Returning 401 and JSON

[bragma]

Hi,
I'm using UseJwtBearerAuthentication. On a failed authentication (ex: expired token), the middleware throws and exception causing the server to return 500. I'd like instead to return 401 and a JSON explaining the problem.
I'm not sure I've understood the "OnAuthenticationFailed" event, but I've not been able to do anything from there. So, I've resolved to "UseExceptionHandler" and I've been able to intercept Security related Exceptions, but I am not sure on how to allow other exception types to be handled by the default error handler, such as "UseDeveloperExceptionPage".

My setup is:

app.UseExceptionHandler(appBuilder =>
{
    appBuilder.Use(async (context, next) =>
    {
        var error = context.Features[typeof(IExceptionHandlerFeature)] as IExceptionHandlerFeature;

        if (error != null && error.Error is SecurityTokenExpiredException)
        {
            // Send expired response
        }
        else if (error != null && error.Error is SecurityTokenInvalidSignatureException)
        {
            // Send bad signature response
        }
        else if (error != null && error.Error != null)
        {
            // Another exception type. How to let it pass through so it's caught by UseDeveloperExceptionPage?
        }
        else
        {
            await next();
        }
    });
});

Is this the suggested way of handling Security exceptions?
Thanks!

[Tratcher]

OnAuthenticationFailed is the right place for this. You should be able to write your own response and call context.HandleResponse() to keep the exception from being re-thrown.

[bragma]

@Tratcher thanks for the answer, is there any example or can you please provide one? I've tried with this but it does not work:

                    OnAuthenticationFailed = context =>
                    {
                        // Authentication failed
                        context.Response.StatusCode = 401;
                        context.HandleResponse();

                        return Task.FromResult(0);
                    }

[bragma]

I've checked the code, the magic seems to happen here:

Security/src/Microsoft.AspNetCore.Authentication.JwtBearer/JwtBearerHandler.cs

Line 168 in 297c72a

if (authenticationFailedContext.HandledResponse)

If I call "HandleResponse", the code calls Success and fails with another exception because Token is not set. What's weird is that even "SkipToNextMiddleware" somehow goes down a similar path and complains because Token is not set. In both cases, another exception is thrown (and I don't get my 401).

[gzak]

We ran into exactly the same issue, our workaround was to set a fake ticket on the context within the OnAuthenticationFailed handler.

[bragma]

@gzak Thanks, I'll try the same. Is the actual ticket returned or thrown away (I don't want it to reach the client)? Also did you "HandleResponse" or "SkipToNextMiddleware"?

[gzak]

Judging by the code in AuthenticationHandler.cs, I believe the ticket gets thrown away and the client gets a 403.

We are calling HandleResponse(), although looking through that code it doesn't appear to be necessary to do so. But we'll leave it in since it doesn't hurt anything now and presumably it will be needed instead of the fake ticket once this issue is resolved.

[akamud]

We're trying to force a 401 with this but we still get a 500:

OnAuthenticationFailed = context =>
{
    context.Response.StatusCode = StatusCodes.Status401Unauthorized;
    context.AuthenticationTicket = new Microsoft.AspNet.Authentication.AuthenticationTicket(new ClaimsPrincipal(), new Microsoft.AspNet.Http.Authentication.AuthenticationProperties(), string.Empty);
    context.HandleResponse();

    return Task.FromResult(0);
}

Here is the stack trace:

An unhandled exception has occurred while executing the request
      System.InvalidOperationException: No authentication handler is configured to handle the scheme: Automatic
         at Microsoft.AspNet.Http.Authentication.Internal.DefaultAuthenticationManager.<ChallengeAsync>d__12.MoveNext()
      --- End of stack trace from previous location where exception was thrown ---
         at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
         at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
         at Microsoft.AspNet.Mvc.ChallengeResult.<ExecuteResultAsync>d__14.MoveNext()
      --- End of stack trace from previous location where exception was thrown ---
         at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
         at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
         at Microsoft.AspNet.Mvc.Controllers.FilterActionInvoker.<InvokeResultAsync>d__56.MoveNext()
      --- End of stack trace from previous location where exception was thrown ---
         at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
         at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
         at Microsoft.AspNet.Mvc.Controllers.FilterActionInvoker.<InvokeAsync>d__44.MoveNext()
      --- End of stack trace from previous location where exception was thrown ---
         at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
         at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
         at Microsoft.AspNet.Mvc.Infrastructure.MvcRouteHandler.<RouteAsync>d__6.MoveNext()
      --- End of stack trace from previous location where exception was thrown ---
         at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
         at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
         at Microsoft.AspNet.Mvc.Routing.InnerAttributeRoute.<RouteAsync>d__10.MoveNext()
      --- End of stack trace from previous location where exception was thrown ---
         at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
         at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
         at Microsoft.AspNet.Routing.RouteCollection.<RouteAsync>d__9.MoveNext()
      --- End of stack trace from previous location where exception was thrown ---
         at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
         at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
         at Microsoft.AspNet.Builder.RouterMiddleware.<Invoke>d__4.MoveNext()
      --- End of stack trace from previous location where exception was thrown ---
         at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
         at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
         at Microsoft.AspNet.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
      --- End of stack trace from previous location where exception was thrown ---
         at Microsoft.AspNet.Authentication.AuthenticationMiddleware`1.<Invoke>d__18.MoveNext()
      --- End of stack trace from previous location where exception was thrown ---
         at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
         at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
         at Microsoft.AspNet.Diagnostics.DeveloperExceptionPageMiddleware.<Invoke>d__7.MoveNext()

[Tratcher]

@akamud your code and that error are unrelated. The error shows MVC trying to issue the initial challenge but none of the auth providers handled it. You either need to enable AutomaticChallenge on one of your auth providers, our tell MVC to challenge for specific providers.

[JimmyHannon]

The comment on the HandleResponse method states that all processing for the current request is discontinued and the request is returned to the client. However, i see that altough i call HandleResponse the middleware pipeline is continued and the next middleware gets called.
In the JwtBearerHandler AuthenticateResult.Success is called when HandledResponse is true.

Is the comment wrong or is the JwtBearerHandler not implementing as intended?

[akamud]

That's confusing me too. From what we can see from documentation, HandleResponse should skip all subsequent middlewares, this is not what is happening at the moment, at least not for Microsoft.AspNet.Authentication.BaseControlContext.HandleResponse()

[Tratcher]

Hmm, that text is overly optimistic. There are only some code paths where the events can terminate the request early, and this isn't one of them. The HandleResponse mechanic is something we incorporated from the OIDC middleware and it looks like we haven't done a good job of plumbing it through the other middleware in a consistent way. @HaoK, back to the whiteboard...

[Eilon]

As we are trying to shut down the work for RC2, we are moving this to the backlog.

[Ciantic]

edit Removed old one. Found a better way:

// This line must be before app.UserMvc() in the Configure
app.UseStatusCodePagesWithReExecute("/Error", "?status={0}");

[HttpGet("/Error"), HttpPost("/Error")]
public IActionResult Error([FromQuery] int status = 400)
{
    if (HttpContext.Request.Headers.ContainsKey("Accept") && 
        HttpContext.Request.Headers["Accept"].Contains("application/json"))
    { 
        if (status == 403) { 
            // TODO: There is no way to get claim here!
            return new JsonResult(new { error = "FORBIDDEN" });
        }
        else if (status == 401)
        {
            return new JsonResult(new { error = "LOGIN_REQUIRED" });
        }
        else
        {
            return new JsonResult(new { error = "UNDEFINED_ERROR" });
        }
    }
    // HTML Version if you wish ...
}