, only for flowing data between call sites.
         /// </summary>
+        [JsonIgnore]
         public IDictionary<string, object?> Parameters { get; }
 
         /// <summary>

src/Http/Authentication.Core/test/AuthenticationPropertiesTests.cs

@@ -320,6 +320,12 @@ public void Roundtrip_Serializes_With_SystemTextJson()
             props.Parameters.Add("baz", "quux");
 
             var json = JsonSerializer.Serialize(props);
+
+            // Verify that Parameters was not serialized
+            Assert.NotNull(json);
+            Assert.DoesNotContain("baz", json);
+            Assert.DoesNotContain("quux", json);
+
             var deserialized = JsonSerializer.Deserialize<AuthenticationProperties>(json);
 
             Assert.NotNull(deserialized);
@@ -339,6 +345,20 @@ public void Roundtrip_Serializes_With_SystemTextJson()
             Assert.Equal(0, deserialized.Parameters.Count);
         }
 
+        [Fact]
+        public void Parameters_Is_Not_Deserialized_With_SystemTextJson()
+        {
+            var json = @"{""Parameters"":{""baz"":""quux""}}";
+
+            var deserialized = JsonSerializer.Deserialize<AuthenticationProperties>(json);
+
+            Assert.NotNull(deserialized);
+
+            // Ensure that parameters is not deserialized from a raw payload
+            Assert.NotNull(deserialized!.Parameters);
+            Assert.Equal(0, deserialized.Parameters.Count);
+        }
+
         public class MyAuthenticationProperties : AuthenticationProperties
         {
             public new DateTimeOffset? GetDateTimeOffset(string key)