React to MapIdentityApi HTTP endpoints API review feedback (#50067)

Author: halter73

src/Identity/Core/src/IdentityApiEndpointRouteBuilderExtensions.cs

@@ -90,12 +90,13 @@ public static IEndpointConventionBuilder MapIdentityApi<TUser>(this IEndpointRou
         });
 
         routeGroup.MapPost("/login", async Task<Results<Ok<AccessTokenResponse>, EmptyHttpResult, ProblemHttpResult>>
-            ([FromBody] LoginRequest login, [FromQuery] bool? cookieMode, [FromQuery] bool? persistCookies, [FromServices] IServiceProvider sp) =>
+            ([FromBody] LoginRequest login, [FromQuery] bool? useCookies, [FromQuery] bool? useSessionCookies, [FromServices] IServiceProvider sp) =>
         {
             var signInManager = sp.GetRequiredService<SignInManager<TUser>>();
 
-            signInManager.PrimaryAuthenticationScheme = cookieMode == true ? IdentityConstants.ApplicationScheme : IdentityConstants.BearerScheme;
-            var isPersistent = persistCookies ?? true;
+            var useCookieScheme = (useCookies == true) || (useSessionCookies == true);
+            var isPersistent = (useCookies == true) && (useSessionCookies != true);
+            signInManager.PrimaryAuthenticationScheme = useCookieScheme ? IdentityConstants.ApplicationScheme : IdentityConstants.BearerScheme;
 
             var result = await signInManager.PasswordSignInAsync(login.Email, login.Password, isPersistent, lockoutOnFailure: true);
 
@@ -258,7 +259,7 @@ await emailSender.SendEmailAsync(resetRequest.Email, "Reset your password",
             return TypedResults.Ok();
         });
 
-        var accountGroup = routeGroup.MapGroup("/account").RequireAuthorization();
+        var accountGroup = routeGroup.MapGroup("/manage").RequireAuthorization();
 
         accountGroup.MapPost("/2fa", async Task<Results<Ok<TwoFactorResponse>, ValidationProblem, NotFound>>
             (ClaimsPrincipal claimsPrincipal, [FromBody] TwoFactorRequest tfaRequest, [FromServices] IServiceProvider sp) =>

src/Identity/test/Identity.FunctionalTests/MapIdentityApiTests.cs

@@ -0,0 +1,17 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using Microsoft.AspNetCore.Authentication.BearerToken.DTO;
+using Microsoft.AspNetCore.Http.Json;
+using Microsoft.Extensions.Options;
+
+namespace Microsoft.AspNetCore.Authentication.BearerToken;
+
+internal sealed class BearerTokenConfigureJsonOptions : IConfigureOptions<JsonOptions>
+{
+    public void Configure(JsonOptions options)
+    {
+        // Put our resolver in front of the reflection-based one. See ProblemDetailsOptionsSetup for a detailed explanation.
+        options.SerializerOptions.TypeInfoResolverChain.Insert(0, BearerTokenJsonSerializerContext.Default);
+    }
+}

src/Security/Authentication/BearerToken/src/BearerTokenConfigureJsonOptions.cs

@@ -3,6 +3,7 @@
 
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.BearerToken;
+using Microsoft.AspNetCore.Http.Json;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Options;
 
@@ -64,6 +65,7 @@ public static AuthenticationBuilder AddBearerToken(this AuthenticationBuilder bu
         ArgumentNullException.ThrowIfNull(authenticationScheme);
         ArgumentNullException.ThrowIfNull(configure);
 
+        builder.Services.TryAddEnumerable(ServiceDescriptor.Singleton<IConfigureOptions<JsonOptions>, BearerTokenConfigureJsonOptions>());
         builder.Services.TryAddEnumerable(ServiceDescriptor.Singleton<IConfigureOptions<BearerTokenOptions>, BearerTokenConfigureOptions>());
         return builder.AddScheme<BearerTokenOptions, BearerTokenHandler>(authenticationScheme, configure);
     }

src/Security/Authentication/BearerToken/src/BearerTokenExtensions.cs

@@ -3,8 +3,11 @@
 
 using System.Security.Claims;
 using System.Text.Encodings.Web;
+using System.Text.Json.Serialization.Metadata;
 using Microsoft.AspNetCore.Authentication.BearerToken.DTO;
 using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http.Json;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using Microsoft.Net.Http.Headers;
@@ -69,13 +72,21 @@ protected override async Task HandleSignInAsync(ClaimsPrincipal user, Authentica
         var response = new AccessTokenResponse
         {
             AccessToken = Options.BearerTokenProtector.Protect(CreateBearerTicket(user, properties)),
-            ExpiresInSeconds = (long)Options.BearerTokenExpiration.TotalSeconds,
+            ExpiresIn = (long)Options.BearerTokenExpiration.TotalSeconds,
             RefreshToken = Options.RefreshTokenProtector.Protect(CreateRefreshTicket(user, utcNow)),
         };
 
         Logger.AuthenticationSchemeSignedIn(Scheme.Name);
 
-        await Context.Response.WriteAsJsonAsync(response, BearerTokenJsonSerializerContext.Default.AccessTokenResponse);
+        await Context.Response.WriteAsJsonAsync(response, ResolveAccessTokenJsonTypeInfo(Context));
+    }
+
+    private static JsonTypeInfo<AccessTokenResponse> ResolveAccessTokenJsonTypeInfo(HttpContext httpContext)
+    {
+        // Attempt to resolve options from DI then fall back to static options
+        var typeInfo = httpContext.RequestServices.GetService<IOptions<JsonOptions>>()
+            ?.Value?.SerializerOptions?.GetTypeInfo(typeof(AccessTokenResponse)) as JsonTypeInfo<AccessTokenResponse>;
+        return typeInfo ?? BearerTokenJsonSerializerContext.Default.AccessTokenResponse;
     }
 
     // No-op to avoid interfering with any mass sign-out logic.

src/Security/Authentication/BearerToken/src/BearerTokenHandler.cs

@@ -1,7 +1,7 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using System.Text.Json.Serialization;
+using System.Text.Json;
 
 namespace Microsoft.AspNetCore.Authentication.BearerToken.DTO;
 
@@ -15,35 +15,31 @@ internal sealed class AccessTokenResponse
     /// in the form of an opaque <see cref="AccessToken"/>.
     /// </summary>
     /// <remarks>
-    /// This is serialized as "token_type": "Bearer" using System.Text.Json.
+    /// This is serialized as "tokenType": "Bearer" using <see cref="JsonSerializerDefaults.Web"/>.
     /// </remarks>
-    [JsonPropertyName("token_type")]
     public string TokenType { get; } = "Bearer";
 
     /// <summary>
     /// The opaque bearer token to send as part of the Authorization request header.
     /// </summary>
     /// <remarks>
-    /// This is serialized as "access_token": "{AccessToken}" using System.Text.Json.
+    /// This is serialized as "accessToken": "{AccessToken}" using <see cref="JsonSerializerDefaults.Web"/>.
     /// </remarks>
-    [JsonPropertyName("access_token")]
     public required string AccessToken { get; init; }
 
     /// <summary>
     /// The number of seconds before the <see cref="AccessToken"/> expires.
     /// </summary>
     /// <remarks>
-    /// This is serialized as "expires_in": "{ExpiresInSeconds}" using System.Text.Json.
+    /// This is serialized as "expiresIn": "{ExpiresInSeconds}" using <see cref="JsonSerializerDefaults.Web"/>.
     /// </remarks>
-    [JsonPropertyName("expires_in")]
-    public required long ExpiresInSeconds { get; init; }
+    public required long ExpiresIn { get; init; }
 
     /// <summary>
     /// If set, this provides the ability to get a new access_token after it expires using a refresh endpoint.
     /// </summary>
     /// <remarks>
-    /// This is serialized as "refresh_token": "{RefreshToken}" using System.Text.Json.
+    /// This is serialized as "refreshToken": "{RefreshToken}" using using <see cref="JsonSerializerDefaults.Web"/>.
     /// </remarks>
-    [JsonPropertyName("refresh_token")]
     public required string RefreshToken { get; init; }
 }