Make it possible to extend/hook Security stamp validation to enable keeping current cookie claims when renewing cookie

[brockallen]

Vital claims that might only be captured at login time are lost when the security stamp is renewed. The implementation itself even has a comment to review this behavior:

var user = await _signInManager.ValidateSecurityStampAsync(context.Principal);
if (user != null)
{
    // REVIEW: note we lost login authenticaiton method
    context.ReplacePrincipal(await _signInManager.CreateUserPrincipalAsync(user));
    context.ShouldRenew = true;
}

I'd suggest simply using the current ticket's claims, but replacing the security stamp. If it's deemed that this is not to be changed/fixed, then perhaps add a flag to allow both behaviors?

This came up as part of using ASP.NET Identity within IdentityServer4: DuendeArchive/IdentityServer4#277

[HaoK]

Yeah the current behavior assumes the UserPrincipalFactory is the source of truth for creating a current up to date principal (we don't want to just refresh the old cookie in its entirety since this feature is about getting rid of any invalid claims to prevent unauthorized access). Can you just plug in your own derived factory to add the additional claims or are they stored anywhere other than the cookie?

[brockallen]

They're dynamic. I understand not wanting to keep the security stamp claim, but that's the only one you really need to replace (and that's easy to do).

Also this behavior of reloading only from the DB behavior will break OIDC federated sign-out behavior given the need to maintain the sid claim coming from an external provider (which is also dynamic): https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs#L123

[HaoK]

Not at all, this feature is about clearing out security related claims or any other things that might have changed in the user. I.e. some permission has been revoked, so the cookie must be regenerated as its no longer valid. The stamp claim is only used to trigger the forced refresh.

[HaoK]

We have no way to tell what's sensitive or not, hence the entire cookie needs to be regenerated (which is what the IUserClaimsPrincipalFactory's job is). Also this is the sign out everywhere feature for identity.

[brockallen]

The security stamp is only changed on these operations:

• create user
• set username
• remove login
• set/change email
• set/change phone
• set 2fa
• update password

it's not set when claims or roles change, so I'm not sure I agree with this:

this feature is about clearing out security related claims or any other things that might have changed in the user

so it really seems the security stamp feature is about when the user's credentials change, not when their data changes.

[HaoK]

Well the idea is when you want to sign out the user everywhere, you call the public method UpdateSecurityStamp on the UserManager.... So in any admin app which is doing the role changes, it almost certainly would call that method (i.e. almost every operation on a manage page should result in this being called).

The idea is any time any 'security' (intentionally vague as its app specific) related feature changes, this should be called. I agree that its not intended to be called if any user data changes, as something explicitly had to have triggered the stamp to change.

[brockallen]

Regardless of my use case, this still breaks federated sign-out with the OIDC middleware. Perhaps you and @Tratcher could discuss?

[brockallen]

Also, something to consider: Make it easier to extend the existing SecurityStampValidator. It looks like I can't derive from the existing, and instead have to replicate all of the same logic. Perhaps either some virtuals to break apart the check vs. the replacing the user. Or just move the logic of checking for enough elapsed time into an extension method. Or both.

[brockallen]

Wait, I just looked again at the implementation in SecurityStampValidator. If the validation is successful (meaning the security stamp has not changed), then the user is replaced. So a new cookie is issued even if nothing security related on the account has changed.

I now get the signout part, but why reissue/replace the claims? That's the "feature" I don't understand. Replacing the user seems to be additional behavior beyond the stated purpose of "when you want to sign out the user everywhere".

[HaoK]

Its been this way since we added this feature I think (2.0), unfortunately I don't exactly remember the reasoning anymore (regenerate vs reuse). @blowdart any recollection, basically the behavior we have is, we check every 30 minutes or so, when we check (we either reject the cookie (stamp doesn't match), or we regenerate an fresh principal for the user.

If I were to guess, this is safest, since if an app forgets to call UpdateSecurityStamp, they will still automatically get protected every 30 minutes or so if anything security critical was changed but the stamp wasn't explicitly invalidated. Flipping the stamp results in the user having to relog in, while a fresh identity shouldn't be lossy in theory...

[brockallen]

Turns out it's impossible to build a custom IUserClaimsPrincipalFactory that copies over the claims from the current logged in user, because it's called from within the authenticate phase of the cookie MW. IOW, the cookie mw calls security stamp validator, which calls user manager, which calls my IUserClaimsPrincipalFactory, which tries to call authenticate on the authentication manager, which tries to call into cookie MW. Deadlocks.

[HaoK]

You probably have to do it from within a custom security stamp validator, since that has access to both the old principal, and what's going to be the new principal.

[HaoK]

To be more precise, not necessarily a custom identity validator, but hook into the same cookie events the security stamp validator is

[brockallen]

Right. See my comments about about that.

[HaoK]

Sure, we can certainly revisit the validator to make it more reusable as that hasn't gotten any love since it was first written back in the katana days