Add RemoteAuthenticationHandler base (support for error handling)

[HaoK]

cc @Tratcher

[dnfclas]

Hi @HaoK, I'm your friendly neighborhood .NET Foundation Pull Request Bot (You can call me DNFBOT). Thanks for your contribution!
You've already signed the contribution license agreement. Thanks!

The agreement was validated by .NET Foundation and real humans are currently evaluating your PR.

TTYL, DNFBOT;

[HaoK]

Not sure where best to integrate this with ODIC yet. Also still need to see if this makes sense in Cookies anywhere

[kevinchalet]

I'm not sure this property is general enough to put in the base AuthenticationOptions.

[HaoK]

Where else could it live if we want the common error handler logic in the base handler?

[kevinchalet]

The question is: do we want to have that in the base handler? This error handling is only applicable to authentication handlers implementing InvokeAsync (since you can't control the flow elsewhere) and I'm not sure all middleware will implement it.

[HaoK]

Yeah well the other option is to introduce a base class for all of the Invoke style middlewares (not cookie/bearer) basically. I've been leaning towards that anyways, I'm not opposed to taking a stab at that and moving this error handling into the new common base. We need to rename InvokeAsync anyways, that name is terrible.

[HaoK]

Perhaps RedirectingAuthenticationMiddleware as the name of the new shared base class for OAuth/OIDC/Twitter

[kevinchalet]

What do you mean exactly by "common flows"? It sounds like a crazy idea 😄

[HaoK]

Yeah you and @Tratcher both think I'm crazy :)

[HaoK]

@PinpointTownes see new RemoteAuthenticationHandler shared base class, @Tratcher has grudgingly come around to its value... standardizes Invoke path for OAuth/Twitter/OIDC

[Tratcher]

This isn't needed anymore, correct?

[HaoK]

Yep nuking

[HaoK]

Updated with major changes:

• Depends on HttpAbstractions: PR Auth changes: error handling + make error txt less sucky HttpAbstractions#421
• Removed bools from protected Handle methods and use context.IsResponseCompleted
• HandleAuthenticate now returns AuthenticateResult which contains Ticket and ErrorContext
• ErrorContext contains an error message and optional error uri for redirect

[HaoK]

Updated with a stab at moving InvokeReplyPath to a new RemoteAuthenticationHandler base for OAuth and Twitter, I also sucked some of the common options into here as well like (BackChannel/CallbackPath). I also moved SigningIn to this base class/options, but I'm not even sure we really need this event anymore...

[kevinchalet]

I'm not opposed to re-throwing exceptions by default at this stage. But they MUST be caught somewhere: we can't afford returning a 500 response for a simple invalid/expired token.

[HaoK]

Make sure we don't forget about this. Once the higher level changes are agreed on, the fun process of going through each of the specific error/exception paths needs to be reviewed :/

[HaoK]

New iteration changes:
RemoteAuthorizationOptions is now the base class for OAuth/Twitter/OpenIdConnectOptions. It has a separate IRemoteEvents property which contains the Error and SigningIn events which are only invoked via the newly renamed HandleRemoteCallbackAsync. The old handler specific events are unchanged and continue to live in their stand alone Events property.

HandleErrorAsync is a no-op in the base AuthHandler, and overridden in RemoteHandler to invoke the Error event on RemoteOptions.RemoteEvents.

[HaoK]

Update:

• Only RemoteAuthenticationHandler/Invoke code paths use and inspect the ErrorContext.
• No events for TicketReceived/RemoteError, as that would pose issues with the derived handlers having to cast, or using new. (I think we should just nuke all of the event classes and switch to simple delegates for each on the options directly).
• Nuked generics off of the base context types, instead each group (OAuth/Twitter/OIDC/Cookies) defines the correctly typed TOption lower down in their respective places.
• OAuth/OIDC now return error authentication results instead of null tickets
• Convenience methods of AuthenticationResult.Success/Failed

TBD: Renaming OIDC events, and adding control flow to cookies to see if BaseContext can be merged with BaseControlContext

[kevinchalet]

Nice 😄

@PinpointTownes see new RemoteAuthenticationHandler shared base class, @Tratcher has grudgingly come around to its value... standardizes Invoke path for OAuth/Twitter/OIDC

Actually, it doesn't look that bad but... 😄

No events for TicketReceived/RemoteError, as that would pose issues with the derived handlers having to cast, or using new. (I think we should just nuke all of the event classes and switch to simple delegates for each on the options directly).

Outch, it's a horrible pattern that will kill hundreds of poor kittens 😢
If this is the price to pay for having a new RemoteAuthenticationHandler, I'm not sure it's really worth it: events are for advanced flow control. Merging them with the options would create too much noise and make the real events harder to discover.

Nuked generics off of the base context types, instead each group (OAuth/Twitter/OIDC/Cookies) defines the correctly typed TOption lower down in their respective places.

Curious: what's the benefit? 😮

Convenience methods of AuthenticationResult.Success/Failed

Oh yeah, it's much nicer 👍

That said, I know wonder why we need this class at all, since it simply exposes the ticket and an exception... why not simply returning the ticket and throwing exceptions? 😄
Also, I'm not sure how I feel when I see one of the Failed methods creating an exception on-the-fly without ever throwing it.

[kevinchalet]

Is this needed?

[HaoK]

Leftover turds from previous iterations, nuking thanks :)

[HaoK]

So the other option which I had previously was keeping the base remote events in a separate IRemoteEvents property on the base options so they don't interfere with the actual provider events.

options.RemoteEvents = new RemoteEvents() { OnError = ... }; (note I've come around fully to @Tratcher's view that the events should just be simple delegates without methods/interface)

[HaoK]

Updated: AuthenticationResult.Sucess to throw if a null ticket is provided, so the only time Ticket should be null is via the Failed method

[Tratcher]

Agreed.

[HaoK]

Introduced new protected virtual HandleRemoteAuthenticateAsync to RemoteAuthenticationHandler and moved all the Invoke path logic there (old HandleAuthenticate method now returns a failed authenticated result). We should consider if its more appropriate to use a no-op successful empty ticket like before

[HaoK]

@Tratcher Updated with new iteration based on what we decided on:

Put events back into the base Event property and use it as a new base

[Tratcher]

Remove empty docs, doesn't return anything.

[HaoK]

Updated with the new iteration:

• Split AutomaticAuthentication into AutomaticChallenge / AutomaticAuthenticate
• Brought back bool control flow for Unauthorized/Challenge
• OAuth throws with no catch which is a temporary behavior change until we revisit error handling in the next PR

@Tratcher

[Tratcher]

This one should also use AutomaticChallenge. See https://github.com/aspnet/Security/blob/haok9-25/errors/samples/SocialSample/Startup.cs#L225

[Tratcher]

Almost done ⌚

[kevinchalet]

Curious: why do you need this?

[HaoK]

We nuked Options/Generics off of the base contexts, and just added them all back in the specific OAuth/Cookies/Facebook contexts themselves.

        public CookieAuthenticationOptions Options { get; }

[HaoK]

Updated, any last requests? I'll push this tomorrow in the afternoon, MVC/Identity changes look to be fairly small surprisingly :)

[HaoK]

409b502 will address any remaining issues in next iteration/PR

[Tratcher]

I'm still trying to understand how you would get to this point without a principal or ReturnUri. I would expect all of those cases to be error conditions handled above.

[HaoK]

The event can simply null out the principal or return uri, its settable on the context today

[Tratcher]

That would mean you're using the context property values as a form of flow control. Since we have real flow control now I don't think we should support the old hacky approach.

[HaoK]

Make the context properties read only for Ticket/Principal then? I'm fine with that :)

[Tratcher]

No, we still want to allow people to replace it, but I don't think we should support null values.

[HaoK]

The problem is we allow AuthenticationTickets with null principals. So we can't easily block this unless we change that.

[eriksendc]

Hi All,

Before posting a new issue I wanted to see if perhaps this issue was about or related to an issue I'm having. I'm on RC1, When a user selects to authenticate w/Facebook, and they put in their user name and password correctly, but clicks the Cancel button on the "this is what the app is requesting" confirmation, then the user's browser is redirected to

https://localhost:44300/signin-facebook?error=access_denied&error_code=200&error_description=Permissions+error&error_reason=user_denied&state=CfDJ8BCOQ9uBPU9Cu4ITtOhOeD-LHOt2vhRmJu5_xD4rvL3zm4ka-ak_iYgNuIJOOjjMsO1Fg5p5Tb8Fll6CJ064ysTkRrC46xaeG_vu5sFQdpPKjjGPokfsPnndPsB84CnDmRIzjwLeGgYzbESqjjGyAFUmSACDAYLo9LmmA8HJNPcdJIxTvcrepdr0GfE2DhJtP_D0Z7wNxyzJw1Jf8pGprHP8P4Q130hpmFzOLA2UCwjXYPxijlOP9LpY6Pgz66PKVJt_nO-6e0yA7aStVJTCOH8ic-I2xRguFAWXpfoim8wlqaizDupXFBBgeBtw9RvopkxKENby2N89okirRZSFK6FTLZJaG7RKxEWv_aUZskoFKmrKrkZDm0Ur3DyWnH53fQ#_=_

Control doesn't seem to be flowing back to my ASP.NET web application (I never get back anything in any /Account/xxx account controller method.

Wanted to report as an issue if it isn't one yet, but didn't want to add a new issue if this has already been fixed.

Thanks,
-Brian Eriksen

[kevinchalet]

@eriksendc hey,

There's actually a ticket tracking that: #710.

[eriksendc]

Thx!