Should RemoteAuthenticationOptions validate SignInScheme != null?

[HaoK]

This should validation was lost at some point, SignInScheme is required for remote auth.

[HaoK]

Or maybe we removed this validation to enable calling the default sign in scheme...

[davidfowl]

Can we also validate and SignInScheme != Scheme, are the schemes stored on the instances of the handlers themselves?

[HaoK]

We will likely have to validate that outside of the normal validation (not AuthenticationSchemeOptions.Validate, but inside of the base RemoteAuthenticationHandler itself to have access to the scheme name, and we'd likely have to also explicitly check for when its the default that fallback to itself as well.

[kevinchalet]

Can we also validate and SignInScheme != Scheme, are the schemes stored on the instances of the handlers themselves?

Exactly what I had recommended here: #1264 (comment)

We will likely have to validate that outside of the normal validation

You can easily do that in EnsureSignInScheme as you have access to both names:

Security/src/Microsoft.AspNetCore.Authentication/AuthenticationServiceCollectionExtensions.cs

Lines 98 to 101 in 488eb44

	public void PostConfigure(string name, TOptions options)
	{
	options.SignInScheme = options.SignInScheme ?? _authOptions.DefaultSignInScheme;
	}

[Tratcher]

Related issue to address:

Security/src/Microsoft.AspNetCore.Authentication/AuthenticationServiceCollectionExtensions.cs

Lines 98 to 101 in 488eb44

	public void PostConfigure(string name, TOptions options)
	{
	options.SignInScheme = options.SignInScheme ?? _authOptions.DefaultSignInScheme;
	}

There should be an additional ?? _authOptions.DefaultScheme; for when DefaultSignInScheme isn't set. That's what was starting some of the stack overlfows by passing nulls.