Produce 403 from custom AuthenticationHandler.HandleAuthenticateAsync #61323

Unanswered
maxkoshevoi asked this question in Q&A

I'm writing a custom authentication handler since the token I have is not standard. I've added my token validation logic to HandleAuthenticateAsync and return AuthenticateResult.Fail("[reason]") when some part of validation fails.

The token has an Aud claim that stores the audience, and I want to fail with 403 if the token is valid but the audience isn't.

The only way I was able to do that is like this:

protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
{
    // ... (token validation that produces `ticket`)
    var tokenAudience = ticket.Principal.Claims.Single(c => c.Type == "Aud");
    if (tokenAudience.Value != oAuthConfig.Value.Audience)
    {
        // Stash the desired status code so HandleChallengeAsync can pick it up
        Context.Items[nameof(HttpStatusCode)] = (int)HttpStatusCode.Forbidden;
        return AuthenticateResult.Fail("Incorrect audience");
    }
    return AuthenticateResult.Success(ticket);
}

protected override Task HandleChallengeAsync(AuthenticationProperties properties)
{
    // Nothing stashed: fall back to the default 401 challenge
    if (!Context.Items.TryGetValue(nameof(HttpStatusCode), out object? statusCode))
    {
        return base.HandleChallengeAsync(properties);
    }
    Response.StatusCode = (int)statusCode!;
    return Task.CompletedTask;
}
  • Why can't I pass AuthenticationProperties? I can specify them in AuthenticateResult.Fail, but they come out empty in HandleChallengeAsync.
protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
{
    // ...
    return AuthenticateResult.Fail(failureMessage, new AuthenticationProperties
    {
        // Items is a string dictionary, so the status code is stored as text
        Items = { [nameof(HttpStatusCode)] = ((int)HttpStatusCode.Forbidden).ToString() }
    });
}

protected override Task HandleChallengeAsync(AuthenticationProperties properties)
{
    // properties.Items is empty here
    return Task.CompletedTask;
}
  • Why isn't it possible to generate an authorization failure from HandleAuthenticateAsync? I know the name of the method suggests we should only do authentication there, but we still need to fail it in order to get to HandleChallengeAsync, which is also not correct since authentication was successful; it's the authorization that failed.
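The split the question circles around, as an added example that is not code from this thread: the handler only establishes identity and surfaces the Aud value as a claim, and a claim-based authorization policy rejects the wrong audience, so a missing or malformed token yields 401 through the default HandleChallengeAsync while a valid token with the wrong audience yields 403 through HandleForbiddenAsync, with no state parked in Context.Items. The scheme name, option and handler class names, the "api://orders" audience and the "Authorization: Custom <user>;<audience>" header format are assumptions standing in for the non-standard token; it targets a Web SDK project with implicit usings.

```csharp
using System.Security.Claims;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

const string SchemeName = "Custom";             // assumed scheme name
const string ExpectedAudience = "api://orders"; // constructed audience value

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(SchemeName)
    .AddScheme<CustomTokenOptions, CustomTokenHandler>(SchemeName, null);
// Authorization, not authentication, decides whether the audience is acceptable.
builder.Services.AddAuthorizationBuilder()
    .AddPolicy("CorrectAudience", p => p.RequireClaim("Aud", ExpectedAudience));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// No/invalid token -> 401 (HandleChallengeAsync); valid token, wrong Aud -> 403 (HandleForbiddenAsync).
app.MapGet("/orders", (ClaimsPrincipal user) => $"hello {user.Identity?.Name}")
   .RequireAuthorization("CorrectAudience");
app.Run();

public sealed class CustomTokenOptions : AuthenticationSchemeOptions { }

public sealed class CustomTokenHandler(IOptionsMonitor<CustomTokenOptions> options,
    ILoggerFactory logger, UrlEncoder encoder)
    : AuthenticationHandler<CustomTokenOptions>(options, logger, encoder)
{
    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // Authentication only establishes who the caller is; the Aud value is
        // surfaced as a claim and judged later by the authorization policy.
        string? header = Request.Headers.Authorization;
        if (header is null || !header.StartsWith("Custom ", StringComparison.Ordinal))
            return Task.FromResult(AuthenticateResult.NoResult());
        // Stand-in for the non-standard token: "Custom <user>;<audience>". Real code
        // verifies signature and expiry here before trusting any claim.
        var parts = header["Custom ".Length..].Split(';');
        if (parts.Length != 2)
            return Task.FromResult(AuthenticateResult.Fail("Malformed token"));
        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, parts[0]), new Claim("Aud", parts[1]) },
            Scheme.Name);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }
}
```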

Replies: 0 comments

Category
Q&A