Use existing principal for single scheme (#37135)

Author: HaoK

src/Security/Authorization/test/PolicyEvaluatorTests.cs

@@ -51,6 +51,26 @@ public async Task AuthenticateMergeSchemes()
             Assert.Equal(3, result.Principal.Identities.Count());
         }
 
+        [Fact]
+        public async Task AuthenticateMergeSchemesPreservesSingleScheme()
+        {
+            // Arrange
+            var evaluator = BuildEvaluator();
+            var context = new DefaultHttpContext();
+            var auth = new EchoAuthentication();
+            var services = new ServiceCollection().AddSingleton<IAuthenticationService>(auth);
+            context.RequestServices = services.BuildServiceProvider();
+            var policy = new AuthorizationPolicyBuilder().AddAuthenticationSchemes("A").RequireAssertion(_ => true).Build();
+
+            // Act
+            var result = await evaluator.AuthenticateAsync(policy, context);
+
+            // Assert
+            Assert.True(result.Succeeded);
+            Assert.Single(result.Principal.Identities);
+            Assert.Equal(auth.Principal, result.Principal);
+        }
+
 
         [Fact]
         public async Task AuthorizeSucceedsEvenIfAuthenticationFails()
@@ -174,57 +194,42 @@ public Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object res
         public class SadAuthentication : IAuthenticationService
         {
             public Task<AuthenticateResult> AuthenticateAsync(HttpContext context, string scheme)
-            {
-                return Task.FromResult(AuthenticateResult.Fail("Sad."));
-            }
+                => Task.FromResult(AuthenticateResult.Fail("Sad."));
 
             public Task ChallengeAsync(HttpContext context, string scheme, AuthenticationProperties properties)
-            {
-                throw new System.NotImplementedException();
-            }
+                => throw new NotImplementedException();
 
             public Task ForbidAsync(HttpContext context, string scheme, AuthenticationProperties properties)
-            {
-                throw new System.NotImplementedException();
-            }
+                => throw new NotImplementedException();
 
             public Task SignInAsync(HttpContext context, string scheme, ClaimsPrincipal principal, AuthenticationProperties properties)
-            {
-                throw new System.NotImplementedException();
-            }
+                    => throw new NotImplementedException();
 
             public Task SignOutAsync(HttpContext context, string scheme, AuthenticationProperties properties)
-            {
-                throw new System.NotImplementedException();
-            }
+                    => throw new NotImplementedException();
         }
 
         public class EchoAuthentication : IAuthenticationService
         {
+            public ClaimsPrincipal Principal;
+
             public Task<AuthenticateResult> AuthenticateAsync(HttpContext context, string scheme)
             {
-                return Task.FromResult(AuthenticateResult.Success(new AuthenticationTicket(new ClaimsPrincipal(new ClaimsIdentity(scheme)), scheme)));
+                Principal = new ClaimsPrincipal(new ClaimsIdentity(scheme));
+                return Task.FromResult(AuthenticateResult.Success(new AuthenticationTicket(Principal, scheme)));
             }
 
             public Task ChallengeAsync(HttpContext context, string scheme, AuthenticationProperties properties)
-            {
-                throw new System.NotImplementedException();
-            }
+                => throw new NotImplementedException();
 
             public Task ForbidAsync(HttpContext context, string scheme, AuthenticationProperties properties)
-            {
-                throw new System.NotImplementedException();
-            }
+                => throw new NotImplementedException();
 
             public Task SignInAsync(HttpContext context, string scheme, ClaimsPrincipal principal, AuthenticationProperties properties)
-            {
-                throw new System.NotImplementedException();
-            }
+                => throw new NotImplementedException();
 
             public Task SignOutAsync(HttpContext context, string scheme, AuthenticationProperties properties)
-            {
-                throw new System.NotImplementedException();
-            }
+                => throw new NotImplementedException();
         }
 
         private class DummyRequirement : IAuthorizationRequirement {}

src/Shared/SecurityHelper/SecurityHelper.cs

@@ -22,6 +22,12 @@ internal static class SecurityHelper
         /// <param name="additionalPrincipal">The <see cref="ClaimsPrincipal"/> containing <see cref="ClaimsIdentity"/> to be added.</param>
         public static ClaimsPrincipal MergeUserPrincipal(ClaimsPrincipal? existingPrincipal, ClaimsPrincipal? additionalPrincipal)
         {
+            // For the first principal, just use the new principal rather than copying it
+            if (existingPrincipal == null && additionalPrincipal != null)
+            {
+                return additionalPrincipal;
+            }
+
             var newPrincipal = new ClaimsPrincipal();
 
             // New principal identities go first