
Auth/Identity/Templates - External login flow now needs to clear old external cookies #201

Open
@HaoK

Description


Summary:

In 1.0.0 we fixed an infinite redirect issue with all remote authentication middleware (Google/Facebook/OIDC, etc) by changing the behavior of Authenticate for these middleware to forward to the auth middleware specified in SignInScheme (typically a cookie middleware). This caused a regression in identity/template challenge scenarios whenever an external cookie already exists from a previous login attempt (for example, when a user starts an external login flow and then cancels, clicks back, or some error happens).

The root cause is related to how Challenge behavior changes based on whether Authenticate returns something. If it does, Challenge becomes a Forbidden, otherwise it becomes an Unauthorized (see https://github.com/aspnet/Security/blob/d291bb7c249ae989ea848c8ff378186ae42606d1/src/Microsoft.AspNetCore.Authentication/AuthenticationHandler.cs#L338).

Previously, the presence of an old external cookie would not affect the flow, but now the external cookie will block logins and result in Forbidden/Access Denied responses.

As a result, the external cookie needs to be cleared at the start of the login flow.

Related issues:

Infinite redirect issues:
aspnet/Security#667
aspnet/Security#801

Resulting external login flow issue:
aspnet/Identity#915

Template fix:
aspnet/Templates@306fbc6
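As an added example (not the template commit itself), this is the shape of the fix the description calls for: the Login GET action signs out of the external cookie scheme before any new challenge can run. It assumes ASP.NET Core 1.0-era Identity types (IdentityCookieOptions, HttpContext.Authentication) and a project-defined ApplicationUser.

```csharp
// Added example, not the template's own code. Assumes ASP.NET Core 1.0 Identity
// and an ApplicationUser type defined by the application.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;

public class AccountController : Controller
{
    private readonly SignInManager<ApplicationUser> _signInManager;
    private readonly string _externalCookieScheme;

    public AccountController(
        SignInManager<ApplicationUser> signInManager,
        IOptions<IdentityCookieOptions> identityCookieOptions)
    {
        _signInManager = signInManager;
        // The cookie scheme that remote middleware (Google/Facebook/OIDC) uses as
        // its SignInScheme; Authenticate on those middleware forwards here.
        _externalCookieScheme = identityCookieOptions.Value.ExternalCookieAuthenticationScheme;
    }

    [HttpGet]
    [AllowAnonymous]
    public async Task<IActionResult> Login(string returnUrl = null)
    {
        // Clear any external cookie left behind by a cancelled or failed attempt.
        // If it stayed, the remote middleware's Authenticate would return a
        // principal and the later Challenge would become Forbidden (403)
        // instead of an Unauthorized redirect to the provider.
        await HttpContext.Authentication.SignOutAsync(_externalCookieScheme);

        ViewData["ReturnUrl"] = returnUrl;
        return View();
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public IActionResult ExternalLogin(string provider, string returnUrl = null)
    {
        // With no stale external cookie present, this challenge produces the
        // expected 302 to the provider rather than an access-denied response.
        // "ExternalLoginCallback" is the callback action the template defines.
        var redirectUrl = Url.Action("ExternalLoginCallback", "Account", new { ReturnUrl = returnUrl });
        var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
        return Challenge(properties, provider);
    }
}
```

The sign-out is the only change relative to a template that predates the 1.0.0 Authenticate forwarding; the callback action that consumes the external cookie is unchanged.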
