check for IsAuthenticated in addition to Succeeded when calling AuthenticateAsync

src/IdentityServer/Services/Default/DefaultUserSession.cs

@@ -141,7 +141,7 @@ protected virtual async Task AuthenticateAsync()
             }
 
             var result = await handler.AuthenticateAsync();
-            if (result != null && result.Succeeded)
+            if (result != null && result.Succeeded && result.Principal.Identity.IsAuthenticated)
             {
                 Principal = result.Principal;
                 Properties = result.Properties;

test/IdentityServer.UnitTests/Services/Default/DefaultUserSessionTests.cs

@@ -202,13 +202,23 @@ public async Task adding_client_should_set_item_in_cookie_properties()
     }
 
     [Fact]
-    public async Task when_authenticated_GetIdentityServerUserAsync_should_should_return_authenticated_user()
+    public async Task when_handler_successful_GetIdentityServerUserAsync_should_should_return_authenticated_user()
     {
         _mockAuthenticationHandler.Result = AuthenticateResult.Success(new AuthenticationTicket(_user, _props, "scheme"));
 
         var user = await _subject.GetUserAsync();
         user.GetSubjectId().Should().Be("123");
     }
+
+    [Fact]
+    public async Task when_handler_successful_and_identity_is_anonymous_GetIdentityServerUserAsync_should_should_return_null()
+    {
+        var cp = new ClaimsPrincipal(new ClaimsIdentity(new Claim[] { new Claim("xoxo", "1") }));
+        _mockAuthenticationHandler.Result = AuthenticateResult.Success(new AuthenticationTicket(cp, _props, "scheme"));
+
+        var user = await _subject.GetUserAsync();
+        user.Should().BeNull();
+    }
 
     [Fact]
     public async Task when_anonymous_GetIdentityServerUserAsync_should_should_return_null()