AuthorizationMessageHandler fails to set authenticationstate on error

[davhdavh]

Describe the bug

If _provider.RequestAccessToken is unable to provide a valid token, the IAccessTokenProvider API assumes that the RedirectUri is followed and the authentication flow reapplied. However, the AuthorizationMessageHandler class throws an exception because it cannot handle that flow.
It should however also inform IAccessTokenProvider that the current AuthenticationState is no longer valid.

Further technical details

.Net 6.0 preview 2

Thanks for contacting us.
We're moving this issue to the Next sprint planning milestone for future evaluation / consideration. We will evaluate the request when we are planning the work for the next milestone. To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

[TanayParikh]

Hi @davhdavh. We made some changes in the RC2 .NET 6 release which may resolve this. Could you see if you're still encountering this issue with the Release/6.0.1XX-rc2 in https://github.com/dotnet/installer#installers-and-binaries.

If so, do you happen to have repro steps, or a basic repro repository I can try out?

However, the AuthorizationMessageHandler class throws an exception because it cannot handle that flow.

What's the exception?

[davhdavh]

Hi @TanayParikh
That change solves the reverse problem (That AuthorizationMessageHandler didnt know the token was invalidated), whereas this bug is that AuthorizationMessageHandler doesn't inform _provider that the token is invalid (when it throws AccessTokenNotAvailableException) and that _provider doesn't tell itself that the token is invalid if RequestAccessToken fails to return a valid token.
Like I was trying to say in #30929 it occurs when the token expired AND the token refresh time expired, because the AuthorizationMessageHandler is the only check that the token is still valid and that is only called when it is used and doesn't refresh based on the expiration datetime. For example, if someone left your site open overnight without doing anything.