Which version of Microsoft Identity Web are you using?
1.22.3 (but from code inspection will also repro on the latest version)
Where is the issue?
Web app
Sign-in users
Sign-in users and call web APIs
Web API
Protected web APIs (validating tokens)
Protected web APIs (validating scopes)
Protected web APIs call downstream web APIs
Token cache serialization
In-memory caches
Session caches
Distributed caches
Is this a new or an existing app?
This is an existing app that we're building; I haven't upgraded Microsoft Identity Web, but started seeing this issue.
Repro
There isn't an obvious code repro here; in our particular case, we believe it was from trying to run our app without yet granting admin consent for the required roles.
Expected behavior
Like with other bad tokens or configuration issues (like a missing tid or tenantId claim), I would expect the middleware pipeline to return a 401 Unauthorized.
Actual behavior
The JwtBearerHandler will throw an UnauthorizedAccessException that looks like this:
System.UnauthorizedAccessException: IDW10201: Neither scope or roles claim was found in the bearer token.
at Microsoft.Identity.Web.MicrosoftIdentityWebApiAuthenticationBuilderExtensions.<>c__DisplayClass3_1.<<AddMicrosoftIdentityWebApiImplementation>b__1>d.MoveNext()
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
which results in an unhandled exception in the auth middleware pipeline, which in turn results in a 500 error for the user.
Possible solution
A workaround for users hitting this issue today is to add the following into your IServiceCollection:
This converts the unhandled exception into a handled auth failure that automatically does the appropriate Challenge response (at the expense of an exception throw / catch in a possible hot path).
Since other configuration issues (as mentioned in the "Expected Behavior" section) result in 401s, I would expect this issue to behave similarly.
I'll post a PR shortly with a proposed solution.
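One way to implement the workaround described above, as an added example (not the reporter's snippet, which did not survive extraction, and not Microsoft Identity Web code). It assumes the API was registered with AddMicrosoftIdentityWebApi on the default JwtBearer scheme (JwtBearerDefaults.AuthenticationScheme) and that this extension is called after that registration; the handler chains any OnAuthenticationFailed delegate already attached, then turns an UnauthorizedAccessException from token validation into a failed authenticate result so the pipeline challenges with a 401 instead of surfacing a 500.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

// Assumed wiring in ConfigureServices (not from the issue):
//   services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
//           .AddMicrosoftIdentityWebApi(Configuration.GetSection("AzureAd"));
//   services.AddJwtBearerUnauthorizedAsFailure();   // must come after the line above
public static class JwtBearerFailureHandling
{
    // Registers an OnAuthenticationFailed handler on the default JwtBearer scheme.
    // JwtBearerHandler.HandleAuthenticateAsync catches exceptions thrown during
    // validation (including from OnTokenValidated, where IDW10201 is raised),
    // raises OnAuthenticationFailed, and returns context.Result if the handler set
    // one; otherwise it rethrows, which is the unhandled path that ends in a 500.
    public static IServiceCollection AddJwtBearerUnauthorizedAsFailure(
        this IServiceCollection services)
    {
        services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
        {
            options.Events ??= new JwtBearerEvents();

            // Keep whatever handler Identity Web or the app already attached.
            var inner = options.Events.OnAuthenticationFailed;
            options.Events.OnAuthenticationFailed = async context =>
            {
                await inner(context);

                // Only convert the claim/scope validation failures the issue describes;
                // leave anything else to surface as before.
                if (context.Result is null &&
                    context.Exception is UnauthorizedAccessException unauthorized)
                {
                    // A failed result makes the authorization middleware issue the normal
                    // Challenge (401 with WWW-Authenticate) instead of a 500 error page.
                    context.Fail(unauthorized);
                }
            };
        });

        return services;
    }
}
```

The exception is still thrown and caught once per failing request, which is the hot-path cost the report mentions; the fix proposed in the issue (returning a failure from the handler directly) avoids that.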