Support AuthenticationOptions modification per request
I want to authenticate an ASP.NET OWIN app using an OpenIdConnect provider. My app is multi-tenant, and the tenant is distinguished by subdomain.
There is an ability to do some stuff before the request is sent, on the RedirectToIdentityProvider event. And it even exposes Options that are mutable, which leads to crazy stupid errors.
Pay attention to my comments in this snippet:
```csharp
OpenIdConnectAuthenticationOptions openIdConnectOptions = null;
openIdConnectOptions = new OpenIdConnectAuthenticationOptions
{
    Authority = authority,
    ClientId = clientId,
    ClientSecret = clientSecret,
    RedirectUri = "signin-oidc",
    PostLogoutRedirectUri = "signout-oidc",
    ResponseType = string.Join(" ", new string[]
    {
        OpenIdConnectConstants.ResponseTypes.Code,
        OpenIdConnectConstants.ResponseTypes.IdToken,
        OpenIdConnectConstants.ResponseTypes.Token
    }),
    Scope = string.Join(" ", new string[]
    {
        OpenIdConnectConstants.Scopes.OpenId,
        OpenIdConnectConstants.Scopes.Email,
        OpenIdConnectConstants.Scopes.Profile,
        OpenIdConnectConstants.Scopes.OfflineAccess
    }),
    TokenValidationParameters = new TokenValidationParameters
    {
        NameClaimType = OpenIdConnectConstants.Claims.Email,
        RoleClaimType = OpenIdConnectConstants.Claims.Role
    },
    SignInAsAuthenticationType = "Cookies",
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        AuthorizationCodeReceived = async n =>
        {
            ...
        },
        RedirectToIdentityProvider = n =>
        {
            // SAME MUTABLE INSTANCE
            bool equals = object.ReferenceEquals(n.Options, openIdConnectOptions);
            Uri requestUri = n.Request.Uri;
            var options = n.Options;
            // I MUTATE IT
            // IMAGINE WHICH CRAZY MULTITHREADING ERRORS CAN HAPPEN!!!
            options.RedirectUri = requestUri.ToString() + "signin-oidc";
            options.PostLogoutRedirectUri = requestUri.ToString() + "signout-oidc";
            options.Resource = TenantHelper.GetTenantName(requestUri);
            // if signing out, add the id_token_hint
            if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
            {
                var idTokenHint = n.OwinContext.Authentication.User.GetClaim(OpenIdConnectConstants.Parameters.IdToken);
                if (idTokenHint != null)
                {
                    n.ProtocolMessage.IdTokenHint = idTokenHint;
                }
            }
            return Task.CompletedTask;
        }
    }
};
app.UseOpenIdConnectAuthentication(openIdConnectOptions);
```
You must protect the average user from such errors!!! It is a very bad and inflexible design!!!
I think its architecture must be redesigned to fix this design issue and allow modifying options per request.
My proposal 1:
- Make options clonable
- Change this line to pass an options clone: https://github.com/aspnet/AspNetKatana/blob/64bf627964ca9bd312cfda31916194212731c11c/src/Microsoft.Owin.Security/Infrastructure/AuthenticationMiddleware.cs#L27

My proposal 2:
- Make all options read only
- Change to `protected set`: https://github.com/aspnet/AspNetKatana/blob/64bf627964ca9bd312cfda31916194212731c11c/src/Microsoft.Owin.Security/Infrastructure/AuthenticationHandler`1.cs#L14
- Change to `set`: https://github.com/aspnet/AspNetKatana/blob/64bf627964ca9bd312cfda31916194212731c11c/src/Microsoft.Owin.Security/Provider/BaseContext`1.cs#L19
- Add `Options = notification.Options;` after https://github.com/aspnet/AspNetKatana/blob/64bf627964ca9bd312cfda31916194212731c11c/src/Microsoft.Owin.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs#L93 and https://github.com/aspnet/AspNetKatana/blob/64bf627964ca9bd312cfda31916194212731c11c/src/Microsoft.Owin.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs#L164
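The same per-tenant redirect can be produced today without touching the shared options object, because the handler serializes `n.ProtocolMessage`, which is created per request, into the redirect. The handler below is an added example written for this page, not code from the issue or from Katana; it assumes Katana 4 namespaces and that `TenantHelper.GetTenantName` is the issue author's own helper.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;

// Added example (not from the issue or from Katana): the per-tenant values go on the
// per-request ProtocolMessage, and the shared OpenIdConnectAuthenticationOptions instance
// is never written. TenantHelper.GetTenantName is the issue author's helper and is assumed to exist.
public static class PerRequestOidcNotifications
{
    public static Task RedirectToIdentityProvider(
        RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n)
    {
        // n.Options is the single instance handed to UseOpenIdConnectAuthentication and is shared by
        // every concurrent request; assigning to its properties here is the race described in the issue.
        // n.ProtocolMessage is built for this request only and is what the handler turns into the
        // redirect URL, so anything derived from the incoming request belongs there.
        Uri requestUri = n.Request.Uri;
        string tenantBase = new Uri(requestUri, "/").ToString();   // scheme + host of this tenant

        n.ProtocolMessage.RedirectUri = tenantBase + "signin-oidc";
        n.ProtocolMessage.PostLogoutRedirectUri = tenantBase + "signout-oidc";
        n.ProtocolMessage.Resource = TenantHelper.GetTenantName(requestUri);

        if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
        {
            // id_token_hint is per-user, so it also belongs on the message. The claim name "id_token"
            // is an assumption; it must match how the sign-in ticket stored the token.
            ClaimsPrincipal user = n.OwinContext.Authentication.User;
            string idTokenHint = user?.FindFirst("id_token")?.Value;
            if (idTokenHint != null)
            {
                n.ProtocolMessage.IdTokenHint = idTokenHint;
            }
        }
        return Task.CompletedTask;
    }
}
```

Wire it in with `RedirectToIdentityProvider = PerRequestOidcNotifications.RedirectToIdentityProvider` in the notifications. If the authorization code is redeemed manually in `AuthorizationCodeReceived`, derive the same tenant `redirect_uri` there from `n.Request.Uri`, since the token request must carry the value that was sent in the authorization request.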
Issue Analytics
- Created 5 years ago
- Comments: 15 (5 by maintainers)
Top GitHub Comments
We don’t have plans to design or build this functionality right now.

Hello, about this issue, I would like to add something: we want to make our app multi-authority, so we need to change the authority dynamically (it is more or less the same problem).
What do you think about creating a new event to handle this? Something like ‘OnRequestAuthority’, and inside it we could do “what we need”?
I think that this would not break anything or generate big problems.
Regards.