Allow OWIN hosts and applications to register default ICookieManager instances

src/Microsoft.Owin.Host.SystemWeb/OwinAppContext.cs

@@ -59,6 +59,8 @@ internal void Initialize(Action<IAppBuilder> startup)
             builder.Properties[Constants.HostReferencedAssemblies] = new ReferencedAssembliesWrapper();
             builder.Properties[Constants.ServerCapabilitiesKey] = Capabilities;
             builder.Properties[Constants.SecurityDataProtectionProvider] = new MachineKeyDataProtectionProvider().ToOwinFunction();
+            builder.SetDefaultCookieManager(new SystemWebCookieManager());
+            builder.SetDefaultChunkingCookieManager(new SystemWebChunkingCookieManager());
             builder.SetLoggerFactory(new DiagnosticsLoggerFactory());
 
             Capabilities[Constants.SendFileVersionKey] = Constants.SendFileVersion;

src/Microsoft.Owin.Security.Cookies/CookieAuthenticationMiddleware.cs

@@ -27,6 +27,8 @@ public class CookieAuthenticationMiddleware : AuthenticationMiddleware<CookieAut
         public CookieAuthenticationMiddleware(OwinMiddleware next, IAppBuilder app, CookieAuthenticationOptions options)
             : base(next, options)
         {
+            Options.CookieManager ??= app.GetDefaultChunkingCookieManager();
+
             if (Options.Provider == null)
             {
                 Options.Provider = new CookieAuthenticationProvider();
@@ -46,10 +48,6 @@ public CookieAuthenticationMiddleware(OwinMiddleware next, IAppBuilder app, Cook
 
                 Options.TicketDataFormat = new TicketDataFormat(dataProtector);
             }
-            if (Options.CookieManager == null)
-            {
-                Options.CookieManager = new ChunkingCookieManager();
-            }
         }
 
         /// <summary>

src/Microsoft.Owin.Security.Cookies/CookieAuthenticationOptions.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Diagnostics.CodeAnalysis;
 using Microsoft.Owin.Infrastructure;
+using Owin;
 
 namespace Microsoft.Owin.Security.Cookies
 {
@@ -142,9 +143,11 @@ public string CookieName
 
         /// <summary>
         /// The component used to get cookies from the request or set them on the response.
-        ///
-        /// ChunkingCookieManager will be used by default.
         /// </summary>
+        /// <remarks>
+        /// The instance returned by <see cref="AppBuilderCookieExtensions.GetDefaultChunkingCookieManager(IAppBuilder)"/>
+        /// is used by default if no value is explicitly set.
+        /// </remarks>
         public ICookieManager CookieManager { get; set; }
 
         /// <summary>

src/Microsoft.Owin.Security.Facebook/FacebookAuthenticationMiddleware.cs

@@ -5,6 +5,7 @@
 using System.Diagnostics.CodeAnalysis;
 using System.Globalization;
 using System.Net.Http;
+using Microsoft.Owin.Infrastructure;
 using Microsoft.Owin.Logging;
 using Microsoft.Owin.Security.DataHandler;
 using Microsoft.Owin.Security.DataProtection;
@@ -45,6 +46,8 @@ public FacebookAuthenticationMiddleware(
 
             _logger = app.CreateLogger<FacebookAuthenticationMiddleware>();
 
+            Options.CookieManager ??= app.GetDefaultCookieManager();
+
             if (Options.Provider == null)
             {
                 Options.Provider = new FacebookAuthenticationProvider();

src/Microsoft.Owin.Security.Facebook/FacebookAuthenticationOptions.cs

@@ -31,7 +31,6 @@ public FacebookAuthenticationOptions()
             BackchannelTimeout = TimeSpan.FromSeconds(60);
             SendAppSecretProof = true;
             _fields = new HashSet<string>();
-            CookieManager = new CookieManager();
 
             AuthorizationEndpoint = Constants.AuthorizationEndpoint;
             TokenEndpoint = Constants.TokenEndpoint;

src/Microsoft.Owin.Security.Google/GoogleOAuth2AuthenticationMiddleware.cs

@@ -5,6 +5,7 @@
 using System.Diagnostics.CodeAnalysis;
 using System.Globalization;
 using System.Net.Http;
+using Microsoft.Owin.Infrastructure;
 using Microsoft.Owin.Logging;
 using Microsoft.Owin.Security.DataHandler;
 using Microsoft.Owin.Security.DataProtection;
@@ -47,6 +48,8 @@ public GoogleOAuth2AuthenticationMiddleware(
 
             _logger = app.CreateLogger<GoogleOAuth2AuthenticationMiddleware>();
 
+            Options.CookieManager ??= app.GetDefaultCookieManager();
+
             if (Options.Provider == null)
             {
                 Options.Provider = new GoogleOAuth2AuthenticationProvider();

src/Microsoft.Owin.Security.Google/GoogleOAuth2AuthenticationOptions.cs

@@ -29,7 +29,6 @@ public GoogleOAuth2AuthenticationOptions()
             AuthenticationMode = AuthenticationMode.Passive;
             Scope = new List<string>();
             BackchannelTimeout = TimeSpan.FromSeconds(60);
-            CookieManager = new CookieManager();
 
             AuthorizationEndpoint = Constants.AuthorizationEndpoint;
             TokenEndpoint = Constants.TokenEndpoint;

src/Microsoft.Owin.Security.MicrosoftAccount/MicrosoftAccountAuthenticationMiddleware.cs

@@ -5,6 +5,7 @@
 using System.Diagnostics.CodeAnalysis;
 using System.Globalization;
 using System.Net.Http;
+using Microsoft.Owin.Infrastructure;
 using Microsoft.Owin.Logging;
 using Microsoft.Owin.Security.DataHandler;
 using Microsoft.Owin.Security.DataProtection;
@@ -45,6 +46,8 @@ public MicrosoftAccountAuthenticationMiddleware(
 
             _logger = app.CreateLogger<MicrosoftAccountAuthenticationMiddleware>();
 
+            Options.CookieManager ??= app.GetDefaultCookieManager();
+
             if (Options.Provider == null)
             {
                 Options.Provider = new MicrosoftAccountAuthenticationProvider();

src/Microsoft.Owin.Security.MicrosoftAccount/MicrosoftAccountAuthenticationOptions.cs

@@ -26,7 +26,6 @@ public MicrosoftAccountAuthenticationOptions() : base(Constants.DefaultAuthentic
             AuthenticationMode = AuthenticationMode.Passive;
             Scope = new List<string>();
             BackchannelTimeout = TimeSpan.FromSeconds(60);
-            CookieManager = new CookieManager();
 
             AuthorizationEndpoint = Constants.AuthorizationEndpoint;
             TokenEndpoint = Constants.TokenEndpoint;

src/Microsoft.Owin.Security.OpenIdConnect/OpenIdConnectAuthenticationMiddleware.cs

@@ -6,6 +6,7 @@
 using System.Net.Http;
 using Microsoft.IdentityModel.Protocols;
 using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+using Microsoft.Owin.Infrastructure;
 using Microsoft.Owin.Logging;
 using Microsoft.Owin.Security.DataHandler;
 using Microsoft.Owin.Security.DataProtection;
@@ -38,6 +39,8 @@ public OpenIdConnectAuthenticationMiddleware(OwinMiddleware next, IAppBuilder ap
                 Options.TokenValidationParameters.AuthenticationType = app.GetDefaultSignInAsAuthenticationType();
             }
 
+            Options.CookieManager ??= app.GetDefaultCookieManager();
+
             if (Options.StateDataFormat == null)
             {
                 var dataProtector = app.CreateDataProtector(

src/Microsoft.Owin.Security.OpenIdConnect/OpenIdConnectAuthenticationOptions.cs

@@ -70,7 +70,6 @@ public OpenIdConnectAuthenticationOptions(string authenticationType)
             RequireHttpsMetadata = true;
             TokenValidationParameters = new TokenValidationParameters();
             UseTokenLifetime = true;
-            CookieManager = new CookieManager();
             RedeemCode = false;
             UsePkce = true;
         }

src/Microsoft.Owin.Security.Twitter/TwitterAuthenticationMiddleware.cs

@@ -5,6 +5,7 @@
 using System.Diagnostics.CodeAnalysis;
 using System.Globalization;
 using System.Net.Http;
+using Microsoft.Owin.Infrastructure;
 using Microsoft.Owin.Logging;
 using Microsoft.Owin.Security.DataHandler;
 using Microsoft.Owin.Security.DataHandler.Encoder;
@@ -48,6 +49,8 @@ public TwitterAuthenticationMiddleware(
                 throw new ArgumentException(string.Format(CultureInfo.CurrentCulture, Resources.Exception_OptionMustBeProvided, "ConsumerKey"));
             }
 
+            Options.CookieManager ??= app.GetDefaultCookieManager();
+
             if (Options.Provider == null)
             {
                 Options.Provider = new TwitterAuthenticationProvider();

src/Microsoft.Owin.Security.Twitter/TwitterAuthenticationOptions.cs

@@ -26,7 +26,6 @@ public TwitterAuthenticationOptions()
             CallbackPath = new PathString("/signin-twitter");
             AuthenticationMode = AuthenticationMode.Passive;
             BackchannelTimeout = TimeSpan.FromSeconds(60);
-            CookieManager = new CookieManager();
         }
 
         /// <summary>

src/Microsoft.Owin/Extensions/AppBuilderCookieExtensions.cs

@@ -0,0 +1,118 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.Owin.Infrastructure;
+using Owin;
+
+namespace Microsoft.Owin
+{
+    /// <summary>
+    /// Cookie-related extensions for <see cref="IAppBuilder"/>.
+    /// </summary>
+    public static class AppBuilderCookieExtensions
+    {
+        private const string CookieManagerProperty = "infrastructure.CookieManager";
+        private const string ChunkingCookieManagerProperty = "infrastructure.ChunkingCookieManager";
+
+        /// <summary>
+        /// Sets the default <see cref="ICookieManager"/> that will be used by
+        /// the OWIN middleware when no manager is explicitly set in their options.
+        /// </summary>
+        /// <remarks>
+        /// Depending on the host, a default <see cref="ICookieManager"/> instance
+        /// may already be registered in <see cref="IAppBuilder.Properties"/>
+        /// (e.g SystemWeb automatically registers a cookie manager that relies on
+        /// HttpCookieCollection instead of directly manipulating the HTTP headers).
+        /// </remarks>
+        /// <param name="app">The application builder.</param>
+        /// <param name="manager">The cookie manager.</param>
+        /// <exception cref="ArgumentNullException"><paramref name="app"/> is <see langword="null"/>.</exception>
+        public static void SetDefaultCookieManager(this IAppBuilder app, ICookieManager manager)
+        {
+            if (app is null)
+            {
+                throw new ArgumentNullException(nameof(app));
+            }
+
+            if (manager is null)
+            {
+                app.Properties.Remove(CookieManagerProperty);
+            }
+            else
+            {
+                app.Properties[CookieManagerProperty] = manager;
+            }
+        }
+
+        /// <summary>
+        /// Sets the default chunking <see cref="ICookieManager"/> that will be used
+        /// by the OWIN middleware when no manager is explicitly set in their options.
+        /// </summary>
+        /// <remarks>
+        /// Depending on the host, a default <see cref="ICookieManager"/> instance
+        /// may already be registered in <see cref="IAppBuilder.Properties"/>
+        /// (e.g SystemWeb automatically registers a cookie manager that relies on
+        /// HttpCookieCollection instead of directly manipulating the HTTP headers).
+        /// </remarks>
+        /// <param name="app">The application builder.</param>
+        /// <param name="manager">The cookie manager.</param>
+        /// <exception cref="ArgumentNullException"><paramref name="app"/> is <see langword="null"/>.</exception>
+        public static void SetDefaultChunkingCookieManager(this IAppBuilder app, ICookieManager manager)
+        {
+            if (app is null)
+            {
+                throw new ArgumentNullException(nameof(app));
+            }
+
+            if (manager is null)
+            {
+                app.Properties.Remove(ChunkingCookieManagerProperty);
+            }
+            else
+            {
+                app.Properties[ChunkingCookieManagerProperty] = manager;
+            }
+        }
+
+        /// <summary>
+        /// Gets the default <see cref="ICookieManager"/> that will be used by
+        /// the OWIN middleware when no manager is explicitly set in their options.
+        /// </summary>
+        /// <param name="app">The application builder.</param>
+        /// <returns>
+        /// The cookie manager or a default <see cref="CookieManager"/> instance if no manager was registered.
+        /// </returns>
+        /// <exception cref="ArgumentNullException"><paramref name="app"/> is <see langword="null"/>.</exception>
+        public static ICookieManager GetDefaultCookieManager(this IAppBuilder app)
+        {
+            if (app is null)
+            {
+                throw new ArgumentNullException(nameof(app));
+            }
+
+            return app.Properties.TryGetValue(CookieManagerProperty, out object value) &&
+                value is ICookieManager manager ? manager : new CookieManager();
+        }
+
+        /// <summary>
+        /// Gets the default chunking <see cref="ICookieManager"/> that will be used
+        /// by the OWIN middleware when no manager is explicitly set in their options.
+        /// </summary>
+        /// <param name="app">The application builder.</param>
+        /// <returns>
+        /// The cookie manager or a default <see cref="ChunkingCookieManager"/> instance if no manager was registered.
+        /// </returns>
+        /// <exception cref="ArgumentNullException"><paramref name="app"/> is <see langword="null"/>.</exception>
+        public static ICookieManager GetDefaultChunkingCookieManager(this IAppBuilder app)
+        {
+            if (app is null)
+            {
+                throw new ArgumentNullException(nameof(app));
+            }
+
+            return app.Properties.TryGetValue(ChunkingCookieManagerProperty, out object value) &&
+                value is ICookieManager manager ? manager : new ChunkingCookieManager();
+        }
+    }
+}