Catering for IPrincipal implementations rather than just ClaimsPrincipal on single logout requests #1472

Open
Infarinato opened this issue Oct 8, 2024 · 5 comments

@Infarinato

In many (sophisticated) authentication frameworks like, e.g., Sitecore federated authentication, the User class is an implementation of the IPrincipal interface, not merely an instance of ClaimsPrincipal.

Now, because of the way OwinContextExtensions.ToHttpRequestData is implemented (in v2, at least, where context.Request.User is assumed to be an instance of ClaimsPrincipal), single logout fails miserably in any such framework. 😕

The proper fix would be for HttpRequestData.HttpRequestData to be rewritten to accept an IPrincipal rather than a ClaimsPrincipal parameter, but of course that would be a rather big job, which understandably you might not want to consider for v2 (…moreover —I honestly haven’t checked— this might be totally irrelevant for v3). Yet, it’s a pity that such frameworks cannot take advantage of this nice library solely because there is no way of getting single logout to work.

As it would appear that the value of context.Request.User is really only read in the LogoutCommand class, then a quick “tactical” fix would be to fall back to ClaimsPrincipal.Current whenever context.Request.User cannot be cast to a non-null ClaimsPrincipal, as in this commit.

@AndersAbel
Member

I'm a bit surprised by this as the .NET Framework has changed all existing implementations of IPrincipal to derive from ClaimsPrincipal. What is the actual type of the IPrincipal in the Sitecore setup?

@Infarinato
Author

> What is the actual type of the IPrincipal in the Sitecore setup?

System.Security.Principal.IPrincipal, as far as I can tell, @AndersAbel

@AndersAbel
Member

There must be an actual implementation type. Try calling GetType() on an actual object instance.

@AndersAbel AndersAbel reopened this Nov 27, 2024
@Infarinato
Author

Sorry, I’m not quite sure what you mean, @AndersAbel… 🤔

Sitecore.Security.Accounts.User inherits from its (custom) Sitecore.Security.Accounts.Account and from (standard) System.Security.Principal.IPrincipal.

So, Sitecore.Security.Accounts.User (which is what Sitecore feeds to Microsoft.Owin.IOwinRequest.User) is an implementation of System.Security.Principal.IPrincipal just like System.Security.Claims.ClaimsPrincipal, but is not the same as System.Security.Claims.ClaimsPrincipal.

Therefore, if your code tries to cast Microsoft.Owin.IOwinRequest.User (which is only required to be a System.Security.Principal.IPrincipal) as System.Security.Claims.ClaimsPrincipal within Sitecore, it will understandably get null in return. 😉

@brockallen
Contributor

IIRC, non-ClaimsPrincipal/ClaimsIdentity types were unofficially no longer supported by .NET [Core].
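
An added C# sketch of the cast failure and the fallback proposed in the opening post; it is not the library's code or the linked commit. `LegacyUser`, `PrincipalResolver` and the sample claim are hypothetical, and the authentication check on the fallback is an added precaution, not part of the proposal.

```csharp
using System;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading;

// Hypothetical stand-in for a framework user type that implements
// IPrincipal directly instead of deriving from ClaimsPrincipal.
sealed class LegacyUser : IPrincipal
{
    public LegacyUser(string name) { Identity = new GenericIdentity(name, "Legacy"); }
    public IIdentity Identity { get; }
    public bool IsInRole(string role) => false;
}

static class PrincipalResolver
{
    // Use the request principal when it already is a ClaimsPrincipal;
    // otherwise fall back to the ambient ClaimsPrincipal.Current.
    public static ClaimsPrincipal Resolve(IPrincipal requestUser)
    {
        var claimsUser = requestUser as ClaimsPrincipal; // null for LegacyUser
        if (claimsUser != null) return claimsUser;

        // Assumption: only accept the fallback when it is authenticated,
        // so logout never acts on an empty or anonymous principal.
        var ambient = ClaimsPrincipal.Current;
        return ambient?.Identity?.IsAuthenticated == true ? ambient : null;
    }
}

static class Program
{
    static void Main()
    {
        IPrincipal requestUser = new LegacyUser("alice"); // constructed sample
        Console.WriteLine(requestUser.GetType().FullName); // the concrete type
        Console.WriteLine((requestUser as ClaimsPrincipal) == null);

        // Constructed ambient principal carrying the session's claims.
        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.NameIdentifier, "alice-id") }, "Federation");
        Thread.CurrentPrincipal = new ClaimsPrincipal(identity);

        var resolved = PrincipalResolver.Resolve(requestUser);
        Console.WriteLine(resolved?.FindFirst(ClaimTypes.NameIdentifier)?.Value);
    }
}
```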
