As mentioned before – the ASP.NET templates never really tried to help you understand the security features. Instead they crammed every single feature into a single “sample app”, making it really hard to figure out who does what (ASP.NET Identity vs middleware vs external authentication vs cookie etc).
This created a lot of confusion – and whenever we taught Katana or ASP.NET 5 security, people had this “wow” effect when they finally saw the bits and pieces untangled.
That’s why I published my alternative templates that focus on a single security feature at a time on GitHub (work in progress – feel free to send me PRs).
External Authentication (e.g. Google)
External Authentication showing the callback technique to run custom logic between external sign-in and local sign-in
Thanks for the examples!
In the external OAuth (callback) example, why is the 2nd cookie middleware needed? What would happen if you just used the one, and in your callback called AuthenticateAsync() on it, did what was needed, called SignOutAsync, and finally SignInAsync with the new/modified ClaimsPrincipal?
I assume this wouldn’t work based on your example but I don’t know why. Could you please explain the problem with that?
Because then you could not distinguish between an external (not yet fully signed in) user and a signed-in user.
Gotcha, makes sense. Thank you!
All 3 links are broken.
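The two-cookie callback pattern described in the post and discussed in the comments above, as an added example that is not the author's template code. It uses the current ASP.NET Core minimal-hosting API rather than the ASP.NET 5 API of the post; the scheme names (`app`, `external`, `google`), the routes, the `role` claim and the credential placeholders are assumptions.

```csharp
// Added example, current ASP.NET Core minimal-hosting API (not the ASP.NET 5 API of the post).
// Needs the Microsoft.AspNetCore.Authentication.Google package. Scheme names, routes and the
// "role" claim are hypothetical; client id/secret are placeholders.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication("app")            // default scheme: the fully signed-in user
    .AddCookie("app", o => o.LoginPath = "/login")
    .AddCookie("external")                           // temporary: holds only the provider's result
    .AddGoogle("google", o =>
    {
        o.ClientId = "<client-id>";
        o.ClientSecret = "<client-secret>";
        o.SignInScheme = "external";                 // provider result lands in the temp cookie
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Start the external flow; after the provider round trip the browser is sent to /callback.
app.MapGet("/login", () => Results.Challenge(
    new AuthenticationProperties { RedirectUri = "/callback" }, new[] { "google" }));

app.MapGet("/callback", async (HttpContext ctx) =>
{
    // Read the external cookie explicitly; under the default "app" scheme the user is still anonymous.
    var external = await ctx.AuthenticateAsync("external");
    var subject = external.Principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
    if (!external.Succeeded || subject is null) return Results.Redirect("/login");

    // Custom logic runs here (provisioning, allow-list check, claims mapping).
    var identity = new ClaimsIdentity(new[]
    {
        new Claim(ClaimTypes.NameIdentifier, subject),
        new Claim("role", "user"),                   // hypothetical local claim
    }, "app");
    await ctx.SignInAsync("app", new ClaimsPrincipal(identity));
    await ctx.SignOutAsync("external");              // drop the temporary cookie
    return Results.Redirect("/");
});

// Only the "app" cookie satisfies this; a half-finished external login does not.
app.MapGet("/", (ClaimsPrincipal user) =>
    $"Hello {user.FindFirst(ClaimTypes.NameIdentifier)?.Value}").RequireAuthorization();

app.Run();
```

Because the Google handler signs in to `external` and authorization checks only `app`, a user who has completed the provider round trip but not the callback logic is never treated as signed in.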