Returning true from HandleUnauthorizedAsync doesn't prevent the other automatic handlers from being invoked

[kevinchalet]

When refactoring ASOS code, I discovered a weird bug in AuthenticationHandler that prevents HandleUnauthorizedAsync from working correctly. The following conditions must be met for this annoying bug to occur:

• The ASP.NET Core pipeline must contain at least 2 authentication middleware (e.g cookies + a custom middleware).
• The first authentication middleware must be configured with AutomaticChallenge = true. The challenge mode - automatic or manual - used for the second middleware is not important.
• The second authentication middleware must override HandleUnauthorizedAsync and must return true (which is supposed to prevent the prior handlers from being invoked).
• AuthenticationManager.ChallengeAsync must be called with the authentication scheme associed with the second middleware.

When all these conditions are met, returning true from HandleUnauthorizedAsync has no effect: the first automatic middleware is still ultimately called and overrides the challenge applied by the second one (which is the only one that should handle it).

This bug is likely caused by AuthenticationHandler.HandleAutomaticChallengeIfNeeded.

Unlike AuthenticationHandler.ChallengeAsync, this method - executed by all the authentication handlers in the pipeline when headers are sent - doesn't check whether the prior handler handled the challenge and blindly calls HandleUnauthorizedAsync.

private async Task HandleAutomaticChallengeIfNeeded()
{
    if (!ChallengeCalled && Options.AutomaticChallenge && Response.StatusCode == 401)
    {
        await HandleUnauthorizedAsync(new ChallengeContext(Options.AuthenticationScheme));
    }
}

Ironically, the JWT middleware is not impacted by this bug because it returns false to allow the other middleware to handle the challenge: the ChallengeAsync of all the prior handlers is called, which automatically sets ChallengeCalled. Since the authentication scheme doesn't correspond to the prior middleware, ChallengeAsync ignores the challenge and things work like they are supposed to.

/cc @HaoK @Tratcher

[HaoK]

Ick, I will take a look

[kevinchalet]

Okay, note for me: never say "ick"

[HaoK]

Lolz, I don't think it really has that meaning in general, don't trust urban dictonary always :)

[kevinchalet]

@HaoK haha, thanks! I removed the other definitions, they were horrible 😄

On a more serious note, I can't seem to reproduce this bug on Katana so not sure when it has regressed.

I guess one - hacky - way to solve this bug would be to store a marker in the HttpContextitems and check if it's there before calling HandleUnauthorizedAsync.

[HaoK]

I think the behavior was probably introduced as part of this PR, I'm still not entirely sure this behavior is bad or not, as Automatic challenge has a bit of a different semantic than Challenge("SomeType")...

#283

[kevinchalet]

I'm still not entirely sure this behavior is bad or not, as Automatic challenge has a bit of a different semantic than Challenge("SomeType")...

The problem is that calling Challenge("SomeType") invokes all the automatic handlers when HandleUnauthorizedAsync returns true. It seems wrong, IMO.

[HaoK]

So at the most basic level AutomaticChallenge = true means HandleUnauthorizedAsync is getting called for your auth handler, irrespective of what other handlers have done.

As a result the rule basically is whenever you are mixing JWT/cookies together, you need to turn off AutomaticChallenge, for exactly the reason you ran into...

cc @blowdart who I think ran into this issue early on as well.

[blowdart]

What Hao said :D

[kevinchalet]

As a result the rule basically is whenever you are mixing JWT/cookies together, you need to turn off AutomaticChallenge, for exactly the reason you ran into...

Isn't that what [Authorize(ActiveAuthenticationSchemes = "custom-scheme")] is all about? Picking a specific scheme to decide which middleware is allowed to be invoked?

[blowdart]

Kinda of, it allows you to pick what you see and, if it's not automatic, run it. But automatic means automatic, as in, run on every request,

[kevinchalet]

Thing is it worked fine with Katana, that had the same active/passive authentication mode concept 😅

Really feels like a regression for me.