Warn that TokenValidated is not the last step of validation (#32299)

Tratcher · web-flow · commit bf6c1c4811e9 · 2021-05-07T15:57:15.000-07:00
diff --git a/src/Security/Authentication/OpenIdConnect/src/Events/OpenIdConnectEvents.cs b/src/Security/Authentication/OpenIdConnect/src/Events/OpenIdConnectEvents.cs
@@ -54,7 +54,8 @@ public class OpenIdConnectEvents : RemoteAuthenticationEvents
         public Func<TokenResponseReceivedContext, Task> OnTokenResponseReceived { get; set; } = context => Task.CompletedTask;
 
         /// <summary>
-        /// Invoked when an IdToken has been validated and produced an AuthenticationTicket.
+        /// Invoked when an IdToken has been validated and produced an AuthenticationTicket. Note there are additional checks after this
+        /// event that validate other aspects of the authentication flow like the nonce.
         /// </summary>
         public Func<TokenValidatedContext, Task> OnTokenValidated { get; set; } = context => Task.CompletedTask;
 
@@ -106,7 +107,8 @@ public class OpenIdConnectEvents : RemoteAuthenticationEvents
         public virtual Task TokenResponseReceived(TokenResponseReceivedContext context) => OnTokenResponseReceived(context);
 
         /// <summary>
-        /// Invoked when an IdToken has been validated and produced an AuthenticationTicket.
+        /// Invoked when an IdToken has been validated and produced an AuthenticationTicket. Note there are additional checks after this
+        /// event that validate other aspects of the authentication flow like the nonce.
         /// </summary>
         public virtual Task TokenValidated(TokenValidatedContext context) => OnTokenValidated(context);
 
