Large BankIdUiSignState cookie

[Liteolika]

When the BankIdSignProperties contains large byte-arrays for UserVisibleData and UserNonVisibleData there is a chance that the properties are not persisted in the BankID UI state cookie.

What area is it related to
ActiveLogin.Authentication.BankId.AspNetCore.Sign.BankIdSignService

Describe the solution you'd like
Better documentation for the properties in BankIdSignProperties, that the size of the byte-arrays matters.
A validation of the cookie value before appending it to the response.

Additional context
Using theese props will fail the sign-request:

var props = new BankIdSignProperties(userVisibleContent)
{
    Items =
    {
        {"scheme", provider}
    },
    UserVisibleDataFormat = BankIdUserVisibleDataFormats.SimpleMarkdownV1,
    UserNonVisibleData = Encoding.UTF8.GetBytes(GenerateString(30000))
};

While the props with a hash works just fine:

var props = new BankIdSignProperties(userVisibleContent)
{
    Items =
    {
        {"scheme", provider}
    },
    UserVisibleDataFormat = BankIdUserVisibleDataFormats.SimpleMarkdownV1,
    UserNonVisibleData = BitConverter.GetBytes(GenerateString(30000).GetHashCode())
};

This is related to issue #425

[Zonnex]

Our thoughts so far:

We reached out to BankID and got a kind of vague confirmation that UserNonVisibleData doesn’t have a size limit. So, we can't rely on it all fitting in a cookie, plus it's not great for performance. So we should avoid saving it all in a cookie. I had a thought that perhaps we should hash UserNonVisibleData to ensure it fits in the cookie, but it's probably better for everyone that we don't touch that. Perhaps we should allow the implementers of ActiveLogin to provide an implementation for how to temporarily persist the state. To keep things fairly stateless, we should save a key to the state in the cookie instead.

We'll define an interface for interacting with the storage, and to allow for a smooth upgrade we will by default use an implementation that saves the state in-memory.

To provide an implementation, the implementer can choose either to these:

services.AddSingleton<IStateStorage, MyStateStorage>();

services
    .AddAuthentication()
    .AddBankIdSign(bankId =>
    {
        bankId.UseStateStorage<MyStateStorage>();
        // or
        bankId.UseStateStorage(new MyStateStorage());
    });

We believe this can be used for some other features as well, so we'll keep things 'generic'.