Replace configure method on TwitterOptions and OpenIdConnectOptions with CookieBuilder

[natemcmaster]

Addresses aspnet/HttpAbstractions#853.

Uses the new CookieBuilder API added here: aspnet/HttpAbstractions#882

Part 1- look for a separate PR to remove duplication from CookieAuthenticationOptions.

[dnfclas]

@natemcmaster,
Thanks for having already signed the Contribution License Agreement. Your agreement was validated by .NET Foundation. We will now review your pull request.
Thanks,
.NET Foundation Pull Request Bot

[HaoK]

Maybe just do this instead? cookieOptions.Path = cookieOptions.Path ?? OriginalPathBase + Options.CallbackPath;

There's also a subtle bug here, since even if Path == null, the Builder could set the cookie.Path, which would get blasted away

[natemcmaster]

Yes, that's why this deliberately checks if (Options.NonceCookie.Path == null) first.

[HaoK]

Yeah so what if they have CustomCookieBuilder which sets cookieOptions.Path = "/mypath" in Build(), this code will still stomp on the path. The check should be checking the real cookieOptions.Path, not the builder property

[natemcmaster]

Hmm. This is problematic. The default ctor for CookieOptions always sets Path to "/". If someone implements a custom cookie builder, it will be hard for us to detect if they indend to overwrite the default value or not.

var builder = new CookieBuilder();
  // builder.Path= null
var options = builder.Build(context)
  // options.Path= "/"

 // builder.Path== null means we can assume the user does not indent to change 
 // the default path, therefore we set it to OriginalPathBase + Options.CallbackPath

var builder = new MyCustomCookieBuilder();
  // builder.Path= null
var options = builder.Build(context)
  // options.Path= "/mypath"

  // builder.Path== null means ????

[HaoK]

Just check for options.Path == "/" and builder.Path== null?

[HaoK]

We are talking about Path not name right?

[HaoK]

Or we can just check for options.Path == "/" since we can't really assume anything based on the property alone.

if (cookieOptions.Path == "/") {
    cookieOptions.Path = OriginalPathBase + Options.CallbackPath;
}

[natemcmaster]

I figured out a way to do that. I override the build method to detect the value of Path before. Should allow user to override.

[Tratcher]

This isn't honoring the Expiration from CookieBuilder. Only set it if not null?

Any way to resolve Options.ProtocolValidator.NonceLifetime in the builder? Then you could incorporate it in a way that could be overridden.

[HaoK]

Yup, just add a Property in a OpenIdConnectCookieBuilder for it

[natemcmaster]

Updated

[Tratcher]

Yeah, this gets simpler if we prevent Name from being null.

[natemcmaster]

Updated.

[Tratcher]

Add support for the correlation cookie, or file a followup bug since this isn't currently configurable.

Security/src/Microsoft.AspNetCore.Authentication/RemoteAuthenticationHandler.cs

Line 190 in ff9f145

var cookieOptions = new CookieOptions

[HaoK]

Should just make the change in this PR for correlation cookie

[natemcmaster]

Rebased and added the correlation cookie change to this PR.

[HaoK]

Should we consider having the handlers set a OriginalPathBase property on the CookieBuilder instead of having the builder pull it from the context?

[HaoK]

Commenting again in the right version: Should we make this a property on RequestPathBaseCookieBuilder that the handlers set instead of making the builder pull it out?

[natemcmaster]

Possibly racy. The builder is shared across multiple contexts.

[natemcmaster]

🔔

[HaoK]

Shouldn't this be something like Options.CorrelationCookie.Name now?

[natemcmaster]

Yup. Updated.

[Tratcher]

I'm trying to think if a user would Build their options any differently if they knew they were building a delete cookie.