Today we released Kentor.AuthServices 0.18.1. It contains a number of bug fixes, but also a couple of breaking changes to a mostly internal API and logout handling.
You are affected if…
- you build an HttpRequestData yourself, instead of using a built-in ToHttpRequestData() extension method.
- you are using Single Logout and…
  - you have a ClaimsAuthenticationManager
  - you manually create an AuthServicesClaimTypes.LogoutNameIdentifier claim
  - you filter out claims that are persisted
- you have a
Most users should not be affected, but if you match any of the above please read on.
HttpRequestData now contains User
The logout implementation in LogoutCommand needs to access the current user. It used to do that by accessing ClaimsPrincipal.Current. When working on the upcoming ASP.NET Core middleware we found out that ClaimsPrincipal.Current is not set in that environment. It is also an issue for anyone with custom session handling who wants to integrate with the low level API and call the command classes directly.
The existing ToHttpRequestData() extension methods have been updated to include the user. This only affects you if those are not used, or if a non-standard session storage is used.
Logout Name Identifier Handling
SAML2 is different from other federation protocols in that it includes the identity and session id of the logged in user session in the logout messages. This means that AuthServices needs to preserve the original name identifier, including some optional properties, and the session id. AuthServices used to do that by relying on the ClaimTypes.NameIdentifier claim, with AuthServicesClaimTypes.NameIdentifier as a fallback if the original Name Identifier cannot be used in the application. From this release this has been changed and the ClaimTypes.NameIdentifier claim is now mandatory.
Using a ClaimsAuthenticationManager
If you have a ClaimsAuthenticationManager and are using single logout, you have to make sure that the AuthServicesClaimTypes.NameIdentifier and AuthServicesClaimTypes.SessionIndex claims are included in the returned identity.
Creating an AuthServicesClaimTypes.LogoutNameIdentifier
If you previously created an AuthServicesClaimTypes.LogoutNameIdentifier by copying the ClaimTypes.NameIdentifier claim you have to remove it. The AuthServicesClaimTypes.LogoutNameIdentifier now has a more complex format that you shouldn’t try to create yourself. Carry the one included in the original identity forward instead.
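A ClaimsAuthenticationManager that follows the two rules above (keep the AuthServices logout claims, carry LogoutNameIdentifier forward unchanged), as an added example that is not code from Kentor.AuthServices. It assumes AuthServicesClaimTypes lives in the Kentor.AuthServices namespace and uses a hypothetical LookupApplicationClaims helper in place of a real user store.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Kentor.AuthServices; // assumed namespace of AuthServicesClaimTypes

// Hypothetical ClaimsAuthenticationManager: replaces the incoming identity with an
// application-specific one, but keeps the claims AuthServices needs for Single Logout.
public class LogoutPreservingClaimsManager : ClaimsAuthenticationManager
{
    // Claim types that must survive the transformation; without them LogoutCommand
    // cannot identify the user and session in the logout message, and the IdP session lives on.
    private static readonly string[] LogoutClaimTypes =
    {
        ClaimTypes.NameIdentifier,
        AuthServicesClaimTypes.NameIdentifier,
        AuthServicesClaimTypes.SessionIndex,
        AuthServicesClaimTypes.LogoutNameIdentifier,
    };

    public override ClaimsPrincipal Authenticate(
        string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        var incoming = incomingPrincipal?.Identity as ClaimsIdentity;
        if (incoming == null || !incoming.IsAuthenticated) return incomingPrincipal;

        // Copy the logout claims verbatim. Do not rebuild LogoutNameIdentifier from
        // ClaimTypes.NameIdentifier: its format is owned by AuthServices.
        var carried = incoming.Claims
            .Where(c => LogoutClaimTypes.Contains(c.Type))
            .Select(c => new Claim(c.Type, c.Value, c.ValueType, c.Issuer, c.OriginalIssuer));

        var identity = new ClaimsIdentity(
            LookupApplicationClaims(incoming).Concat(carried),
            incoming.AuthenticationType,
            incoming.NameClaimType,
            incoming.RoleClaimType);

        return new ClaimsPrincipal(identity);
    }

    // Hypothetical lookup; a real application would query its own user store.
    private static IEnumerable<Claim> LookupApplicationClaims(ClaimsIdentity incoming)
    {
        var subject = incoming.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? "unknown";
        yield return new Claim(ClaimTypes.Name, subject);
        yield return new Claim(ClaimTypes.Role, "User");
    }
}
```

Any claim filtering you apply before persisting the session should be checked against the same list, since a claim dropped at that stage is just as lost to LogoutCommand as one dropped here.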