Update the ASP.NET Core/OWIN hosts to support returning authentication properties for errored requests

sandbox/OpenIddict.Sandbox.AspNet.Server/Startup.cs

@@ -201,7 +201,7 @@ await manager.CreateAsync(new OpenIddictApplicationDescriptor
                     ClientId = "mvc",
                     ClientSecret = "901564A5-E7FE-42CB-B10D-61EF6A8F3654",
                     ClientType = ClientTypes.Confidential,
-                    ConsentType = ConsentTypes.Explicit,
+                    ConsentType = ConsentTypes.Systematic,
                     DisplayName = "MVC client application",
                     RedirectUris =
                     {

sandbox/OpenIddict.Sandbox.AspNetCore.Server/Worker.cs

@@ -152,7 +152,7 @@ await manager.CreateAsync(new OpenIddictApplicationDescriptor
                     ClientId = "mvc",
                     ClientSecret = "901564A5-E7FE-42CB-B10D-61EF6A8F3654",
                     ClientType = ClientTypes.Confidential,
-                    ConsentType = ConsentTypes.Explicit,
+                    ConsentType = ConsentTypes.Systematic,
                     DisplayName = "MVC client application",
                     DisplayNames =
                     {

src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandler.cs

@@ -156,17 +156,24 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                 return AuthenticateResult.NoResult();
             }
 
-            var properties = new AuthenticationProperties(new Dictionary<string, string?>
-            {
-                [Properties.Error] = context.Error,
-                [Properties.ErrorDescription] = context.ErrorDescription,
-                [Properties.ErrorUri] = context.ErrorUri
-            });
+            var properties = CreateAuthenticationProperties();
+            properties.Items[Properties.Error] = context.Error;
+            properties.Items[Properties.ErrorDescription] = context.ErrorDescription;
+            properties.Items[Properties.ErrorUri] = context.ErrorUri;
 
             return AuthenticateResult.Fail(SR.GetResourceString(SR.ID0113), properties);
         }
 
         else
+        {
+            var properties = CreateAuthenticationProperties();
+
+            return AuthenticateResult.Success(new AuthenticationTicket(
+                context.MergedPrincipal ?? new ClaimsPrincipal(new ClaimsIdentity()), properties,
+                OpenIddictClientAspNetCoreDefaults.AuthenticationScheme));
+        }
+
+        AuthenticationProperties CreateAuthenticationProperties()
         {
             var properties = new AuthenticationProperties
             {
@@ -336,9 +343,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                 properties.SetParameter(Properties.UserInfoTokenPrincipal, context.UserInfoTokenPrincipal);
             }
 
-            return AuthenticateResult.Success(new AuthenticationTicket(
-                context.MergedPrincipal ?? new ClaimsPrincipal(new ClaimsIdentity()), properties,
-                OpenIddictClientAspNetCoreDefaults.AuthenticationScheme));
+            return properties;
         }
     }
 

src/OpenIddict.Client.Owin/OpenIddictClientOwinHandler.cs

@@ -155,17 +155,22 @@ public override async Task<bool> InvokeAsync()
                 return null;
             }
 
-            var properties = new AuthenticationProperties(new Dictionary<string, string?>
-            {
-                [Properties.Error] = context.Error,
-                [Properties.ErrorDescription] = context.ErrorDescription,
-                [Properties.ErrorUri] = context.ErrorUri
-            });
+            var properties = CreateAuthenticationProperties();
+            properties.Dictionary[Properties.Error] = context.Error;
+            properties.Dictionary[Properties.ErrorDescription] = context.ErrorDescription;
+            properties.Dictionary[Properties.ErrorUri] = context.ErrorUri;
 
-            return new AuthenticationTicket(null, properties);
+            return new AuthenticationTicket(new ClaimsIdentity(), properties);
         }
 
         else
+        {
+            var properties = CreateAuthenticationProperties();
+
+            return new AuthenticationTicket(context.MergedPrincipal?.Identity as ClaimsIdentity ?? new ClaimsIdentity(), properties);
+        }
+
+        AuthenticationProperties CreateAuthenticationProperties()
         {
             var properties = new AuthenticationProperties
             {
@@ -240,7 +245,7 @@ public override async Task<bool> InvokeAsync()
                 properties.Dictionary[Tokens.UserInfoToken] = context.UserInfoToken;
             }
 
-            return new AuthenticationTicket(context.MergedPrincipal?.Identity as ClaimsIdentity, properties);
+            return properties;
         }
     }
 

src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandler.cs

@@ -156,12 +156,10 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                 return AuthenticateResult.NoResult();
             }
 
-            var properties = new AuthenticationProperties(new Dictionary<string, string?>
-            {
-                [Properties.Error] = context.Error,
-                [Properties.ErrorDescription] = context.ErrorDescription,
-                [Properties.ErrorUri] = context.ErrorUri
-            });
+            var properties = CreateAuthenticationProperties();
+            properties.Items[Properties.Error] = context.Error;
+            properties.Items[Properties.ErrorDescription] = context.ErrorDescription;
+            properties.Items[Properties.ErrorUri] = context.ErrorUri;
 
             return AuthenticateResult.Fail(SR.GetResourceString(SR.ID0113), properties);
         }
@@ -199,6 +197,15 @@ OpenIddictServerEndpointType.Token when context.Request.IsRefreshTokenGrantType(
                 _ => null
             };
 
+            var properties = CreateAuthenticationProperties(principal);
+
+            return AuthenticateResult.Success(new AuthenticationTicket(
+                principal ?? new ClaimsPrincipal(new ClaimsIdentity()), properties,
+                OpenIddictServerAspNetCoreDefaults.AuthenticationScheme));
+        }
+
+        AuthenticationProperties CreateAuthenticationProperties(ClaimsPrincipal? principal = null)
+        {
             var properties = new AuthenticationProperties
             {
                 ExpiresUtc = principal?.GetExpirationDate(),
@@ -325,9 +332,7 @@ OpenIddictServerEndpointType.Token when context.Request.IsRefreshTokenGrantType(
                 properties.StoreTokens(tokens);
             }
 
-            return AuthenticateResult.Success(new AuthenticationTicket(
-                principal ?? new ClaimsPrincipal(new ClaimsIdentity()), properties,
-                OpenIddictServerAspNetCoreDefaults.AuthenticationScheme));
+            return properties;
         }
     }
 

src/OpenIddict.Server.Owin/OpenIddictServerOwinHandler.cs

@@ -151,14 +151,12 @@ public override async Task<bool> InvokeAsync()
                 return null;
             }
 
-            var properties = new AuthenticationProperties(new Dictionary<string, string?>
-            {
-                [Properties.Error] = context.Error,
-                [Properties.ErrorDescription] = context.ErrorDescription,
-                [Properties.ErrorUri] = context.ErrorUri
-            });
+            var properties = CreateAuthenticationProperties();
+            properties.Dictionary[Properties.Error] = context.Error;
+            properties.Dictionary[Properties.ErrorDescription] = context.ErrorDescription;
+            properties.Dictionary[Properties.ErrorUri] = context.ErrorUri;
 
-            return new AuthenticationTicket(null, properties);
+            return new AuthenticationTicket(new ClaimsIdentity(), properties);
         }
 
         else
@@ -191,6 +189,13 @@ OpenIddictServerEndpointType.Token when context.Request.IsRefreshTokenGrantType(
                 _ => null
             };
 
+            var properties = CreateAuthenticationProperties(principal);
+
+            return new AuthenticationTicket(principal?.Identity as ClaimsIdentity ?? new ClaimsIdentity(), properties);
+        }
+
+        AuthenticationProperties CreateAuthenticationProperties(ClaimsPrincipal? principal = null)
+        {
             var properties = new AuthenticationProperties
             {
                 ExpiresUtc = principal?.GetExpirationDate(),
@@ -240,7 +245,7 @@ OpenIddictServerEndpointType.Token when context.Request.IsRefreshTokenGrantType(
                 properties.Dictionary[Tokens.UserCode] = context.UserCode;
             }
 
-            return new AuthenticationTicket(principal?.Identity as ClaimsIdentity, properties);
+            return properties;
         }
     }
 

src/OpenIddict.Validation.AspNetCore/OpenIddictValidationAspNetCoreHandler.cs

@@ -154,12 +154,10 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                 return AuthenticateResult.NoResult();
             }
 
-            var properties = new AuthenticationProperties(new Dictionary<string, string?>
-            {
-                [Properties.Error] = context.Error,
-                [Properties.ErrorDescription] = context.ErrorDescription,
-                [Properties.ErrorUri] = context.ErrorUri
-            });
+            var properties = CreateAuthenticationProperties();
+            properties.Items[Properties.Error] = context.Error;
+            properties.Items[Properties.ErrorDescription] = context.ErrorDescription;
+            properties.Items[Properties.ErrorUri] = context.ErrorUri;
 
             return AuthenticateResult.Fail(SR.GetResourceString(SR.ID0113), properties);
         }
@@ -177,6 +175,15 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                 _ => null
             };
 
+            var properties = CreateAuthenticationProperties(principal);
+
+            return AuthenticateResult.Success(new AuthenticationTicket(
+                principal ?? new ClaimsPrincipal(new ClaimsIdentity()), properties,
+                OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme));
+        }
+
+        AuthenticationProperties CreateAuthenticationProperties(ClaimsPrincipal? principal = null)
+        {
             var properties = new AuthenticationProperties
             {
                 ExpiresUtc = principal?.GetExpirationDate(),
@@ -208,9 +215,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                 properties.StoreTokens(tokens);
             }
 
-            return AuthenticateResult.Success(new AuthenticationTicket(
-                principal ?? new ClaimsPrincipal(new ClaimsIdentity()), properties,
-                OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme));
+            return properties;
         }
     }
 

src/OpenIddict.Validation.Owin/OpenIddictValidationOwinHandler.cs

@@ -150,14 +150,12 @@ public override async Task<bool> InvokeAsync()
                 return null;
             }
 
-            var properties = new AuthenticationProperties(new Dictionary<string, string?>
-            {
-                [Properties.Error] = context.Error,
-                [Properties.ErrorDescription] = context.ErrorDescription,
-                [Properties.ErrorUri] = context.ErrorUri
-            });
+            var properties = CreateAuthenticationProperties();
+            properties.Dictionary[Properties.Error] = context.Error;
+            properties.Dictionary[Properties.ErrorDescription] = context.ErrorDescription;
+            properties.Dictionary[Properties.ErrorUri] = context.ErrorUri;
 
-            return new AuthenticationTicket(null, properties);
+            return new AuthenticationTicket(new ClaimsIdentity(), properties);
         }
 
         else
@@ -170,6 +168,13 @@ public override async Task<bool> InvokeAsync()
                 _ => null
             };
 
+            var properties = CreateAuthenticationProperties(principal);
+
+            return new AuthenticationTicket(principal?.Identity as ClaimsIdentity ?? new ClaimsIdentity(), properties);
+        }
+
+        AuthenticationProperties CreateAuthenticationProperties(ClaimsPrincipal? principal = null)
+        {
             var properties = new AuthenticationProperties
             {
                 ExpiresUtc = principal?.GetExpirationDate(),
@@ -184,7 +189,7 @@ public override async Task<bool> InvokeAsync()
                 properties.Dictionary[TokenTypeHints.AccessToken] = context.AccessToken;
             }
 
-            return new AuthenticationTicket(principal?.Identity as ClaimsIdentity, properties);
+            return properties;
         }
     }
 

test/OpenIddict.Server.AspNetCore.IntegrationTests/OpenIddictServerAspNetCoreIntegrationTests.cs

@@ -18,6 +18,7 @@
 using Xunit;
 using Xunit.Abstractions;
 using static OpenIddict.Server.OpenIddictServerEvents;
+using static OpenIddict.Server.OpenIddictServerHandlers;
 using static OpenIddict.Server.OpenIddictServerHandlers.Protection;
 
 #if SUPPORTS_JSON_NODES
@@ -134,6 +135,54 @@ public async Task ProcessAuthentication_ExpirationDateIsMappedToIssuedUtc()
         Assert.Equal(new DateTimeOffset(2120, 01, 01, 00, 00, 00, TimeSpan.Zero), properties.ExpiresUtc);
     }
 
+    [Fact]
+    public async Task ProcessAuthentication_CustomPropertiesAreAddedForErroredAuthenticationResults()
+    {
+        // Arrange
+        await using var server = await CreateServerAsync(options =>
+        {
+            options.EnableDegradedMode();
+            options.SetAuthorizationEndpointUris("/authenticate/properties");
+
+            options.UseAspNetCore()
+                   .EnableErrorPassthrough()
+                   .EnableAuthorizationEndpointPassthrough();
+
+            options.AddEventHandler<ProcessAuthenticationContext>(builder =>
+            {
+                builder.UseInlineHandler(context =>
+                {
+                    context.RejectIdentityToken = true;
+
+                    context.Properties["custom_property"] = "value";
+
+                    return default;
+                });
+
+                builder.SetOrder(EvaluateValidatedTokens.Descriptor.Order + 1);
+            });
+        });
+
+        await using var client = await server.CreateClientAsync();
+
+        // Act
+        var response = await client.PostAsync("/authenticate/properties", new OpenIddictRequest
+        {
+            ClientId = "Fabrikam",
+            IdTokenHint = "id_token_hint",
+            Nonce = "n-0S6_WzA2Mj",
+            RedirectUri = "http://www.fabrikam.com/path",
+            ResponseType = "id_token",
+            Scope = Scopes.OpenId
+        });
+
+        // Assert
+        var properties = new AuthenticationProperties(response.GetParameters()
+            .ToDictionary(parameter => parameter.Key, parameter => (string?) parameter.Value));
+
+        Assert.Equal("value", properties.Items["custom_property"]);
+    }
+
     [Fact]
     public async Task ProcessChallenge_ImportsAuthenticationProperties()
     {