Consider requiring callback path #455
Description
OIDC is the only middleware with an optional callback path, and it's not set by default.
In `HandleAuthenticateAsync`:

```csharp
if (Options.CallbackPath.HasValue && Options.CallbackPath != (Request.PathBase + Request.Path))
```
This results in it reading every query string or form body and trying to authenticate.
WsFed needed this because it could accept logins without first sending a challenge. OIDC doesn't support this because State, Nonce, correlation id, etc. are required.
The only other argument I remember for this design was that developers may not control the value, it may be dictated by the IDP. Even in that case, they should be able to set the path to whatever the IDP requires (usually /).
Consider making callback path required and provide a default value.
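As an added illustration (not code from the issue or from the aspnet/Security project), the snippet below shows the two halves of the proposal: an explicit `CallbackPath` in the middleware configuration, and a gate that mirrors the quoted `HandleAuthenticateAsync` check but treats the path as required, so a request whose path does not match is never parsed for an authentication response. The `UseOpenIdConnectAuthentication`/`OpenIdConnectOptions` registration shape, the `/signin-oidc` value and the `ShouldInspectForCallback` helper are assumptions for the example, not the project's own API or defaults.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class OidcCallbackExample
{
    // Assumed registration shape: the point is that CallbackPath is set explicitly
    // instead of being left unset, so only one endpoint is ever inspected for
    // id_token/code/state parameters.
    public static void Configure(IApplicationBuilder app)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
        {
            Authority = "https://idp.example.test",           // placeholder IDP
            ClientId = "example-client-id",                   // placeholder
            CallbackPath = new PathString("/signin-oidc"),    // assumed default value
        });
    }

    // Hypothetical helper mirroring the quoted check, with the path required.
    // With the optional design, !HasValue meant "inspect every request";
    // here an unset path is a configuration error rather than a wildcard.
    public static bool ShouldInspectForCallback(PathString callbackPath, PathString pathBase, PathString path)
    {
        if (!callbackPath.HasValue)
        {
            throw new System.InvalidOperationException("CallbackPath must be configured.");
        }

        // Only the configured callback endpoint gets its query string / form body read.
        return callbackPath == (pathBase + path);
    }
}
```

With the gate in place, a request to `/api/orders?state=...&code=...` is simply passed through, whereas the previous `HasValue` short-circuit would have attempted to authenticate it; the correlation and nonce checks would still reject it, but only after the body had been read.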